tessl/maven-io-grpc--grpc-alts
gRPC ALTS (Application Layer Transport Security) implementation for secure and authenticated communication between Google Cloud VMs
—
Pending
channel-builders.mddocs/
Channel Builders
High-level builders for creating secure gRPC channels with ALTS authentication and automatic fallback mechanisms.
Capabilities
ALTS Channel Builder
Creates a pure ALTS channel with mandatory ALTS authentication for secure communication between Google Cloud VMs.
/**
* ALTS version of ManagedChannelBuilder that sets up secure and authenticated
* communication between two cloud VMs using ALTS.
*/
@ExperimentalApi("https://github.com/grpc/grpc-java/issues/4151")
public final class AltsChannelBuilder extends ForwardingChannelBuilder2<AltsChannelBuilder> {
/**
* Creates an ALTS channel builder for the given target
* @param target the target URI or authority to connect to
* @return AltsChannelBuilder instance
*/
public static AltsChannelBuilder forTarget(String target);
/**
* Creates an ALTS channel builder for the given address and port
* @param name the hostname or IP address
* @param port the port number
* @return AltsChannelBuilder instance
*/
public static AltsChannelBuilder forAddress(String name, int port);
/**
* Adds an expected target service account. One of the added service accounts
* should match the peer service account in the handshaker result.
* @param targetServiceAccount the expected target service account
* @return this builder for chaining
*/
public AltsChannelBuilder addTargetServiceAccount(String targetServiceAccount);
/**
* Enables untrusted ALTS for testing. Disables Google Cloud Platform checks.
* @return this builder for chaining
*/
public AltsChannelBuilder enableUntrustedAltsForTesting();
/**
* Sets a custom handshaker service address for testing
* @param handshakerAddress the handshaker service address
* @return this builder for chaining
*/
public AltsChannelBuilder setHandshakerAddressForTesting(String handshakerAddress);
/**
* Builds the managed channel with ALTS security
* @return the configured ManagedChannel
*/
public ManagedChannel build();
}Usage Examples:
import io.grpc.alts.AltsChannelBuilder;
import io.grpc.ManagedChannel;
// Basic ALTS channel
ManagedChannel channel = AltsChannelBuilder
.forTarget("my-service:443")
.build();
// ALTS channel with service account verification
ManagedChannel secureChannel = AltsChannelBuilder
.forAddress("10.0.0.1", 8080)
.addTargetServiceAccount("backend@my-project.iam.gserviceaccount.com")
.addTargetServiceAccount("backup@my-project.iam.gserviceaccount.com")
.build();
// Testing configuration
ManagedChannel testChannel = AltsChannelBuilder
.forTarget("localhost:8080")
.enableUntrustedAltsForTesting()
.setHandshakerAddressForTesting("localhost:9999")
.build();Compute Engine Channel Builder
Creates a channel that uses ALTS on Google Cloud Platform and automatically falls back to TLS in other environments.
/**
* Channel builder that automatically chooses ALTS on GCP and TLS elsewhere
*/
public final class ComputeEngineChannelBuilder extends ForwardingChannelBuilder<ComputeEngineChannelBuilder> {
/**
* Creates a Compute Engine channel builder for the given target
* @param target the target URI or authority to connect to
* @return ComputeEngineChannelBuilder instance
*/
public static ComputeEngineChannelBuilder forTarget(String target);
/**
* Creates a Compute Engine channel builder for the given address and port
* @param name the hostname or IP address
* @param port the port number
* @return ComputeEngineChannelBuilder instance
*/
public static ComputeEngineChannelBuilder forAddress(String name, int port);
}Usage Examples:
import io.grpc.alts.ComputeEngineChannelBuilder;
import io.grpc.ManagedChannel;
// Automatic ALTS/TLS selection based on environment
ManagedChannel channel = ComputeEngineChannelBuilder
.forTarget("my-service.googleapis.com:443")
.build();
// Uses ALTS on GCP, TLS elsewhere
ManagedChannel flexibleChannel = ComputeEngineChannelBuilder
.forAddress("backend-service", 8080)
.build();Google Default Channel Builder
Creates a channel using the full Google Cloud authentication stack with support for both ALTS and OAuth credentials.
/**
* Channel builder for Google Cloud services with full authentication support
*/
public final class GoogleDefaultChannelBuilder extends ForwardingChannelBuilder<GoogleDefaultChannelBuilder> {
/**
* Creates a Google Default channel builder for the given target
* @param target the target URI or authority to connect to
* @return GoogleDefaultChannelBuilder instance
*/
public static GoogleDefaultChannelBuilder forTarget(String target);
/**
* Creates a Google Default channel builder for the given address and port
* @param name the hostname or IP address
* @param port the port number
* @return GoogleDefaultChannelBuilder instance
*/
public static GoogleDefaultChannelBuilder forAddress(String name, int port);
}Usage Examples:
import io.grpc.alts.GoogleDefaultChannelBuilder;
import io.grpc.ManagedChannel;
// Full Google Cloud authentication
ManagedChannel channel = GoogleDefaultChannelBuilder
.forTarget("pubsub.googleapis.com:443")
.build();
// Works with Google Cloud APIs
ManagedChannel apiChannel = GoogleDefaultChannelBuilder
.forTarget("storage.googleapis.com:443")
.build();Builder Pattern
All channel builders follow the standard gRPC builder pattern:
- Create: Use static factory methods (
forTarget(),forAddress()) - Configure: Chain configuration methods for customization
- Build: Call
build()to create the finalManagedChannel - Use: Use the channel with gRPC stubs
- Cleanup: Shutdown the channel when done
Security Considerations
- ALTS: Only works on Google Cloud Platform between authenticated VMs
- Service Account Verification: Use
addTargetServiceAccount()for additional security - Testing: Never use testing methods (
enableUntrustedAltsForTesting()) in production - Fallback: Compute Engine and Google Default builders provide automatic fallback mechanisms
Install with Tessl CLI
npx tessl i tessl/maven-io-grpc--grpc-alts