feat: downscoping with credential access boundaries #702

merged 6 commits into from Aug 3, 2021



@lsirac lsirac commented Jul 27, 2021

See go/cab-client. This feature is publicly documented here.


  • Adds a new DownscopedCredentials class that enables the ability to downscope, or restrict, the IAM permissions that a short-lived credential can use for Cloud Storage. This is done by defining a CredentialAccessBoundary which specifies the upper bound of permissions the downscoped credential will be able to access.
  • OAuth2CredentialsWithRefresh enables access token refresh via a developer-defined refresh handler.
  • With CAB, STS may not always return an expires_in. The STS utility has been updated to reflect this. When not returned, the expires_in is copied from the source credential, when available.
  • Includes integration tests with a one-time-use setup script (already run).
  • Samples/documentation will be provided in a separate PR.
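
The token-broker and consumer flow that the classes named in this description support, as an added example that is not code from this PR or from the project's samples. The bucket name and object prefix are hypothetical, and the code assumes Application Default Credentials and network access to STS are available at run time.

```java
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.CredentialAccessBoundary;
import com.google.auth.oauth2.CredentialAccessBoundary.AccessBoundaryRule;
import com.google.auth.oauth2.DownscopedCredentials;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.OAuth2CredentialsWithRefresh;
import java.io.IOException;

public class DownscopeExample {
  // Hypothetical bucket and object prefix, constructed for this example.
  static final String BUCKET = "example-bucket";
  static final String PREFIX = "customer-a/";

  // Upper bound of the downscoped token: read-only access to objects under PREFIX in BUCKET.
  static CredentialAccessBoundary readOnlyBoundary() {
    String cel = "resource.name.startsWith('projects/_/buckets/" + BUCKET + "/objects/" + PREFIX + "')";
    AccessBoundaryRule rule =
        AccessBoundaryRule.newBuilder()
            .setAvailableResource("//storage.googleapis.com/projects/_/buckets/" + BUCKET)
            .addAvailablePermission("inRole:roles/storage.objectViewer")
            .setAvailabilityCondition(
                AccessBoundaryRule.AvailabilityCondition.newBuilder().setExpression(cel).build())
            .build();
    return CredentialAccessBoundary.newBuilder().addRule(rule).build();
  }

  // Token broker side: keeps the broad source credential and returns only a downscoped token.
  static AccessToken mintDownscopedToken() throws IOException {
    GoogleCredentials source =
        GoogleCredentials.getApplicationDefault()
            .createScoped("https://www.googleapis.com/auth/cloud-platform");
    return DownscopedCredentials.newBuilder()
        .setSourceCredential(source)
        .setCredentialAccessBoundary(readOnlyBoundary())
        .build()
        .refreshAccessToken();
  }

  public static void main(String[] args) throws IOException {
    // Consumer side: never holds the source credential; the handler asks the broker for a new token.
    OAuth2CredentialsWithRefresh consumer =
        OAuth2CredentialsWithRefresh.newBuilder()
            .setAccessToken(mintDownscopedToken())
            .setRefreshHandler(DownscopeExample::mintDownscopedToken)
            .build();
    System.out.println("Downscoped token expires: " + consumer.getAccessToken().getExpirationTime());
  }
}
```

In a real deployment the broker and the consumer run in separate processes, so the refresh handler would call the broker over an authenticated channel instead of a local method.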

lsirac and others added 4 commits Jul 26, 2021
* feat: adds CAB rules classes

* fix: copyright

* fix: revert pom

* fix: review

* fix: bad link

* fix: more null and empty checks

* fix: expand javadoc

* fix: split null/empty checks

* fix: use checkNotNull
* feat: downscoping with credential access boundaries

* fix: rename RefreshableOAuth2Credentials to OAuth2CredentialsWithRefresh

* fix: review nits
@lsirac lsirac requested a review from as a code owner Jul 27, 2021
@google-cla google-cla bot added the cla: yes label Jul 27, 2021
@lsirac lsirac requested a review from TimurSadykov Jul 27, 2021
@lsirac lsirac requested a review from elharo Jul 27, 2021
@lsirac lsirac requested a review from elharo Jul 28, 2021

@TimurSadykov TimurSadykov left a comment


@lsirac lsirac requested a review from Neenu1995 Aug 3, 2021
@lsirac lsirac merged commit aa7ede1 into googleapis:master Aug 3, 2021
13 checks passed