importcom.google.auth.credentialaccessboundary.ClientSideCredentialAccessBoundaryFactory;importcom.google.auth.oauth2.AccessToken;importcom.google.auth.oauth2.CredentialAccessBoundary;importcom.google.auth.oauth2.GoogleCredentials;importdev.cel.common.CelValidationException;importjava.io.IOException;importjava.security.GeneralSecurityException;publicstaticAccessTokengetTokenFromBroker(StringbucketName,StringobjectPrefix)throwsIOException{// Retrieve the source credentials from ADC.GoogleCredentialssourceCredentials=GoogleCredentials.getApplicationDefault().createScoped("https://www.googleapis.com/auth/cloud-platform");// Initialize the Credential Access Boundary rules.StringavailableResource="//storage.googleapis.com/projects/_/buckets/"+bucketName;// Downscoped credentials will have readonly access to the resource.StringavailablePermission="inRole:roles/storage.objectViewer";// Only objects starting with the specified prefix string in the object name will be allowed// read access.Stringexpression="resource.name.startsWith('projects/_/buckets/"+bucketName+"/objects/"+objectPrefix+"')";// Build the AvailabilityCondition.CredentialAccessBoundary.AccessBoundaryRule.AvailabilityConditionavailabilityCondition=CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition.newBuilder().setExpression(expression).build();// Define the single access boundary rule using the above properties.CredentialAccessBoundary.AccessBoundaryRulerule=CredentialAccessBoundary.AccessBoundaryRule.newBuilder().setAvailableResource(availableResource).addAvailablePermission(availablePermission).setAvailabilityCondition(availabilityCondition).build();// Define the Credential Access Boundary with all the relevant rules.CredentialAccessBoundarycredentialAccessBoundary=CredentialAccessBoundary.newBuilder().addRule(rule).build();// Create an instance of ClientSideCredentialAccessBoundaryFactory.ClientSideCredentialAccessBoundaryFactoryfactory=ClientSideCredentialAccessBoundaryFactory.newBuilder().setSourceCredential(sourceCredentials).build();// Generate the token and pass it to the Token Consumer.try{returnfactory.generateToken(credentialAccessBoundary);}catch(GeneralSecurityException|CelValidationExceptione){thrownewIOException("Error generating downscoped token",e);}}

importcom.google.auth.oauth2.AccessToken;importcom.google.auth.oauth2.OAuth2CredentialsWithRefresh;importcom.google.cloud.storage.Blob;importcom.google.cloud.storage.Storage;importcom.google.cloud.storage.StorageOptions;importjava.io.IOException;publicstaticStringretrieveBlobWithDownscopedToken(finalStringbucketName,finalStringobjectName)throwsIOException{// You can pass an `OAuth2RefreshHandler` to `OAuth2CredentialsWithRefresh` which will allow the// library to seamlessly handle downscoped token refreshes on expiration.OAuth2CredentialsWithRefresh.OAuth2RefreshHandlerhandler=newOAuth2CredentialsWithRefresh.OAuth2RefreshHandler(){@OverridepublicAccessTokenrefreshAccessToken()throwsIOException{// The common pattern of usage is to have a token broker pass the downscoped short-lived// access tokens to a token consumer via some secure authenticated channel.// For illustration purposes, we are generating the downscoped token locally.// We want to test the ability to limit access to objects with a certain prefix string// in the resource bucket. objectName.substring(0, 3) is the prefix here. This field is// not required if access to all bucket resources are allowed. If access to limited// resources in the bucket is needed, this mechanism can be used.returnDownscopedAccessTokenGenerator.getTokenFromBroker(bucketName,objectName);}};AccessTokendownscopedToken=handler.refreshAccessToken();OAuth2CredentialsWithRefreshcredentials=OAuth2CredentialsWithRefresh.newBuilder().setAccessToken(downscopedToken).setRefreshHandler(handler).build();StorageOptionsoptions=StorageOptions.newBuilder().setCredentials(credentials).build();Storagestorage=options.getService();Blobblob=storage.get(bucketName,objectName);if(blob==null){returnnull;}returnnewString(blob.getContent());}

import("context""fmt""golang.org/x/oauth2""golang.org/x/oauth2/google""golang.org/x/oauth2/google/downscope")// createDownscopedToken would be run on the token broker in order to generate// a downscoped access token that only grants access to objects whose name begins with prefix.// The token broker would then pass the newly created token to the requesting token consumer for use.funccreateDownscopedToken(bucketNamestring,prefixstring)error{// bucketName := "foo"// prefix := "profile-picture-"ctx:=context.Background()// A condition can optionally be provided to further restrict access permissions.condition:=downscope.AvailabilityCondition{Expression:"resource.name.startsWith('projects/_/buckets/"+bucketName+"/objects/"+prefix+"')",Title:prefix+" Only",Description:"Restricts a token to only be able to access objects that start with `"+prefix+"`",}// Initializes an accessBoundary with one Rule which restricts the downscoped// token to only be able to access the bucket "bucketName" and only grants it the// permission "storage.objectViewer".accessBoundary:=[]downscope.AccessBoundaryRule{{AvailableResource:"//storage.googleapis.com/projects/_/buckets/"+bucketName,AvailablePermissions:[]string{"inRole:roles/storage.objectViewer"},Condition:&condition,// Optional},}// This Source can be initialized in multiple ways; the following example uses// Application Default Credentials.varrootSourceoauth2.TokenSource// You must provide the "https://www.googleapis.com/auth/cloud-platform" scope.rootSource,err:=google.DefaultTokenSource(ctx,"https://www.googleapis.com/auth/cloud-platform")iferr!=nil{returnfmt.Errorf("failed to generate rootSource: %w",err)}// downscope.NewTokenSource constructs the token source with the configuration provided.dts,err:=downscope.NewTokenSource(ctx,downscope.DownscopingConfig{RootSource:rootSource,Rules:accessBoundary})iferr!=nil{returnfmt.Errorf("failed to generate downscoped token source: %w",err)}// Token() uses the previously declared TokenSource to generate a downscoped token.tok,err:=dts.Token()iferr!=nil{returnfmt.Errorf("failed to generate token: %w",err)}// Pass this token back to the token consumer._=tokreturnnil}

import("context""fmt""io""golang.org/x/oauth2/google""golang.org/x/oauth2/google/downscope""cloud.google.com/go/storage""golang.org/x/oauth2""google.golang.org/api/option")// A token consumer should define their own tokenSource. In the Token() method,// it should send a query to a token broker requesting a downscoped token.// The token broker holds the root credential that is used to generate the// downscoped token.typelocalTokenSourcestruct{ctxcontext.ContextbucketNamestringbrokerURLstring}func(ltslocalTokenSource)Token()(*oauth2.Token,error){varremoteToken*oauth2.Token// Usually you would now retrieve remoteToken, an oauth2.Token, from token broker.// This snippet performs the same functionality locally.accessBoundary:=[]downscope.AccessBoundaryRule{{AvailableResource:"//storage.googleapis.com/projects/_/buckets/"+lts.bucketName,AvailablePermissions:[]string{"inRole:roles/storage.objectViewer"},},}rootSource,err:=google.DefaultTokenSource(lts.ctx,"https://www.googleapis.com/auth/cloud-platform")iferr!=nil{returnnil,fmt.Errorf("failed to generate rootSource: %w",err)}dts,err:=downscope.NewTokenSource(lts.ctx,downscope.DownscopingConfig{RootSource:rootSource,Rules:accessBoundary})iferr!=nil{returnnil,fmt.Errorf("failed to generate downscoped token source: %w",err)}// Token() uses the previously declared TokenSource to generate a downscoped token.remoteToken,err=dts.Token()iferr!=nil{returnnil,fmt.Errorf("failed to generate token: %w",err)}returnremoteToken,nil}// getObjectContents will read the contents of an object in Google Storage// named objectName, contained in the bucket "bucketName".funcgetObjectContents(outputio.Writer,bucketNamestring,objectNamestring)error{// bucketName := "foo"// prefix := "profile-picture-"ctx:=context.Background()thisTokenSource:=localTokenSource{ctx:ctx,bucketName:bucketName,brokerURL:"yourURL.com/internal/broker",}// Wrap the TokenSource in an oauth2.ReuseTokenSource to enable automatic refreshing.refreshableTS:=oauth2.ReuseTokenSource(nil,thisTokenSource)// You can now use the token source to access Google Cloud Storage resources as follows.storageClient,err:=storage.NewClient(ctx,option.WithTokenSource(refreshableTS))iferr!=nil{returnfmt.Errorf("failed to create the storage client: %w",err)}deferstorageClient.Close()bkt:=storageClient.Bucket(bucketName)obj:=bkt.Object(objectName)rc,err:=obj.NewReader(ctx)iferr!=nil{returnfmt.Errorf("failed to retrieve the object: %w",err)}deferrc.Close()data,err:=io.ReadAll(rc)iferr!=nil{returnfmt.Errorf("could not read the object's contents: %w",err)}// Data now contains the contents of the requested object.output.Write(data)returnnil}

publicstaticAccessTokengetTokenFromBroker(StringbucketName,StringobjectPrefix)throwsIOException{// Retrieve the source credentials from ADC.GoogleCredentialssourceCredentials=GoogleCredentials.getApplicationDefault().createScoped("https://www.googleapis.com/auth/cloud-platform");// Initialize the Credential Access Boundary rules.StringavailableResource="//storage.googleapis.com/projects/_/buckets/"+bucketName;// Downscoped credentials will have readonly access to the resource.StringavailablePermission="inRole:roles/storage.objectViewer";// Only objects starting with the specified prefix string in the object name will be allowed// read access.Stringexpression="resource.name.startsWith('projects/_/buckets/"+bucketName+"/objects/"+objectPrefix+"')";// Build the AvailabilityCondition.CredentialAccessBoundary.AccessBoundaryRule.AvailabilityConditionavailabilityCondition=CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition.newBuilder().setExpression(expression).build();// Define the single access boundary rule using the above properties.CredentialAccessBoundary.AccessBoundaryRulerule=CredentialAccessBoundary.AccessBoundaryRule.newBuilder().setAvailableResource(availableResource).addAvailablePermission(availablePermission).setAvailabilityCondition(availabilityCondition).build();// Define the Credential Access Boundary with all the relevant rules.CredentialAccessBoundarycredentialAccessBoundary=CredentialAccessBoundary.newBuilder().addRule(rule).build();// Create the downscoped credentials.DownscopedCredentialsdownscopedCredentials=DownscopedCredentials.newBuilder().setSourceCredential(sourceCredentials).setCredentialAccessBoundary(credentialAccessBoundary).build();// Retrieve the token.// This will need to be passed to the Token Consumer.AccessTokenaccessToken=downscopedCredentials.refreshAccessToken();returnaccessToken;}

publicstaticvoidtokenConsumer(finalStringbucketName,finalStringobjectName)throwsIOException{// You can pass an `OAuth2RefreshHandler` to `OAuth2CredentialsWithRefresh` which will allow the// library to seamlessly handle downscoped token refreshes on expiration.OAuth2CredentialsWithRefresh.OAuth2RefreshHandlerhandler=newOAuth2CredentialsWithRefresh.OAuth2RefreshHandler(){@OverridepublicAccessTokenrefreshAccessToken()throwsIOException{// The common pattern of usage is to have a token broker pass the downscoped short-lived// access tokens to a token consumer via some secure authenticated channel.// For illustration purposes, we are generating the downscoped token locally.// We want to test the ability to limit access to objects with a certain prefix string// in the resource bucket. objectName.substring(0, 3) is the prefix here. This field is// not required if access to all bucket resources are allowed. If access to limited// resources in the bucket is needed, this mechanism can be used.returngetTokenFromBroker(bucketName,objectName.substring(0,3));}};// Downscoped token retrieved from token broker.AccessTokendownscopedToken=handler.refreshAccessToken();// Create the OAuth2CredentialsWithRefresh from the downscoped token and pass a refresh handler// which will handle token expiration.// This will allow the consumer to seamlessly obtain new downscoped tokens on demand every time// token expires.OAuth2CredentialsWithRefreshcredentials=OAuth2CredentialsWithRefresh.newBuilder().setAccessToken(downscopedToken).setRefreshHandler(handler).build();// Use the credentials with the Cloud Storage SDK.StorageOptionsoptions=StorageOptions.newBuilder().setCredentials(credentials).build();Storagestorage=options.getService();// Call Cloud Storage APIs.Blobblob=storage.get(bucketName,objectName);Stringcontent=newString(blob.getContent());System.out.println("Retrieved object, "+objectName+", from bucket,"+bucketName+", with content: "+content);}

// Imports the Google Auth libraries.const{GoogleAuth,DownscopedClient}=require('google-auth-library');/** * Simulates token broker generating downscoped tokens for specified bucket. * * @param bucketName The name of the Cloud Storage bucket. * @param objectPrefix The prefix string of the object name. This is used *        to ensure access is restricted to only objects starting with this *        prefix string. */asyncfunctiongetTokenFromBroker(bucketName,objectPrefix){constgoogleAuth=newGoogleAuth({scopes:'https://www.googleapis.com/auth/cloud-platform',});// Define the Credential Access Boundary object.constcab={// Define the access boundary.accessBoundary:{// Define the single access boundary rule.accessBoundaryRules:[{availableResource:`//storage.googleapis.com/projects/_/buckets/${bucketName}`,// Downscoped credentials will have readonly access to the resource.availablePermissions:['inRole:roles/storage.objectViewer'],// Only objects starting with the specified prefix string in the object name// will be allowed read access.availabilityCondition:{expression:"resource.name.startsWith('projects/_/buckets/"+`${bucketName}/objects/${objectPrefix}')`,},},],},};// Obtain an authenticated client via ADC.constclient=awaitgoogleAuth.getClient();// Use the client to create a DownscopedClient.constcabClient=newDownscopedClient(client,cab);// Refresh the tokens.constrefreshedAccessToken=awaitcabClient.getAccessToken();// This will need to be passed to the token consumer.returnrefreshedAccessToken;}

// Imports the Google Auth and Google Cloud libraries.const{OAuth2Client}=require('google-auth-library');const{Storage}=require('@google-cloud/storage');/** * Simulates token consumer generating calling GCS APIs using generated * downscoped tokens for specified bucket. * * @param bucketName The name of the Cloud Storage bucket. * @param objectName The name of the object in the Cloud Storage bucket *        to read. */asyncfunctiontokenConsumer(bucketName,objectName){// Create the OAuth credentials (the consumer).constoauth2Client=newOAuth2Client();// We are defining a refresh handler instead of a one-time access// token/expiry pair.// This will allow the consumer to obtain new downscoped tokens on// demand every time a token is expired, without any additional code// changes.oauth2Client.refreshHandler=async()=>{// The common pattern of usage is to have a token broker pass the// downscoped short-lived access tokens to a token consumer via some// secure authenticated channel. For illustration purposes, we are// generating the downscoped token locally. We want to test the ability// to limit access to objects with a certain prefix string in the// resource bucket. objectName.substring(0, 3) is the prefix here. This// field is not required if access to all bucket resources are allowed.// If access to limited resources in the bucket is needed, this mechanism// can be used.constrefreshedAccessToken=awaitgetTokenFromBroker(bucketName,objectName.substring(0,3));return{access_token:refreshedAccessToken.token,expiry_date:refreshedAccessToken.expirationTime,};};conststorageOptions={projectId:process.env.GOOGLE_CLOUD_PROJECT,authClient:oauth2Client,};conststorage=newStorage(storageOptions);constdownloadFile=awaitstorage.bucket(bucketName).file(objectName).download();console.log(downloadFile.toString('utf8'));}

importgoogle.authfromgoogle.authimportdownscopedfromgoogle.auth.transportimportrequestsdefget_token_from_broker(bucket_name,object_prefix):"""Simulates token broker generating downscoped tokens for specified bucket.    Args:        bucket_name (str): The name of the Cloud Storage bucket.        object_prefix (str): The prefix string of the object name. This is used            to ensure access is restricted to only objects starting with this            prefix string.    Returns:        Tuple[str, datetime.datetime]: The downscoped access token and its expiry date.    """# Initialize the Credential Access Boundary rules.available_resource=f"//storage.googleapis.com/projects/_/buckets/{bucket_name}"# Downscoped credentials will have readonly access to the resource.available_permissions=["inRole:roles/storage.objectViewer"]# Only objects starting with the specified prefix string in the object name# will be allowed read access.availability_expression=("resource.name.startsWith('projects/_/buckets/{}/objects/{}')".format(bucket_name,object_prefix))availability_condition=downscoped.AvailabilityCondition(availability_expression)# Define the single access boundary rule using the above properties.rule=downscoped.AccessBoundaryRule(available_resource=available_resource,available_permissions=available_permissions,availability_condition=availability_condition,)# Define the Credential Access Boundary with all the relevant rules.credential_access_boundary=downscoped.CredentialAccessBoundary(rules=[rule])# Retrieve the source credentials via ADC.source_credentials,_=google.auth.default()ifsource_credentials.requires_scopes:source_credentials=source_credentials.with_scopes(["https://www.googleapis.com/auth/cloud-platform"])# Create the downscoped credentials.downscoped_credentials=downscoped.Credentials(source_credentials=source_credentials,credential_access_boundary=credential_access_boundary,)# Refresh the tokens.downscoped_credentials.refresh(requests.Request())# These values will need to be passed to the token consumer.access_token=downscoped_credentials.tokenexpiry=downscoped_credentials.expiryreturn(access_token,expiry)

fromgoogle.cloudimportstoragefromgoogle.oauth2importcredentialsdeftoken_consumer(bucket_name,object_name):"""Tests token consumer readonly access to the specified object.    Args:        bucket_name (str): The name of the Cloud Storage bucket.        object_name (str): The name of the object in the Cloud Storage bucket            to read.    """# Create the OAuth credentials from the downscoped token and pass a# refresh handler to handle token expiration. We are passing a# refresh_handler instead of a one-time access token/expiry pair.# This will allow the consumer to obtain new downscoped tokens on# demand every time a token is expired, without any additional code# changes.defrefresh_handler(request,scopes=None):# The common pattern of usage is to have a token broker pass the# downscoped short-lived access tokens to a token consumer via some# secure authenticated channel.# For illustration purposes, we are generating the downscoped token# locally.# We want to test the ability to limit access to objects with a certain# prefix string in the resource bucket. object_name[0:3] is the prefix# here. This field is not required if access to all bucket resources are# allowed. If access to limited resources in the bucket is needed, this# mechanism can be used.returnget_token_from_broker(bucket_name,object_prefix=object_name[0:3])creds=credentials.Credentials(None,scopes=["https://www.googleapis.com/auth/cloud-platform"],refresh_handler=refresh_handler,)# Initialize a Cloud Storage client with the oauth2 credentials.storage_client=storage.Client(credentials=creds)# The token broker has readonly access to the specified bucket object.bucket=storage_client.bucket(bucket_name)blob=bucket.blob(object_name)print(blob.download_as_bytes().decode("utf-8"))