Package org.springframework.vault.authentication

Class GcpIamCredentialsAuthentication

java.lang.Object

org.springframework.vault.authentication.GcpJwtAuthenticationSupport

org.springframework.vault.authentication.GcpIamCredentialsAuthentication

All Implemented Interfaces:

ClientAuthentication

public class GcpIamCredentialsAuthentication
extends GcpJwtAuthenticationSupport
implements ClientAuthentication

Google Cloud IAM credentials login implementation using GCP IAM service accounts to legitimate its authenticity via JSON Web Token using the IAM Credentials projects.serviceAccounts.signJwt method.

This authentication method uses Googles IAM Credentials API to obtain a signed token for a specific GoogleCredentials. Service account details are obtained from a GoogleCredentials that can be retrieved either from a JSON file or the runtime environment (GAE, GCE).

GcpIamCredentialsAuthentication uses Google Java API that uses synchronous API.

Since:

2.3.2

Author:

Andreas Gebauer, Mark Paluch

See Also:

• GcpIamCredentialsAuthenticationOptions
• HttpTransport
• GoogleCredentials
• GoogleCredentials.getApplicationDefault()
• VaultClient
• Auth Method: gcp (IAM)
• GCP: projects.serviceAccounts.signJwt

Constructor Summary

Constructors

Constructor	Description
GcpIamCredentialsAuthentication(GcpIamCredentialsAuthenticationOptions options, VaultClient vaultClient)	Create a new instance of GcpIamCredentialsAuthentication given GcpIamCredentialsAuthenticationOptions and VaultClient.
GcpIamCredentialsAuthentication(GcpIamCredentialsAuthenticationOptions options, VaultClient vaultClient, com.google.api.gax.rpc.TransportChannelProvider transportChannelProvider)	Create a new instance of GcpIamCredentialsAuthentication given GcpIamCredentialsAuthenticationOptions, VaultClient and TransportChannelProvider.
GcpIamCredentialsAuthentication(GcpIamCredentialsAuthenticationOptions options, RestClient vaultClient)	Create a new instance of GcpIamCredentialsAuthentication given GcpIamCredentialsAuthenticationOptions and RestClient.
GcpIamCredentialsAuthentication(GcpIamCredentialsAuthenticationOptions options, RestClient vaultClient, com.google.api.gax.rpc.TransportChannelProvider transportChannelProvider)	Create a new instance of GcpIamCredentialsAuthentication given GcpIamCredentialsAuthenticationOptions, RestOperations and TransportChannelProvider.
GcpIamCredentialsAuthentication(GcpIamCredentialsAuthenticationOptions options, RestOperations restOperations)	Deprecated. since 4.1, use GcpIamCredentialsAuthentication(GcpIamCredentialsAuthenticationOptions, VaultClient) instead.
GcpIamCredentialsAuthentication(GcpIamCredentialsAuthenticationOptions options, RestOperations restOperations, com.google.api.gax.rpc.TransportChannelProvider transportChannelProvider)	Deprecated. since 4.1, use GcpIamCredentialsAuthentication(GcpIamCredentialsAuthenticationOptions, VaultClient, TransportChannelProvider) instead.

Method Summary

Modifier and Type	Method	Description
VaultToken	login()	Obtain a VaultToken for authenticated Vault access.
protected String	signJwt()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

GcpIamCredentialsAuthentication

@Deprecated(since="4.1")
public GcpIamCredentialsAuthentication(GcpIamCredentialsAuthenticationOptions options,
 RestOperations restOperations)

Deprecated.

since 4.1, use GcpIamCredentialsAuthentication(GcpIamCredentialsAuthenticationOptions, VaultClient) instead.

Create a new instance of GcpIamCredentialsAuthentication given GcpIamCredentialsAuthenticationOptions and RestOperations. This constructor initializes InstantiatingGrpcChannelProvider for Google API usage.

Parameters:

options - must not be null.

restOperations - HTTP client for Vault login, must not be null.

GcpIamCredentialsAuthentication

@Deprecated(since="4.1")
public GcpIamCredentialsAuthentication(GcpIamCredentialsAuthenticationOptions options,
 RestOperations restOperations,
 com.google.api.gax.rpc.TransportChannelProvider transportChannelProvider)

Deprecated.

since 4.1, use GcpIamCredentialsAuthentication(GcpIamCredentialsAuthenticationOptions, VaultClient, TransportChannelProvider) instead.

Create a new instance of GcpIamCredentialsAuthentication given GcpIamCredentialsAuthenticationOptions, RestOperations and TransportChannelProvider.

Parameters:

options - must not be null.

restOperations - HTTP client for Vault login, must not be null.

transportChannelProvider - Provider for transport channel Google API use, must not be null.

GcpIamCredentialsAuthentication

public GcpIamCredentialsAuthentication(GcpIamCredentialsAuthenticationOptions options,
 RestClient vaultClient)

Create a new instance of GcpIamCredentialsAuthentication given GcpIamCredentialsAuthenticationOptions and RestClient. This constructor initializes InstantiatingGrpcChannelProvider for Google API usage.

Parameters:

options - must not be null.

vaultClient - HTTP client for Vault login, must not be null.

Since:

4.0

GcpIamCredentialsAuthentication

public GcpIamCredentialsAuthentication(GcpIamCredentialsAuthenticationOptions options,
 RestClient vaultClient,
 com.google.api.gax.rpc.TransportChannelProvider transportChannelProvider)

Create a new instance of GcpIamCredentialsAuthentication given GcpIamCredentialsAuthenticationOptions, RestOperations and TransportChannelProvider.

Parameters:

options - must not be null.

vaultClient - HTTP client for Vault login, must not be null.

transportChannelProvider - Provider for transport channel Google API use, must not be null.

Since:

4.0

GcpIamCredentialsAuthentication

public GcpIamCredentialsAuthentication(GcpIamCredentialsAuthenticationOptions options,
 VaultClient vaultClient)

Create a new instance of GcpIamCredentialsAuthentication given GcpIamCredentialsAuthenticationOptions and VaultClient. This constructor initializes InstantiatingGrpcChannelProvider for Google API usage.

Parameters:

options - must not be null.

vaultClient - client for Vault login, must not be null.

Since:

4.1

GcpIamCredentialsAuthentication

public GcpIamCredentialsAuthentication(GcpIamCredentialsAuthenticationOptions options,
 VaultClient vaultClient,
 com.google.api.gax.rpc.TransportChannelProvider transportChannelProvider)

Create a new instance of GcpIamCredentialsAuthentication given GcpIamCredentialsAuthenticationOptions, VaultClient and TransportChannelProvider.

Parameters:

options - must not be null.

vaultClient - client for Vault login, must not be null.

transportChannelProvider - Provider for transport channel Google API use, must not be null.

Since:

4.1

Method Details

login

public VaultToken login()
                 throws VaultException

Description copied from interface: ClientAuthentication

Obtain a VaultToken for authenticated Vault access.

This method may perform an authentication request to Vault or return a cached or pre-configured token.

Specified by:

login in interface ClientAuthentication

Returns:

the Vault token for subsequent authenticated requests

Throws:

VaultLoginException - if authentication fails.

VaultException

See Also:

• LoginToken

signJwt

protected String signJwt()