tessl/maven-io-grpc--grpc-alts

gRPC ALTS (Application Layer Transport Security) implementation for secure and authenticated communication between Google Cloud VMs

—

Pending

Overview

Eval results

Files

Channel Credentials

Name: tessl/maven-io-grpc--grpc-alts
Author: tessl

Lower-level credential objects for custom channel security configuration, providing fine-grained control over ALTS authentication settings.

Capabilities

ALTS Channel Credentials

Provides secure and authenticated communication between two cloud VMs using ALTS.

/**
 * Provides secure and authenticated communication between two cloud VMs using ALTS.
 */
@ExperimentalApi("https://github.com/grpc/grpc-java/issues/4151")
public final class AltsChannelCredentials {
    
    /**
     * Creates ALTS channel credentials with default settings
     * @return ChannelCredentials configured for ALTS
     */
    public static ChannelCredentials create();
    
    /**
     * Creates a new builder for customizing ALTS channel credentials
     * @return Builder instance
     */
    public static Builder newBuilder();
    
    /**
     * Builder for customizing ALTS channel credentials
     */
    @ExperimentalApi("https://github.com/grpc/grpc-java/issues/4151")
    public static final class Builder {
        
        /**
         * Adds an expected target service account. One of the added service accounts
         * should match the peer service account in the handshaker result.
         * @param targetServiceAccount the expected target service account
         * @return this builder for chaining
         */
        public Builder addTargetServiceAccount(String targetServiceAccount);
        
        /**
         * Enables untrusted ALTS for testing. Disables Google Cloud Platform checks.
         * @return this builder for chaining
         */
        public Builder enableUntrustedAltsForTesting();
        
        /**
         * Sets a custom handshaker service address for testing
         * @param handshakerAddress the handshaker service address
         * @return this builder for chaining
         */
        public Builder setHandshakerAddressForTesting(String handshakerAddress);
        
        /**
         * Builds the channel credentials
         * @return the configured ChannelCredentials
         */
        public ChannelCredentials build();
    }
}

Usage Examples:

import io.grpc.alts.AltsChannelCredentials;
import io.grpc.ChannelCredentials;
import io.grpc.Grpc;
import io.grpc.ManagedChannel;

// Basic ALTS credentials
ChannelCredentials creds = AltsChannelCredentials.create();
ManagedChannel channel = Grpc.newChannelBuilder("my-service:443", creds)
    .build();

// Customized ALTS credentials with service account verification
ChannelCredentials secureCreds = AltsChannelCredentials.newBuilder()
    .addTargetServiceAccount("backend@my-project.iam.gserviceaccount.com")
    .addTargetServiceAccount("backup@my-project.iam.gserviceaccount.com")
    .build();

ManagedChannel secureChannel = Grpc.newChannelBuilder("backend:8080", secureCreds)
    .build();

// Testing credentials
ChannelCredentials testCreds = AltsChannelCredentials.newBuilder()
    .enableUntrustedAltsForTesting()
    .setHandshakerAddressForTesting("localhost:9999")
    .build();

ManagedChannel testChannel = Grpc.newChannelBuilder("localhost:8080", testCreds)
    .build();

Compute Engine Channel Credentials

Creates credentials that use ALTS on Google Cloud Platform and automatically fall back to TLS elsewhere.

/**
 * Channel credentials that automatically choose ALTS on GCP and TLS elsewhere
 */
public final class ComputeEngineChannelCredentials {
    
    /**
     * Creates Compute Engine channel credentials with ALTS and TLS fallback
     * @return ChannelCredentials configured for Compute Engine environments
     */
    public static ChannelCredentials create();
}

Usage Examples:

import io.grpc.alts.ComputeEngineChannelCredentials;
import io.grpc.ChannelCredentials;
import io.grpc.Grpc;
import io.grpc.ManagedChannel;

// Automatic ALTS/TLS selection
ChannelCredentials creds = ComputeEngineChannelCredentials.create();
ManagedChannel channel = Grpc.newChannelBuilder("my-service:443", creds)
    .build();

// Works seamlessly across environments
ManagedChannel flexibleChannel = Grpc.newChannelBuilder("api.googleapis.com:443", creds)
    .build();

Google Default Channel Credentials

Creates credentials using the full Google Cloud authentication stack with support for both ALTS and OAuth credentials.

/**
 * Channel credentials for Google Cloud services with full authentication support
 */
public final class GoogleDefaultChannelCredentials {
    
    /**
     * Creates Google Default channel credentials with default settings
     * @return ChannelCredentials configured for Google Cloud services
     */
    public static ChannelCredentials create();
    
    /**
     * Creates a new builder for customizing Google Default channel credentials
     * @return Builder instance
     * @since 1.43.0
     */
    public static Builder newBuilder();
    
    /**
     * Builder for customizing Google Default channel credentials
     */
    public static final class Builder {
        
        /**
         * Sets call credentials for TLS connections
         * @param callCreds the call credentials for TLS
         * @return this builder for chaining
         */
        public Builder callCredentials(CallCredentials callCreds);
        
        /**
         * Sets ALTS-specific call credentials
         * @param callCreds the ALTS-specific call credentials
         * @return this builder for chaining
         */
        public Builder altsCallCredentials(CallCredentials callCreds);
        
        /**
         * Builds the channel credentials
         * @return the configured ChannelCredentials
         */
        public ChannelCredentials build();
    }
}

Usage Examples:

import io.grpc.alts.GoogleDefaultChannelCredentials;
import io.grpc.ChannelCredentials;
import io.grpc.Grpc;
import io.grpc.ManagedChannel;
import io.grpc.CallCredentials;

// Basic Google Default credentials
ChannelCredentials creds = GoogleDefaultChannelCredentials.create();
ManagedChannel channel = Grpc.newChannelBuilder("pubsub.googleapis.com:443", creds)
    .build();

// Customized with call credentials
CallCredentials authCreds = // ... OAuth credentials
ChannelCredentials customCreds = GoogleDefaultChannelCredentials.newBuilder()
    .callCredentials(authCreds)
    .build();

ManagedChannel authChannel = Grpc.newChannelBuilder("storage.googleapis.com:443", customCreds)
    .build();

Integration with gRPC Core

Channel credentials integrate with the core gRPC Grpc.newChannelBuilder() API:

import io.grpc.Grpc;
import io.grpc.ManagedChannel;
import io.grpc.ChannelCredentials;

// Use credentials with Grpc.newChannelBuilder()
ChannelCredentials credentials = // ... any ALTS credentials
ManagedChannel channel = Grpc.newChannelBuilder("target:443", credentials)
    .keepAliveTime(30, TimeUnit.SECONDS)
    .build();

Credential Selection Guide

Choose the appropriate credential type based on your environment and requirements:

AltsChannelCredentials: Pure ALTS authentication, requires Google Cloud Platform
ComputeEngineChannelCredentials: ALTS on GCP with TLS fallback for other environments
GoogleDefaultChannelCredentials: Full Google Cloud authentication stack with OAuth support

Security Considerations

Service Account Verification: Use addTargetServiceAccount() for additional security validation
Testing Methods: Never use testing methods in production environments
Credential Composition: Google Default credentials support layering OAuth and ALTS credentials
Environment Detection: Compute Engine credentials automatically detect the runtime environment

Install with Tessl CLI

npx tessl i tessl/maven-io-grpc--grpc-alts

docs

channel-builders.md

channel-credentials.md

context-authorization.md

index.md

server-builders.md

server-credentials.md

tile.json

tessl/maven-io-grpc--grpc-alts