tessl/maven-io-grpc--grpc-alts

gRPC ALTS (Application Layer Transport Security) implementation for secure and authenticated communication between Google Cloud VMs

Workspace: tessl
Visibility: Public
Describes: mavenpkg:maven/io.grpc/grpc-alts@1.73.x

To install, run

npx @tessl/cli install tessl/maven-io-grpc--grpc-alts@1.73.0

gRPC ALTS Java Library

The gRPC ALTS (Application Layer Transport Security) Java library provides secure, authenticated communication capabilities for gRPC applications running on Google Cloud Platform. ALTS enables mutual authentication and encryption between services without explicit credential management, leveraging Google's infrastructure for automatic service identity verification.

Package Information

  • Package Name: grpc-alts
  • Package Type: maven
  • Language: Java
  • Installation: Maven coordinates io.grpc:grpc-alts:1.73.0

Core Imports

import io.grpc.alts.AltsChannelBuilder;
import io.grpc.alts.AltsServerBuilder;
import io.grpc.alts.AltsChannelCredentials;
import io.grpc.alts.AltsServerCredentials;
import io.grpc.alts.AltsContext;
import io.grpc.alts.AltsContextUtil;
import io.grpc.alts.ComputeEngineChannelBuilder;
import io.grpc.alts.GoogleDefaultChannelBuilder;

Basic Usage

Client Channel with ALTS

import io.grpc.alts.AltsChannelBuilder;
import io.grpc.ManagedChannel;

// Create a secure ALTS channel to a target service
ManagedChannel channel = AltsChannelBuilder.forTarget("example-service:443")
    .addTargetServiceAccount("expected-service@gcp-project.iam.gserviceaccount.com")
    .build();

// Use the channel for gRPC calls
YourServiceGrpc.YourServiceBlockingStub stub = 
    YourServiceGrpc.newBlockingStub(channel);

Server with ALTS

import io.grpc.alts.AltsServerBuilder;
import io.grpc.Server;

// Create a secure ALTS server
Server server = AltsServerBuilder.forPort(8080)
    .addService(new YourServiceImpl())
    .build();

server.start();

Compute Engine Channel (ALTS with TLS Fallback)

import io.grpc.alts.ComputeEngineChannelBuilder;
import io.grpc.ManagedChannel;

// Automatically uses ALTS on GCP, TLS elsewhere
ManagedChannel channel = ComputeEngineChannelBuilder
    .forTarget("example-service:443")
    .build();

Architecture

The gRPC ALTS library is organized around several key components:

  • Channel and Server Builders: High-level builders (AltsChannelBuilder, AltsServerBuilder) that configure ALTS security automatically
  • Credential Classes: Lower-level credential objects (AltsChannelCredentials, AltsServerCredentials) for custom integration
  • Context and Authorization: Runtime context access (AltsContext, AltsContextUtil) for service identity verification
  • Fallback Mechanisms: Compute Engine and Google Default builders that provide automatic fallback to TLS
  • Testing Support: Testing-only configurations (enableUntrustedAltsForTesting, setHandshakerAddressForTesting) for development and testing environments

Capabilities

Channel Builders

High-level builders for creating secure gRPC channels with ALTS authentication. These builders automatically configure the underlying security infrastructure.

// Pure ALTS channel builder
public final class AltsChannelBuilder {
    public static AltsChannelBuilder forTarget(String target);
    public static AltsChannelBuilder forAddress(String name, int port);
    public AltsChannelBuilder addTargetServiceAccount(String targetServiceAccount);
    public ManagedChannel build();
}

// Compute Engine channel builder (ALTS with TLS fallback)
public final class ComputeEngineChannelBuilder {
    public static ComputeEngineChannelBuilder forTarget(String target);
    public static ComputeEngineChannelBuilder forAddress(String name, int port);
}

// Google Default channel builder (full Google Cloud auth stack)
public final class GoogleDefaultChannelBuilder {
    public static GoogleDefaultChannelBuilder forTarget(String target);
    public static GoogleDefaultChannelBuilder forAddress(String name, int port);
}

Server Builders

High-level builders for creating secure gRPC servers with ALTS authentication.

public final class AltsServerBuilder {
    public static AltsServerBuilder forPort(int port);
    public AltsServerBuilder enableUntrustedAltsForTesting();
    public AltsServerBuilder setHandshakerAddressForTesting(String handshakerAddress);
    public Server build();
}

Channel Credentials

Lower-level credential objects for custom channel security configuration.

public final class AltsChannelCredentials {
    public static ChannelCredentials create();
    public static Builder newBuilder();
}

public final class ComputeEngineChannelCredentials {
    public static ChannelCredentials create();
}

public final class GoogleDefaultChannelCredentials {
    public static ChannelCredentials create();
    public static Builder newBuilder(); // Since 1.43.0
}

Server Credentials

Lower-level credential objects for custom server security configuration.

public final class AltsServerCredentials {
    public static ServerCredentials create();
    public static Builder newBuilder();
}

Context and Authorization

Runtime context access for service identity verification and authorization checks.

public final class AltsContext {
    public SecurityLevel getSecurityLevel();
    public String getPeerServiceAccount();
    public String getLocalServiceAccount();
    
    public enum SecurityLevel {
        UNKNOWN, SECURITY_NONE, INTEGRITY_ONLY, INTEGRITY_AND_PRIVACY
    }
}

public final class AltsContextUtil {
    public static AltsContext createFrom(ServerCall<?, ?> call);
    public static AltsContext createFrom(ClientCall<?, ?> call);
    public static boolean check(ServerCall<?, ?> call);
    public static boolean check(ClientCall<?, ?> call);
}

public final class AuthorizationUtil {
    public static Status clientAuthorizationCheck(
        ServerCall<?, ?> call, 
        Collection<String> expectedServiceAccounts
    );
}
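
A server interceptor that combines the three classes listed above to fail closed on non-ALTS calls, require an encrypted session, and enforce a peer service-account allowlist. This is an added example, not code from the grpc-alts project; the class name AltsPeerAllowlistInterceptor and the rejection messages are assumptions.

```java
import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import io.grpc.Status;
import io.grpc.alts.AltsContext;
import io.grpc.alts.AltsContextUtil;
import io.grpc.alts.AuthorizationUtil;
import java.util.Collection;

// Hypothetical class name: rejects any call not authenticated over ALTS by an allowed peer.
public final class AltsPeerAllowlistInterceptor implements ServerInterceptor {
    private final Collection<String> allowedServiceAccounts;

    public AltsPeerAllowlistInterceptor(Collection<String> allowedServiceAccounts) {
        this.allowedServiceAccounts = allowedServiceAccounts;
    }

    @Override
    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
            ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) {
        // 1. Fail closed when the transport carries no ALTS context (e.g. plaintext or TLS).
        if (!AltsContextUtil.check(call)) {
            return reject(call, Status.UNAUTHENTICATED.withDescription("ALTS required"));
        }
        // 2. Require both integrity and confidentiality, not just an authenticated peer.
        AltsContext ctx = AltsContextUtil.createFrom(call);
        if (ctx.getSecurityLevel() != AltsContext.SecurityLevel.INTEGRITY_AND_PRIVACY) {
            return reject(call, Status.PERMISSION_DENIED.withDescription("insufficient security level"));
        }
        // 3. Compare the authenticated peer service account against the allowlist.
        Status authz = AuthorizationUtil.clientAuthorizationCheck(call, allowedServiceAccounts);
        if (!authz.isOk()) {
            return reject(call, authz);
        }
        return next.startCall(call, headers);
    }

    private static <ReqT, RespT> ServerCall.Listener<ReqT> reject(
            ServerCall<ReqT, RespT> call, Status status) {
        call.close(status, new Metadata());
        return new ServerCall.Listener<ReqT>() {}; // no-op listener: the handler never runs
    }
}
```

Register it on the server builder with intercept(...) before build(), so the check runs ahead of every service handler.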

Types

// Core gRPC interfaces used by ALTS
import io.grpc.ManagedChannel;
import io.grpc.Server;
import io.grpc.ChannelCredentials;
import io.grpc.ServerCredentials;
import io.grpc.ServerCall;
import io.grpc.ClientCall;
import io.grpc.Status;

// Java standard types
import java.util.Collection;
import java.util.concurrent.TimeUnit;

API Maturity

Most ALTS APIs are marked as @ExperimentalApi and subject to change:

  • Main builder and credential APIs are experimental (Issue #4151)
  • Context and utility APIs are experimental (Issue #7864)

Production usage should account for potential API changes in future versions.