From 527ad4b52cfda9361de922dcf9014d591f3ad8ff Mon Sep 17 00:00:00 2001 From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com> Date: Wed, 7 Feb 2024 09:54:02 -0800 Subject: [PATCH 1/3] chore(main): release 1.23.0 (#1353) Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> --- CHANGELOG.md | 17 +++++++++++++++++ appengine/pom.xml | 2 +- bom/pom.xml | 2 +- credentials/pom.xml | 2 +- oauth2_http/pom.xml | 2 +- pom.xml | 2 +- versions.txt | 12 ++++++------ 7 files changed, 28 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b9f67a516..6a69d4aa4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,22 @@ # Changelog +## [1.23.0](https://github.com/googleapis/google-auth-library-java/compare/v1.22.0...v1.23.0) (2024-02-05) + + +### Features + +* Add context object to pass to supplier functions ([#1363](https://github.com/googleapis/google-auth-library-java/issues/1363)) ([1d9efc7](https://github.com/googleapis/google-auth-library-java/commit/1d9efc78aa6ab24fc2aab5f081240a815c394c95)) +* Adds support for user defined subject token suppliers in AWSCredentials and IdentityPoolCredentials ([#1336](https://github.com/googleapis/google-auth-library-java/issues/1336)) ([64ce8a1](https://github.com/googleapis/google-auth-library-java/commit/64ce8a1fbb82cb19e17ca0c6713c7c187078c28b)) +* Adds universe domain for DownscopedCredentials and ExternalAccountAuthorizedUserCredentials ([#1355](https://github.com/googleapis/google-auth-library-java/issues/1355)) ([17ef707](https://github.com/googleapis/google-auth-library-java/commit/17ef70748aae4820f10694ae99c82ed7ca89dbce)) +* Modify the refresh window to match go/async-token-refresh. Serverless tokens are cached until 4 minutes before expiration, so 4 minutes is the ideal refresh window. 
([#1352](https://github.com/googleapis/google-auth-library-java/issues/1352)) ([a7a8d7a](https://github.com/googleapis/google-auth-library-java/commit/a7a8d7a4102b0b7c1b83791947ccb662f060eca7)) + + +### Bug Fixes + +* Add missing copyright header ([#1364](https://github.com/googleapis/google-auth-library-java/issues/1364)) ([a24e563](https://github.com/googleapis/google-auth-library-java/commit/a24e5631b8198d988a7b82deab5453e43917b0d2)) +* Issue [#1347](https://github.com/googleapis/google-auth-library-java/issues/1347): ExternalAccountCredentials serialization is broken ([#1358](https://github.com/googleapis/google-auth-library-java/issues/1358)) ([e3a2e9c](https://github.com/googleapis/google-auth-library-java/commit/e3a2e9cbdd767c4664d895f98f69d8b742d645f0)) +* Refactor compute and cloudshell credentials to pass quota project to base class ([#1284](https://github.com/googleapis/google-auth-library-java/issues/1284)) ([fb75239](https://github.com/googleapis/google-auth-library-java/commit/fb75239ead37b6677a392f38ea2ef2012b3f21e0)) + ## [1.22.0](https://github.com/googleapis/google-auth-library-java/compare/v1.21.0...v1.22.0) (2024-01-09) diff --git a/appengine/pom.xml b/appengine/pom.xml index d65ade433..a98af5241 100644 --- a/appengine/pom.xml +++ b/appengine/pom.xml @@ -5,7 +5,7 @@ com.google.auth google-auth-library-parent - 1.22.1-SNAPSHOT + 1.23.0 ../pom.xml diff --git a/bom/pom.xml b/bom/pom.xml index 2c7e5198c..01a093b62 100644 --- a/bom/pom.xml +++ b/bom/pom.xml @@ -3,7 +3,7 @@ 4.0.0 com.google.auth google-auth-library-bom - 1.22.1-SNAPSHOT + 1.23.0 pom Google Auth Library for Java BOM diff --git a/credentials/pom.xml b/credentials/pom.xml index bd5934deb..224af9b72 100644 --- a/credentials/pom.xml +++ b/credentials/pom.xml @@ -4,7 +4,7 @@ com.google.auth google-auth-library-parent - 1.22.1-SNAPSHOT + 1.23.0 ../pom.xml diff --git a/oauth2_http/pom.xml b/oauth2_http/pom.xml index 36da3d3b8..7c3068d1e 100644 --- a/oauth2_http/pom.xml 
+++ b/oauth2_http/pom.xml @@ -7,7 +7,7 @@ com.google.auth google-auth-library-parent - 1.22.1-SNAPSHOT + 1.23.0 ../pom.xml diff --git a/pom.xml b/pom.xml index 0b44d72fd..a055fb74d 100644 --- a/pom.xml +++ b/pom.xml @@ -5,7 +5,7 @@ 4.0.0 com.google.auth google-auth-library-parent - 1.22.1-SNAPSHOT + 1.23.0 pom Google Auth Library for Java Client libraries providing authentication and diff --git a/versions.txt b/versions.txt index ee3f1a94a..b51d5f59b 100644 --- a/versions.txt +++ b/versions.txt @@ -1,9 +1,9 @@ # Format: # module:released-version:current-version -google-auth-library:1.22.0:1.22.1-SNAPSHOT -google-auth-library-bom:1.22.0:1.22.1-SNAPSHOT -google-auth-library-parent:1.22.0:1.22.1-SNAPSHOT -google-auth-library-appengine:1.22.0:1.22.1-SNAPSHOT -google-auth-library-credentials:1.22.0:1.22.1-SNAPSHOT -google-auth-library-oauth2-http:1.22.0:1.22.1-SNAPSHOT +google-auth-library:1.23.0:1.23.0 +google-auth-library-bom:1.23.0:1.23.0 +google-auth-library-parent:1.23.0:1.23.0 +google-auth-library-appengine:1.23.0:1.23.0 +google-auth-library-credentials:1.23.0:1.23.0 +google-auth-library-oauth2-http:1.23.0:1.23.0 From b97fa2006adb313ebe4e3385c733b6d408c85656 Mon Sep 17 00:00:00 2001 From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com> Date: Wed, 7 Feb 2024 17:56:17 +0000 Subject: [PATCH 2/3] chore(main): release 1.23.1-SNAPSHOT (#1366) :robot: I have created a release *beep* *boop* --- ### Updating meta-information for bleeding-edge SNAPSHOT release. --- This PR was generated with [Release Please](https://togithub.com/googleapis/release-please). See [documentation](https://togithub.com/googleapis/release-please#release-please). --- appengine/pom.xml | 2 +- bom/pom.xml | 2 +- credentials/pom.xml | 2 +- oauth2_http/pom.xml | 2 +- pom.xml | 2 +- versions.txt | 12 ++++++------ 6 files changed, 11 insertions(+), 11 deletions(-) diff --git a/appengine/pom.xml b/appengine/pom.xml index a98af5241..85bef4522 100644 --- a/appengine/pom.xml 
+++ b/appengine/pom.xml @@ -5,7 +5,7 @@ com.google.auth google-auth-library-parent - 1.23.0 + 1.23.1-SNAPSHOT ../pom.xml diff --git a/bom/pom.xml b/bom/pom.xml index 01a093b62..e5a936189 100644 --- a/bom/pom.xml +++ b/bom/pom.xml @@ -3,7 +3,7 @@ 4.0.0 com.google.auth google-auth-library-bom - 1.23.0 + 1.23.1-SNAPSHOT pom Google Auth Library for Java BOM diff --git a/credentials/pom.xml b/credentials/pom.xml index 224af9b72..42bb369b0 100644 --- a/credentials/pom.xml +++ b/credentials/pom.xml @@ -4,7 +4,7 @@ com.google.auth google-auth-library-parent - 1.23.0 + 1.23.1-SNAPSHOT ../pom.xml diff --git a/oauth2_http/pom.xml b/oauth2_http/pom.xml index 7c3068d1e..5b1362ed7 100644 --- a/oauth2_http/pom.xml +++ b/oauth2_http/pom.xml @@ -7,7 +7,7 @@ com.google.auth google-auth-library-parent - 1.23.0 + 1.23.1-SNAPSHOT ../pom.xml diff --git a/pom.xml b/pom.xml index a055fb74d..8d207deef 100644 --- a/pom.xml +++ b/pom.xml @@ -5,7 +5,7 @@ 4.0.0 com.google.auth google-auth-library-parent - 1.23.0 + 1.23.1-SNAPSHOT pom Google Auth Library for Java Client libraries providing authentication and diff --git a/versions.txt b/versions.txt index b51d5f59b..e1a417028 100644 --- a/versions.txt +++ b/versions.txt @@ -1,9 +1,9 @@ # Format: # module:released-version:current-version -google-auth-library:1.23.0:1.23.0 -google-auth-library-bom:1.23.0:1.23.0 -google-auth-library-parent:1.23.0:1.23.0 -google-auth-library-appengine:1.23.0:1.23.0 -google-auth-library-credentials:1.23.0:1.23.0 -google-auth-library-oauth2-http:1.23.0:1.23.0 +google-auth-library:1.23.0:1.23.1-SNAPSHOT +google-auth-library-bom:1.23.0:1.23.1-SNAPSHOT +google-auth-library-parent:1.23.0:1.23.1-SNAPSHOT +google-auth-library-appengine:1.23.0:1.23.1-SNAPSHOT +google-auth-library-credentials:1.23.0:1.23.1-SNAPSHOT +google-auth-library-oauth2-http:1.23.0:1.23.1-SNAPSHOT From bd898c64875a87414f84ca0787ba6c140e05921b Mon Sep 17 00:00:00 2001 
From: aeitzman <12433791+aeitzman@users.noreply.github.com> Date: Wed, 7 Feb 2024 10:08:05 -0800 Subject: [PATCH 3/3] docs: adds docs for supplier based external account credentials (#1362) * docs: adds readme for supplier based external account credentials * Update README.md Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com> * Update README.md Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com> * Update README.md Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com> * Update README.md Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com> * Update README.md Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com> * Update README.md Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com> * addressing review * Addressing comments * Apply suggestions from code review Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com> * clean up workforce docs * Addressing comments * Apply suggestions from code review Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com> * Adding audience documentation for workload --------- Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com> --- README.md | 180 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 180 insertions(+) diff --git a/README.md b/README.md index 4c6a3dff8..149d4aa69 100644 --- a/README.md +++ b/README.md 
@@ -470,6 +470,128 @@ credentials unless they do not meet your specific requirements. You can now [use the Auth library](#using-external-identities) to call Google Cloud resources from an OIDC or SAML provider. +#### Using a custom supplier with OIDC and SAML +A custom implementation of IdentityPoolSubjectTokenSupplier can be used while building IdentityPoolCredentials +to supply a subject token which can be exchanged for a GCP access token. The supplier must return a valid, +unexpired subject token when called by the GCP credential. + +IdentityPoolCredentials do not cache the returned token, so caching logic should be +implemented in the token supplier to prevent multiple requests for the same subject token. + +```java +import java.io.IOException; + +public class CustomTokenSupplier implements IdentityPoolSubjectTokenSupplier { + + @Override + public String getSubjectToken(ExternalAccountSupplierContext context) throws IOException { + // Any call to the supplier will pass a context object with the requested + // audience and subject token type. + string audience = context.getAudience(); + string tokenType = context.getSubjectTokenType(); + + try { + // Return a valid, unexpired token for the requested audience and token type. + // Note that IdentityPoolCredentials do not cache the subject token so + // any caching logic needs to be implemented in the token supplier. + return retrieveToken(audience, tokenType); + } catch (Exception e) { + // If token is unavailable, throw IOException. + throw new IOException(e); + } + } + + private String retrieveToken(string tokenType, string audience) { + // Retrieve a subject token of the requested type for the requested audience. + } +} +``` +```java +CustomTokenSupplier tokenSupplier = new CustomTokenSupplier(); +IdentityPoolCredentials identityPoolCredentials = + IdentityPoolCredentials.newBuilder() + .setSubjectTokenSupplier(tokenSupplier) // Sets the token supplier. + .setAudience(...) // Sets the GCP audience. 
+ .setSubjectTokenType(SubjectTokenTypes.JWT) // Sets the subject token type. + .build(); +``` +Where the [audience](https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#provider-audience) is: +```//iam.googleapis.com/locations/global/workforcePools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID``` + +Where the following variables need to be substituted: +- `$WORKLOAD_POOL_ID`: The workload pool ID. +- `$PROVIDER_ID`: The provider ID. + +The values for audience, service account impersonation URL, and any other builder field can also be found by +generating a [credential configuration file with the gcloud CLI](https://cloud.google.com/sdk/gcloud/reference/iam/workload-identity-pools/create-cred-config). + +#### Using a custom supplier with AWS +A custom implementation of AwsSecurityCredentialsSupplier can be provided when initializing AwsCredentials. If provided, the AwsCredentials instance will defer to the supplier to retrieve AWS security credentials to exchange for a GCP access token. +The supplier must return valid, unexpired AWS security credentials when called by the GCP credential. + +AwsCredentials do not cache the returned AWS security credentials or region, so caching logic should be +implemented in the supplier to prevent multiple requests for the same resources. + +```java +class CustomAwsSupplier implements AwsSecurityCredentialsSupplier { + @Override + AwsSecurityCredentials getAwsSecurityCredentials(ExternalAccountSupplierContext context) throws IOException { + // Any call to the supplier will pass a context object with the requested + // audience. + string audience = context.getAudience(); + + try { + // Return valid, unexpired AWS security credentials for the requested audience. + // Note that AwsCredentials do not cache the AWS security credentials so + // any caching logic needs to be implemented in the credentials' supplier. 
+ return retrieveAwsSecurityCredentials(audience); + } catch (Exception e) { + // If credentials are unavailable, throw IOException. + throw new IOException(e); + } + } + + @Override + String getRegion(ExternalAccountSupplierContext context) throws IOException { + try { + // Return a valid AWS region. i.e. "us-east-2". + // Note that AwsCredentials do not cache the region so + // any caching logic needs to be implemented in the credentials' supplier. + return retrieveAwsRegion(); + } catch (Exception e) { + // If region is unavailable, throw IOException. + throw new IOException(e); + } + } + + private AwsSecurityCredentials retrieveAwsSecurityCredentials(string audience) { + // Retrieve Aws security credentials for the requested audience. + } + + private String retrieveAwsRegion() { + // Retrieve current AWS region. + } +} +``` +```java +CustomAwsSupplier awsSupplier = new CustomAwsSupplier(); +AwsCredentials credentials = AwsCredentials.newBuilder() + .setSubjectTokenType(SubjectTokenTypes.AWS4) // Sets the subject token type. + .setAudience(...) // Sets the GCP audience. + .setAwsSecurityCredentialsSupplier(supplier) // Sets the supplier. + .build(); +``` + +Where the [audience](https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#provider-audience) is: +```//iam.googleapis.com/locations/global/workforcePools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID``` + +Where the following variables need to be substituted: +- `$WORKLOAD_POOL_ID`: The workload pool ID. +- `$PROVIDER_ID`: The provider ID. + +The values for audience, service account impersonation URL, and any other builder field can also be found by +generating a [credential configuration file with the gcloud CLI](https://cloud.google.com/sdk/gcloud/reference/iam/workload-identity-pools/create-cred-config). 
+ #### Configurable Token Lifetime When creating a credential configuration with workload identity federation using service account impersonation, you can provide an optional argument to configure the service account access token lifetime. 
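Review bot: the two Java snippets in this hunk do not compile as written, and the audience shown for workload pools is the workforce-pool path. In `CustomTokenSupplier`, `string audience = context.getAudience();` and `string tokenType = context.getSubjectTokenType();` use lowercase `string`; Java's type is `String`, and the same applies to `retrieveToken(string tokenType, string audience)` and `retrieveAwsSecurityCredentials(string audience)`. `retrieveToken` is also declared with parameters `(tokenType, audience)` but called as `retrieveToken(audience, tokenType)`, so one of the two needs its argument order swapped. In `CustomAwsSupplier`, `getAwsSecurityCredentials` and `getRegion` implement interface methods without the `public` modifier, which Java rejects (interface methods are implicitly public), and the builder example calls `.setAwsSecurityCredentialsSupplier(supplier)` although the variable declared on the line above is `awsSupplier`. Since readers will copy these blocks verbatim into their own projects, it is worth compiling them once before merging. Separately, both "Where the audience is" blocks in this hunk show `//iam.googleapis.com/locations/global/workforcePools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID`, which is the workforce pool format (the same shape the workforce section uses); a workload identity pool audience has the form `//iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$WORKLOAD_POOL_ID/providers/$PROVIDER_ID`, so the path needs `projects/$PROJECT_NUMBER` and `workloadIdentityPools`, and `$PROJECT_NUMBER` should be added to the substitution list. Finally, since the text correctly says the credential does not cache what the supplier returns and the supplier "must return a valid, unexpired" token or AWS credentials, the caching comments in the snippets could say explicitly that a cached entry must be keyed by audience and token type and checked against its expiry before being returned, otherwise a stale cache turns every refresh into a failed STS exchange.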
@@ -704,6 +826,64 @@ specified below. It must output the response to stdout. Refer to the [using executable-sourced credentials with Workload Identity Federation](#using-executable-sourced-credentials-with-oidc-and-saml) above for the executable response specification. +#### Using a custom supplier with OIDC and SAML +A custom implementation of IdentityPoolSubjectTokenSupplier can be used while building IdentityPoolCredentials +to supply a subject token which can be exchanged for a GCP access token. The supplier must return a valid, +unexpired subject token when called by the GCP credential. + +IdentityPoolCredentials do not cache the returned token, so caching logic should be +implemented in the token supplier to prevent multiple requests for the same subject token. + +```java +import java.io.IOException; + +public class CustomTokenSupplier implements IdentityPoolSubjectTokenSupplier { + + @Override + public String getSubjectToken(ExternalAccountSupplierContext context) throws IOException { + // Any call to supplier will pass a context object with the requested + // audience and subject token type. + string audience = context.getAudience(); + string tokenType = context.getSubjectTokenType(); + + try { + // Return a valid, unexpired token for the requested audience and token type. + // Note that the IdentityPoolCredential does not cache the subject token so + // any caching logic needs to be implemented in the token supplier. + return retrieveToken(audience, tokenType); + } catch (Exception e) { + // If token is unavailable, throw IOException. + throw new IOException(e); + } + } + + private String retrieveToken(string tokenType, string audience) { + // Retrieve a subject token of the requested type for the requested audience. 
+ } +} +``` +```java +CustomTokenSupplier tokenSupplier = new CustomTokenSupplier(); +IdentityPoolCredentials identityPoolCredentials = + IdentityPoolCredentials.newBuilder() + .setSubjectTokenSupplier(tokenSupplier) // Sets the token supplier. + .setAudience(...) // Sets the GCP audience. + .setSubjectTokenType(SubjectTokenTypes.JWT) // Sets the subject token type. + .setWorkforcePoolUserProject(...) // Sets the workforce pool user project. + .build(); +``` +Where the audience is: +```//iam.googleapis.com/locations/global/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID``` + +Where the following variables need to be substituted: +- `$WORKFORCE_POOL_ID`: The workforce pool ID. +- `$PROVIDER_ID`: The provider ID. + +and the workforce pool user project is the project number associated with the [workforce pools user project](https://cloud.google.com/iam/docs/workforce-identity-federation#workforce-pools-user-project). + +The values for audience, service account impersonation URL, and any other builder field can also be found by +generating a [credential configuration file with the gcloud CLI](https://cloud.google.com/iam/docs/workforce-obtaining-short-lived-credentials#use_configuration_files_for_sign-in). + ##### Security considerations The following security practices are highly recommended: * Access to the script should be restricted as it will be displaying credentials to stdout. This ensures that rogue processes do not gain access to the script.
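Review bot: this hunk inserts the new `#### Using a custom supplier with OIDC and SAML` section between the executable-sourced credentials text ("Refer to the [using executable-sourced credentials ...] above for the executable response specification.") and its `##### Security considerations` subsection, so the security list that begins "Access to the script should be restricted as it will be displaying credentials to stdout" now reads as if it applied to the supplier section rather than to the executable. Moving the new section to after the `##### Security considerations` block keeps the executable guidance and its security notes together. The snippet also has the same compile errors as the workload copy: `string audience`, `string tokenType` and `retrieveToken(string tokenType, string audience)` use lowercase `string` instead of `String`, and `retrieveToken` is called as `retrieveToken(audience, tokenType)` while its declared parameter order is `(tokenType, audience)`. The comment "Note that the IdentityPoolCredential does not cache the subject token" should name the class as `IdentityPoolCredentials`, matching the prose above it. Minor: the workload section links the word "audience" to the provider-audience best-practices page while this one does not; adding the same link here keeps the two sections consistent.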