Spring Framework on Google Cloud Core

Each Spring Framework on Google Cloud module uses GcpProjectIdProvider and CredentialsProvider to get the Google Cloud project ID and access credentials.

Spring Framework on Google Cloud provides a Spring Boot starter to auto-configure the core components.

Maven coordinates, using Spring Framework on Google Cloud BOM:

<dependency>
    <groupId>com.google.cloud</groupId>
    <artifactId>spring-cloud-gcp-starter</artifactId>
</dependency>

Gradle coordinates:

dependencies {
    implementation("com.google.cloud:spring-cloud-gcp-starter")
}

Configuration

The following options may be configured with Spring Cloud core.

Name

Description

Required

Default value

spring.cloud.gcp.core.enabled

Enables or disables Google Cloud core auto configuration

No

true

Project ID

GcpProjectIdProvider is a functional interface that returns a Google Cloud project ID string.

public interface GcpProjectIdProvider {
	String getProjectId();
}

The Spring Framework on Google Cloud starter auto-configures a GcpProjectIdProvider. If a spring.cloud.gcp.project-id property is specified, the provided GcpProjectIdProvider returns that property value.

spring.cloud.gcp.project-id=my-gcp-project-id

Otherwise, the project ID is discovered based on an ordered list of rules:

  1. The project ID specified by the GOOGLE_CLOUD_PROJECT environment variable

  2. The Google App Engine project ID

  3. The project ID specified in the JSON credentials file pointed by the GOOGLE_APPLICATION_CREDENTIALS environment variable

  4. The Google Cloud SDK project ID

  5. The Google Compute Engine project ID, from the Google Compute Engine Metadata Server

Credentials

CredentialsProvider is a functional interface that returns the credentials to authenticate and authorize calls to Google Cloud Client Libraries.

public interface CredentialsProvider {
  Credentials getCredentials() throws IOException;
}

The Spring Framework on Google Cloud starter auto-configures a CredentialsProvider. This defaults to use Application Default Credentials (ADC) to authenticate the application, which tries to discover credentials from a number of places. Refer to this guide to set up Application Default Credentials.

If you cannot use ADC to authenticate, spring.cloud.gcp.credentials.location and spring.cloud.gcp.credentials.encoded-key properties are provided to use with a service account key.

Service account keys can become a security risk if not managed carefully. You should choose a more secure alternative for authentication whenever possible. Refer to this guide to learn more.

You can use the spring.cloud.gcp.credentials.location property to locate the OAuth2 private key of a Google service account. Keep in mind this property is a Spring Resource, so the credentials file can be obtained from a number of different locations such as the file system, classpath, URL, etc. The next example specifies the credentials location property in the file system.

spring.cloud.gcp.credentials.location=file:/usr/local/key.json

Alternatively, you can set the credentials by directly specifying the spring.cloud.gcp.credentials.encoded-key property. The value should be the base64-encoded account private key in JSON format.

If your app is running on Google App Engine or Google Compute Engine, in most cases, you should omit the spring.cloud.gcp.credentials.location property and, instead, let the Spring Framework on Google Cloud Starter get the correct credentials for those environments. On App Engine Standard, the App Identity service account credentials are used, on App Engine Flexible, the Flexible service account credential are used and on Google Compute Engine, the Compute Engine Default Service Account is used.

Scopes

By default, the credentials provided by the Spring Framework on Google Cloud Starter contain scopes for every service supported by Spring Framework on Google Cloud.

Service

Scope

Spanner

https://www.googleapis.com/auth/spanner.admin, https://www.googleapis.com/auth/spanner.data

Datastore

https://www.googleapis.com/auth/datastore

Pub/Sub

https://www.googleapis.com/auth/pubsub

Storage (Read Only)

https://www.googleapis.com/auth/devstorage.read_only

Storage (Read/Write)

https://www.googleapis.com/auth/devstorage.read_write

Runtime Config

https://www.googleapis.com/auth/cloudruntimeconfig

Trace (Append)

https://www.googleapis.com/auth/trace.append

Cloud Platform

https://www.googleapis.com/auth/cloud-platform

Vision

https://www.googleapis.com/auth/cloud-vision

The Spring Framework on Google Cloud starter allows you to configure a custom scope list for the provided credentials. To do that, specify a comma-delimited list of Google OAuth2 scopes in the spring.cloud.gcp.credentials.scopes property.

spring.cloud.gcp.credentials.scopes is a comma-delimited list of Google OAuth2 scopes for Google Cloud services that the credentials returned by the provided CredentialsProvider support.

spring.cloud.gcp.credentials.scopes=https://www.googleapis.com/auth/pubsub,https://www.googleapis.com/auth/sqlservice.admin

You can also use DEFAULT_SCOPES placeholder as a scope to represent the starters default scopes, and append the additional scopes you need to add.

spring.cloud.gcp.credentials.scopes=DEFAULT_SCOPES,https://www.googleapis.com/auth/cloud-vision

Environment

GcpEnvironmentProvider is a functional interface, auto-configured by the Spring Framework on Google Cloud starter, that returns a GcpEnvironment enum. The provider can help determine programmatically in which Google Cloud environment (App Engine Flexible, App Engine Standard, Kubernetes Engine or Compute Engine) the application is deployed.

public interface GcpEnvironmentProvider {
	GcpEnvironment getCurrentEnvironment();
}

Customizing bean scope

Spring Framework on Google Cloud starters autoconfigure all necessary beans in the default singleton scope. If you need a particular bean or set of beans to be recreated dynamically (for example, to rotate credentials), there are two options:

  1. Annotate custom beans of the necessary types with @RefreshScope. This makes the most sense if your application is already redefining those beans.

  2. Override the scope for autoconfigured beans by listing them in the Spring Cloud property spring.cloud.refresh.extra-refreshable.

    For example, the beans involved in Cloud Pub/Sub subscription could be marked as refreshable as follows:

spring.cloud.refresh.extra-refreshable=com.google.cloud.spring.pubsub.support.SubscriberFactory,\
  com.google.cloud.spring.pubsub.core.subscriber.PubSubSubscriberTemplate

SmartLifecycle beans, such as Spring Integration adapters, do not currently support @RefreshScope. If your application refreshes any beans used by such SmartLifecycle objects, it may also have to restart the beans manually when RefreshScopeRefreshedEvent is detected, such as in the Cloud Pub/Sub example below:

@Autowired
private PubSubInboundChannelAdapter pubSubAdapter;

@EventListener(RefreshScopeRefreshedEvent.class)
public void onRefreshScope(RefreshScopeRefreshedEvent event) {
  this.pubSubAdapter.stop();
  this.pubSubAdapter.start();
}

Spring Initializr

This starter is available from Spring Initializr through the GCP Support entry.