Changed the custom credential scripts to use the secrets.json file to read properties.

Author: vverman

auth/.gitignore

@@ -0,0 +1,3 @@
+# Ignore GCP and IdP secret files
+src/main/java/com/google/cloud/auth/samples/customcredentials/aws/custom-credentials-aws-secrets.json
+src/main/java/com/google/cloud/auth/samples/customcredentials/okta/custom-credentials-okta-secrets.json

auth/README.md

@@ -67,51 +67,6 @@ You can then run `DownscopingExample` via:
 
 	mvn exec:java -Dexec.mainClass=com.google.cloud.auth.samples.DownscopingExample
 
-## Custom Credential Suppliers
-
-If you want to use external credentials (like AWS or Okta) that require custom retrieval logic not supported natively by the library, you can provide a custom supplier implementation.
-
-### Authenticate with Okta (Custom Supplier)
-
-This sample demonstrates how to use a custom `IdentityPoolSubjectTokenSupplier` to fetch an OIDC token from Okta using the Client Credentials flow and exchange it for Google Cloud credentials.
-
-1.  **Set required environment variables:**
-    ```bash
-    export OKTA_DOMAIN="https://your-domain.okta.com"
-    export OKTA_CLIENT_ID="your-client-id"
-    export OKTA_CLIENT_SECRET="your-client-secret"
-    export GCP_WORKLOAD_AUDIENCE="//iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/my-pool/providers/my-provider"
-    export GCS_BUCKET_NAME="your-bucket-name"
-    # Optional:
-    # export GCP_SERVICE_ACCOUNT_IMPERSONATION_URL="..."
-    ```
-
-2.  **Run the sample:**
-    ```bash
-    mvn exec:java -Dexec.mainClass=com.google.cloud.auth.samples.CustomCredentialSupplierOktaWorkload
-    ```
-
-### Authenticate with AWS (Custom Supplier)
-
-This sample demonstrates how to use the **AWS SDK for Java (v2)** as a custom `AwsSecurityCredentialsSupplier` to bridge AWS credentials (from environment, `~/.aws/credentials`, or EKS/ECS metadata) to Google Cloud Workload Identity.
-
-1.  **Set required environment variables:**
-    ```bash
-    # Google Cloud Config
-    export GCP_WORKLOAD_AUDIENCE="//iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/my-pool/providers/my-aws-provider"
-    export GCS_BUCKET_NAME="your-bucket-name"
-    
-    # AWS Credentials (or use ~/.aws/credentials)
-    export AWS_ACCESS_KEY_ID="your-aws-key"
-    export AWS_SECRET_ACCESS_KEY="your-aws-secret"
-    export AWS_REGION="us-east-1"
-    ```
-
-2.  **Run the sample:**
-    ```bash
-    mvn exec:java -Dexec.mainClass=com.google.cloud.auth.samples.CustomCredentialSupplierAwsWorkload
-    ```
-
 ## Tests
 Run all tests:
 ```

…CustomCredentialSupplierAwsWorkload.java …CustomCredentialSupplierAwsWorkload.javaauth/src/main/java/com/google/cloud/auth/samples/CustomCredentialSupplierAwsWorkload.java renamed to auth/src/main/java/com/google/cloud/auth/samples/customcredentials/aws/CustomCredentialSupplierAwsWorkload.java auth/src/main/java/com/google/cloud/auth/samples/CustomCredentialSupplierAwsWorkload.java renamed to auth/src/main/java/com/google/cloud/auth/samples/customcredentials/aws/CustomCredentialSupplierAwsWorkload.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package com.google.cloud.auth.samples;
+package com.google.cloud.auth.samples.customcredentials.aws;
 
 // [START auth_custom_credential_supplier_aws]
 import com.google.auth.oauth2.AwsCredentials;
@@ -25,7 +25,14 @@
 import com.google.cloud.storage.Bucket;
 import com.google.cloud.storage.Storage;
 import com.google.cloud.storage.StorageOptions;
+import com.google.gson.Gson;
+import com.google.gson.reflect.TypeToken;
 import java.io.IOException;
+import java.io.Reader;
+import java.lang.reflect.Type;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.util.Map;
 import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
 import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
 import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
@@ -41,30 +48,106 @@
 public class CustomCredentialSupplierAwsWorkload {
 
   public static void main(String[] args) throws IOException {
+
+    // Reads the custom-credentials-aws-secrets.json if running locally.
+    loadConfigFromFile();
+
     // The audience for the workload identity federation.
     // Format: //iam.googleapis.com/projects/<project-number>/locations/global/
     //         workloadIdentityPools/<pool-id>/providers/<provider-id>
-    String gcpWorkloadAudience = System.getenv("GCP_WORKLOAD_AUDIENCE");
+    String gcpWorkloadAudience = getConfiguration("GCP_WORKLOAD_AUDIENCE");
 
     // The bucket to fetch data from.
-    String gcsBucketName = System.getenv("GCS_BUCKET_NAME");
+    String gcsBucketName = getConfiguration("GCS_BUCKET_NAME");
 
     // (Optional) The service account impersonation URL.
-    String saImpersonationUrl = System.getenv("GCP_SERVICE_ACCOUNT_IMPERSONATION_URL");
+    String saImpersonationUrl = getConfiguration("GCP_SERVICE_ACCOUNT_IMPERSONATION_URL");
 
     if (gcpWorkloadAudience == null || gcsBucketName == null) {
       System.err.println(
-          "Error: GCP_WORKLOAD_AUDIENCE and GCS_BUCKET_NAME environment variables are required.");
+          "Required configuration missing. Please provide it in a "
+              + "custom-credentials-aws-secrets.json file or as environment variables: "
+              + "GCP_WORKLOAD_AUDIENCE, GCS_BUCKET_NAME");
+      return;
+    }
+
+    try {
+      System.out.println("Retrieving metadata for bucket: " + gcsBucketName + "...");
+      Bucket bucket =
+          authenticateWithAwsCredentials(gcpWorkloadAudience, saImpersonationUrl, gcsBucketName);
+
+      System.out.println(" --- SUCCESS! ---");
+      System.out.println("Bucket details:");
+      System.out.printf("  Name: %s%n", bucket.getName());
+      System.out.printf("  Location: %s%n", bucket.getLocation());
+      System.out.printf("  Storage Class: %s%n", bucket.getStorageClass());
+      System.out.printf("  Metageneration: %s%n", bucket.getMetageneration());
+    } catch (Exception e) {
+      System.err.println("Authentication or Request failed: " + e.getMessage());
+    }
+  }
+
+  /**
+   * Helper method to retrieve configuration. It checks Environment variables first, then System
+   * properties (populated by loadConfigFromFile).
+   */
+  static String getConfiguration(String key) {
+    String value = System.getenv(key);
+    if (value == null) {
+      value = System.getProperty(key);
+    }
+    return value;
+  }
+
+  /**
+   * If a local secrets file is present, load it into the System Properties. This is a
+   * "just-in-time" configuration for local development. These variables are only set for the
+   * current process.
+   */
+  static void loadConfigFromFile() {
+    String secretsFile = "custom-credentials-aws-secrets.json";
+    if (!Files.exists(Paths.get(secretsFile))) {
       return;
     }
 
-    System.out.println("Getting metadata for bucket: " + gcsBucketName + "...");
-    Bucket bucket =
-        authenticateWithAwsCredentials(gcpWorkloadAudience, saImpersonationUrl, gcsBucketName);
+    try (Reader reader = Files.newBufferedReader(Paths.get(secretsFile))) {
+      // Use Gson to parse the JSON file into a Map
+      Gson gson = new Gson();
+      Type type = new TypeToken<Map<String, String>>() {}.getType();
+      Map<String, String> secrets = gson.fromJson(reader, type);
+
+      if (secrets == null) {
+        return;
+      }
 
-    System.out.println(" --- SUCCESS! ---");
-    System.out.printf("Bucket Name: %s%n", bucket.getName());
-    System.out.printf("Bucket Location: %s%n", bucket.getLocation());
+      // AWS SDK for Java looks for System Properties with specific names (camelCase)
+      // if environment variables are missing.
+      if (secrets.containsKey("aws_access_key_id")) {
+        System.setProperty("aws.accessKeyId", secrets.get("aws_access_key_id"));
+      }
+      if (secrets.containsKey("aws_secret_access_key")) {
+        System.setProperty("aws.secretAccessKey", secrets.get("aws_secret_access_key"));
+      }
+      if (secrets.containsKey("aws_region")) {
+        System.setProperty("aws.region", secrets.get("aws_region"));
+      }
+
+      // Set custom GCP variables as System Properties so getConfiguration() can find them.
+      if (secrets.containsKey("gcp_workload_audience")) {
+        System.setProperty("GCP_WORKLOAD_AUDIENCE", secrets.get("gcp_workload_audience"));
+      }
+      if (secrets.containsKey("gcs_bucket_name")) {
+        System.setProperty("GCS_BUCKET_NAME", secrets.get("gcs_bucket_name"));
+      }
+      if (secrets.containsKey("gcp_service_account_impersonation_url")) {
+        System.setProperty(
+            "GCP_SERVICE_ACCOUNT_IMPERSONATION_URL",
+            secrets.get("gcp_service_account_impersonation_url"));
+      }
+
+    } catch (IOException e) {
+      System.err.println("Error reading secrets file: " + e.getMessage());
+    }
   }
 
   /**
@@ -117,7 +200,7 @@ private static class CustomAwsSupplier implements AwsSecurityCredentialsSupplier
     private String region;
 
     public CustomAwsSupplier() {
-      // The AWS SDK handles memoization and refreshing internally.
+      // The AWS SDK handles caching internally.
       this.awsCredentialsProvider = DefaultCredentialsProvider.create();
     }
 

auth/src/main/java/com/google/cloud/auth/samples/customcredentials/aws/Dockerfile

@@ -0,0 +1,35 @@
+# Build the application
+FROM maven:3.9-eclipse-temurin-17 AS builder
+
+WORKDIR /app
+
+# Copy only the build config first (for better layer caching)
+COPY pom.xml .
+COPY src ./src
+
+# 'clean package': Compiles the code and creates the thin jar in /app/target
+# 'dependency:copy-dependencies': Copies all JARs to /app/target/libs
+# We explicitly set -DoutputDirectory so we know EXACTLY where they are.
+RUN mvn clean package dependency:copy-dependencies \
+    -DoutputDirectory=target/libs \
+    -DskipTests
+
+# Run the application
+FROM eclipse-temurin:17-jre-focal
+
+# Security: Create a non-root user
+RUN useradd -m appuser
+USER appuser
+WORKDIR /app
+
+# Copy the Thin Jar (Your application code)
+# Ensure the name 'auth-1.0.jar' matches your pom.xml artifactId/version
+COPY --from=builder --chown=appuser:appuser /app/target/auth-1.0.jar app.jar
+
+# Copy the Dependencies (The libraries)
+COPY --from=builder --chown=appuser:appuser /app/target/libs lib/
+
+# Run with Classpath
+# We add 'app.jar' and everything in 'lib/' to the classpath.
+# We explicitly specify the Main Class here, so your shared pom.xml doesn't need to change.
+CMD ["java", "-cp", "app.jar:lib/*", "com.google.cloud.auth.samples.customcredentials.aws.CustomCredentialSupplierAwsWorkload"]

auth/src/main/java/com/google/cloud/auth/samples/customcredentials/aws/README.md

@@ -0,0 +1,124 @@
+# Running the Custom AWS Credential Supplier Sample (Java)
+
+This sample demonstrates how to use a custom AWS security credential supplier to authenticate with Google Cloud using AWS as an external identity provider. It uses the **AWS SDK for Java (v2)** to fetch credentials from sources like Amazon Elastic Kubernetes Service (EKS) with IAM Roles for Service Accounts (IRSA), Elastic Container Service (ECS), or Fargate.
+
+## Prerequisites
+
+*   An AWS account.
+*   A Google Cloud project with the IAM API enabled.
+*   A GCS bucket.
+*   **Java 11** or later installed.
+*   **Maven** installed.
+
+If you want to use AWS security credentials that cannot be retrieved using methods supported natively by the Google Auth library, a custom `AwsSecurityCredentialsSupplier` implementation may be specified. The supplier must return valid, unexpired AWS security credentials when called by the Google Cloud Auth library.
+
+## Running Locally
+
+For local development, you can provide credentials and configuration in a JSON file.
+
+### Build the Project
+
+Ensure you have Java and Maven installed, then build the project to download dependencies and create an executable JAR:
+
+```bash
+mvn clean package
+```
+
+### Configure Credentials for Local Development
+
+1.  Copy the example secrets file to a new file named `custom-credentials-aws-secrets.json` in the project root:
+    ```bash
+    cp custom-credentials-aws-secrets.json.example custom-credentials-aws-secrets.json
+    ```
+2.  Open `custom-credentials-aws-secrets.json` and fill in the required values for your AWS and Google Cloud configuration. Do not check your `custom-credentials-aws-secrets.json` file into version control.
+
+**Note:** This file is only used for local development and is not needed when running in a containerized environment like EKS with IRSA.
+
+### Run the Application
+
+Execute the JAR file generated in the `target` directory:
+
+```bash
+java -jar target/custom-credential-aws-1.0-SNAPSHOT.jar
+```
+
+*Note: Adjust the JAR filename version if you modified it in your `pom.xml`.*
+
+When run locally, the application will detect the `custom-credentials-aws-secrets.json` file and use it to configure the necessary system properties for the AWS SDK.
+
+## Running in a Containerized Environment (EKS)
+
+This section provides a brief overview of how to run the sample in an Amazon EKS cluster.
+
+### EKS Cluster Setup
+
+First, you need an EKS cluster. You can create one using `eksctl` or the AWS Management Console. For detailed instructions, refer to the [Amazon EKS documentation](https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html).
+
+### Configure IAM Roles for Service Accounts (IRSA)
+
+IRSA enables you to associate an IAM role with a Kubernetes service account. This provides a secure way for your pods to access AWS services without hardcoding long-lived credentials.
+
+Run the following command to create the IAM role and bind it to a Kubernetes Service Account:
+
+```bash
+eksctl create iamserviceaccount \
+  --name your-k8s-service-account \
+  --namespace default \
+  --cluster your-cluster-name \
+  --region your-aws-region \
+  --role-name your-role-name \
+  --attach-policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess \
+  --approve
+```
+
+> **Note**: The `--attach-policy-arn` flag is used here to demonstrate attaching permissions. Update this with the specific AWS policy ARN your application requires.
+
+For a deep dive into how this works without using `eksctl`, refer to the [IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) documentation.
+
+### Configure Google Cloud to Trust the AWS Role
+
+To allow your AWS role to authenticate as a Google Cloud service account, you need to configure Workload Identity Federation. This process involves these key steps:
+
+1.  **Create a Workload Identity Pool and an AWS Provider:** The pool holds the configuration, and the provider is set up to trust your AWS account.
+
+2.  **Create or select a Google Cloud Service Account:** This service account will be impersonated by your AWS role.
+
+3.  **Bind the AWS Role to the Google Cloud Service Account:** Create an IAM policy binding that gives your AWS role the `Workload Identity User` (`roles/iam.workloadIdentityUser`) role on the Google Cloud service account.
+
+For more detailed information, see the documentation on [Configuring Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds).
+
+### Containerize and Package the Application
+
+Create a `Dockerfile` for the Java application and push the image to a container registry (for example Amazon ECR) that your EKS cluster can access.
+
+**Note:** The provided [`Dockerfile`](Dockerfile) uses a multi-stage build to compile the Java code. It is an example that may need modification for your specific needs.
+
+Build and push the image:
+```bash
+docker build -t your-container-image:latest .
+docker push your-container-image:latest
+```
+
+### Deploy to EKS
+
+Create a Kubernetes deployment manifest to deploy your application to the EKS cluster. See the [`pod.yaml`](pod.yaml) file for an example.
+
+**Note:** The provided [`pod.yaml`](pod.yaml) is an example and may need to be modified for your specific needs.
+
+Deploy the pod:
+
+```bash
+kubectl apply -f pod.yaml
+```
+
+### Clean Up
+
+To clean up the resources, delete the EKS cluster and any other AWS and Google Cloud resources you created.
+
+```bash
+eksctl delete cluster --name your-cluster-name
+```
+
+## Testing
+
+This sample is not continuously tested. It is provided for instructional purposes and may require modifications to work in your environment.

auth/src/main/java/com/google/cloud/auth/samples/customcredentials/aws/custom-credentials-aws-secrets.json.example

@@ -0,0 +1,8 @@
+{
+  "aws_access_key_id": "YOUR_AWS_ACCESS_KEY_ID",
+  "aws_secret_access_key": "YOUR_AWS_SECRET_ACCESS_KEY",
+  "aws_region": "YOUR_AWS_REGION",
+  "gcp_workload_audience": "YOUR_GCP_WORKLOAD_AUDIENCE",
+  "gcs_bucket_name": "YOUR_GCS_BUCKET_NAME",
+  "gcp_service_account_impersonation_url": "YOUR_GCP_SERVICE_ACCOUNT_IMPERSONATION_URL"
+}