feat: Custom Credential Supplier Documentation

[vverman]

Description

Adding documentation for Custom Credential Suppliers.

Custom Credential Suppliers enable developers to securely integrate third-party authentication directly into the Google Cloud SDKs. Custom Credential Suppliers are primarily used to handle authentication in non-standard cloud environments.

The design and scopes for this are documented under this design doc

Checklist

• I have followed Sample Format Guide
• pom.xml parent set to latest shared-configuration
• Appropriate changes to README are included in PR
• These samples need a new API enabled in testing projects to pass (let us know which ones)
• These samples need a new/updated env vars in testing projects set to pass (let us know which ones)
• Tests pass: mvn clean verify required
• Lint passes: mvn -P lint checkstyle:check required
• Static Analysis: mvn -P lint clean compile pmd:cpd-check spotbugs:check advisory only
• This sample adds a new sample directory, and I updated the CODEOWNERS file with the codeowners for this sample
• This sample adds a new Product API, and I updated the Blunderbuss issue/PR auto-assigner with the codeowners for this sample
• Please merge this PR for me once it is approved

These tests will safely skip if the env variables aren't provided.

For the aws custom credential supplier, we need: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION, GCP_WORKLOAD_AUDIENCE, GCS_BUCKET_NAME. Please refer to the ‎auth/README.md under custom credential suppliers for AWS.

For the okta custom credential supplier, we need: OKTA_DOMAIN, OKTA_CLIENT_ID, OKTA_CLIENT_SECRET, GCP_WORKLOAD_AUDIENCE, GCS_BUCKET_NAME. Please refer to the auth/README.md under custom credential suppliers for Okta.

[snippet-bot]

Here is the summary of changes.

You are about to add 4 region tags.

• auth/src/main/java/com/google/cloud/auth/samples/CustomCredentialSupplierAwsWorkload.java:19, tag auth_custom_credential_supplier_aws
• auth/src/main/java/com/google/cloud/auth/samples/CustomCredentialSupplierAwsWorkload.java:79, tag auth_custom_credential_supplier_aws
• auth/src/main/java/com/google/cloud/auth/samples/CustomCredentialSupplierOktaWorkload.java:19, tag auth_custom_credential_supplier_okta
• auth/src/main/java/com/google/cloud/auth/samples/CustomCredentialSupplierOktaWorkload.java:103, tag auth_custom_credential_supplier_okta

---

This comment is generated by snippet-bot.
If you find problems with this result, please file an issue at:
https://github.com/googleapis/repo-automation-bots/issues.
To update this comment, add snippet-bot:force-run label or use the checkbox below:

• Refresh this comment

[gemini-code-assist]

Summary of Changes

Hello @vverman, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the authentication capabilities of the Google Cloud SDKs by introducing documentation and functional code samples for Custom Credential Suppliers. This feature allows developers to seamlessly integrate third-party identity providers, such as Okta and AWS, with Google Cloud Workload Identity Federation, which is crucial for hybrid or multi-cloud environments where standard authentication methods may not apply. The changes provide clear guidance and practical examples for setting up and utilizing these custom authentication flows.

Highlights

• New Documentation for Custom Credential Suppliers: Added a new section to auth/README.md detailing how to use custom credential suppliers for external authentication with Google Cloud SDKs, specifically for Okta and AWS.
• Okta Custom Credential Supplier Sample: Introduced CustomCredentialSupplierOktaWorkload.java and its corresponding test, demonstrating how to use a custom IdentityPoolSubjectTokenSupplier to fetch an OIDC token from Okta and exchange it for Google Cloud credentials.
• AWS Custom Credential Supplier Sample: Added CustomCredentialSupplierAwsWorkload.java and its test, showcasing how to use the AWS SDK for Java (v2) as a custom AwsSecurityCredentialsSupplier to bridge AWS credentials to Google Cloud Workload Identity.
• Dependency Updates: The auth/pom.xml was updated to a newer shared-configuration parent version (1.2.2) and now includes necessary AWS SDK (v2) dependencies (bom, auth, regions) to support the new AWS integration.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces valuable documentation and sample code for using custom credential suppliers with AWS and Okta, which is a great addition for developers in multi-cloud or hybrid environments. The code is well-structured and the documentation is clear. I've provided a few suggestions to enhance thread-safety in the custom supplier implementations and to replace a deprecated method with a modern, safer alternative. Overall, this is an excellent contribution.

[gemini-code-assist]

The getRegion method performs lazy initialization of the region field, but it's not thread-safe. If multiple threads call this method concurrently when region is null, they could all attempt to resolve the region, which is inefficient. Since GoogleCredentials objects can be shared across threads, their components should be thread-safe.

To ensure thread safety, you can add the synchronized keyword to the method signature.

Suggested change

	public String getRegion(ExternalAccountSupplierContext context) {
	if (this.region == null) {
	Region awsRegion = new DefaultAwsRegionProviderChain().getRegion();
	if (awsRegion == null) {
	throw new IllegalStateException(
	"Unable to resolve AWS region. Ensure AWS_REGION is set or configured.");
	}
	this.region = awsRegion.id();
	}
	return this.region;
	}
	@Override
	public synchronized String getRegion(ExternalAccountSupplierContext context) {
	if (this.region == null) {
	Region awsRegion = new DefaultAwsRegionProviderChain().getRegion();
	if (awsRegion == null) {
	throw new IllegalStateException(
	"Unable to resolve AWS region. Ensure AWS_REGION is set or configured.");
	}
	this.region = awsRegion.id();
	}
	return this.region;
	}

[gemini-code-assist]

The getSubjectToken method caches and refreshes the Okta access token, but it's not thread-safe. If multiple threads call this method concurrently when the token is expired, they will all attempt to fetch a new token by calling fetchOktaAccessToken(). This creates a race condition where multiple tokens could be fetched unnecessarily.

Since GoogleCredentials objects are often shared across threads, their underlying suppliers should be thread-safe. You can easily fix this by making the method synchronized.

Suggested change

	public String getSubjectToken(ExternalAccountSupplierContext context) throws IOException {
	// Check if the current token is still valid (with a 60-second buffer).
	boolean isTokenValid =
	this.accessToken != null
	&& this.expiryTime != null
	&& Instant.now().isBefore(this.expiryTime.minusSeconds(TOKEN_REFRESH_BUFFER_SECONDS));
	if (isTokenValid) {
	return this.accessToken;
	}
	fetchOktaAccessToken();
	return this.accessToken;
	}
	@Override
	public synchronized String getSubjectToken(ExternalAccountSupplierContext context) throws IOException {
	// Check if the current token is still valid (with a 60-second buffer).
	boolean isTokenValid =
	this.accessToken != null
	&& this.expiryTime != null
	&& Instant.now().isBefore(this.expiryTime.minusSeconds(TOKEN_REFRESH_BUFFER_SECONDS));
	if (isTokenValid) {
	return this.accessToken;
	}
	fetchOktaAccessToken();
	return this.accessToken;
	}

[gemini-code-assist]

The method DataOutputStream.writeBytes() is deprecated and should be avoided. It does not properly convert characters to bytes and can lead to character encoding issues, especially with non-ASCII characters.

While it might work for the current params string, it's better to use a modern approach that explicitly handles character encoding. You can get the byte array from the string using a specific charset (like StandardCharsets.UTF_8) and write it to a raw OutputStream.

Suggested change

	try (DataOutputStream out = new DataOutputStream(conn.getOutputStream())) {
	// Scopes define the permissions the access token will have.
	// Update "gcp.test.read" to match your Okta configuration.
	String params = "grant_type=client_credentials&scope=gcp.test.read";
	out.writeBytes(params);
	out.flush();
	}
	try (java.io.OutputStream out = conn.getOutputStream()) {
	// Scopes define the permissions the access token will have.
	// Update "gcp.test.read" to match your Okta configuration.
	String params = "grant_type=client_credentials&scope=gcp.test.read";
	out.write(params.getBytes(StandardCharsets.UTF_8));
	out.flush();
	}