feat: Document Fleet Reader role for Auth Library

regeter · regeter · commit 62f13aa95496 · 2025-05-16T14:13:47.000-07:00
diff --git a/README.md b/README.md
@@ -55,22 +55,24 @@ FleetEngine Service Super User | Grants permission to all vehicles and trips API
 Fleet Engine Delivery Consumer SDK User | Grants permission to search for tasks using a tracking ID, and to read but not update task information. Tokens minted by a service account with this role are typically used from a delivery consumer's web browser.
 Fleet Engine Delivery Untrusted Driver User | Grants permission to update delivery vehicle location. Tokens minted by a service account with this role are typically used from your delivery driver's mobile devices.
 Fleet Engine Delivery Trusted Driver User | Grants permission to create and update delivery vehicles and tasks, including updating the delivery vehicle location and task status or outcome. Tokens minted by a service account with this role are typically used from your delivery driver's mobile devices or from your backend servers.
-Fleet Engine Delivery Fleet Reader | Grants permission to read delivery vehicles and tasks and to search for tasks using a tracking ID. Tokens minted by a service account with this role are typically used from a delivery fleet operator's web browser.
+Fleet Engine Delivery Fleet Reader User | Grants permission to read delivery vehicles and tasks and to search for tasks using a tracking ID. Tokens minted by a service account with this role are typically used from a delivery fleet operator's web browser. **To be Deprecated in favor of unified Fleet Reader.**
 Fleet Engine Delivery Super User| Grants permission to all delivery vehicles and tasks APIs. Tokens minted by a service account with this role are typically used from your backend servers.
+Fleet Engine Fleet Reader User | Grants read access to all Fleet Engine resources (both On-Demand Rides & Deliveries and Last Mile Fleet Solution). Tokens minted by a service account with this role are typically used from a fleet operator's web browser or backend server for fleet-wide visibility.
 
 Each role is tied to a `com.google.fleetengine.auth.token.FleetEngineTokenType`,
 and each type of token can be constrained to a specific resource:
 
 Role                                | Token Type                      | Resource Constraint
 :---------------------------------- | :-----------------------------: | :-----------------:
-Fleet Engine Consumer SDK User      | `FleetEngineTokenType#CONSUMER` | trip id
-Fleet Engine Driver SDK User        | `FleetEngineTokenType#DRIVER`   | vehicle id
-Fleet Engine Service Super SDK User | `FleetEngineTokenType#SERVER`   | (no constraint)
-Fleet Engine Delivery Consumer SDK User      | `FleetEngineTokenType#DELIVERY_CONSUMER` | task id OR tracking id
-Fleet Engine Delivery Untrusted Driver SDK User        | `FleetEngineTokenType#UNTRUSTED_DELIVERY_DRIVER`   | delivery vehicle id
-Fleet Engine Delivery Trusted Driver SDK User | `FleetEngineTokenType#TRUSTED_DELIVERY_DRIVER`   | delivery vehicle id and task id
-Fleet Engine Delivery Fleet Reader SDK User | `FleetEngineTokenType#DELIVERY_FLEET_READER`   | (no constraint)
-Fleet Engine Delivery Super SDK User | `FleetEngineTokenType#DELIVERY_SERVER`   | (no constraint)
+Fleet Engine Consumer SDK User      | `FleetEngineTokenType.CONSUMER` | trip id
+Fleet Engine Driver SDK User        | `FleetEngineTokenType.DRIVER`   | vehicle id
+Fleet Engine Service Super SDK User | `FleetEngineTokenType.SERVER`   | (no constraint)
+Fleet Engine Delivery Consumer SDK User      | `FleetEngineTokenType.DELIVERY_CONSUMER` | task id OR tracking id
+Fleet Engine Delivery Untrusted Driver SDK User        | `FleetEngineTokenType.UNTRUSTED_DELIVERY_DRIVER`   | delivery vehicle id
+Fleet Engine Delivery Trusted Driver SDK User | `FleetEngineTokenType.TRUSTED_DELIVERY_DRIVER`   | delivery vehicle id and task id
+Fleet Engine Delivery Fleet Reader SDK User | `FleetEngineTokenType.DELIVERY_FLEET_READER`   | (no constraint)
+Fleet Engine Delivery Super SDK User | `FleetEngineTokenType.DELIVERY_SERVER`   | (no constraint)
+Fleet Engine Fleet Reader User      | `FleetEngineTokenType.FLEET_READER` | (no constraint)
 
 
 ### JWT Signers
@@ -108,8 +110,9 @@ For example, when creating tokens for use with the On Demand Rides and Deliverie
 ```java
 AuthTokenMinter minter = AuthTokenMinter.builder()
   .setServerTokenSigner(DefaultServiceAccountSigner.create())
-  .setDriverSigner(ImpersonatedAccountSignerCredentials.create("driver@gcp-project.com")
-  .setConsumerSigner(ImpersonatedAccountSignerCredentials.create("consumer@gcp-project.iam.gserviceaccount.com")
+  .setDriverSigner(ImpersonatedSigner.create("driver@gcp-project.iam.gserviceaccount.com"))
+  .setConsumerSigner(ImpersonatedSigner.create("consumer@gcp-project.iam.gserviceaccount.com"))
+  .setFleetReaderSigner(ImpersonatedSigner.create("fleet-reader@gcp-project.iam.gserviceaccount.com"))
   .build();
 ```
 
@@ -118,10 +121,10 @@ When creating tokens for use with the Last Mile Fleet Services, use:
 ```java
 AuthTokenMinter minter = AuthTokenMinter.deliveryBuilder()
   .setDeliveryServerSigner(DefaultServiceAccountSigner.create())
-  .setDeliveryConsumerSigner(ImpersonatedAccountSignerCredentials.create("delivery-consumer@gcp-project.com")
-  .setUntrustedDeliveryDriverSigner(ImpersonatedAccountSignerCredentials.create("untrusted-delivery-driver-signer@gcp-project.iam.gserviceaccount.com")
-  .setTrustedDeliveryDriverSigner(ImpersonatedAccountSignerCredentials.create("trusted-delivery-driver-signer@gcp-project.iam.gserviceaccount.com")
-  .setDeliveryFleetReaderSigner(ImpersonatedAccountSignerCredentials.create("delivery-fleet-reader@gcp-project.iam.gserviceaccount.com")
+  .setDeliveryConsumerSigner(ImpersonatedSigner.create("delivery-consumer@gcp-project.iam.gserviceaccount.com"))
+  .setUntrustedDeliveryDriverSigner(ImpersonatedSigner.create("untrusted-delivery-driver-signer@gcp-project.iam.gserviceaccount.com"))
+  .setTrustedDeliveryDriverSigner(ImpersonatedSigner.create("trusted-delivery-driver-signer@gcp-project.iam.gserviceaccount.com"))
+  .setFleetReaderSigner(ImpersonatedSigner.create("fleet-reader@gcp-project.iam.gserviceaccount.com"))
   .build();
 ```
 
@@ -134,6 +137,8 @@ FleetEngineToken serverToken = minter.getServerToken();
 FleetEngineToken consumerToken = minter.getConsumerToken(TripClaims.create("trip-id-123"));
 
 FleetEngineToken driverToken = minter.getDriverToken(VehicleClaims.create("vehicle-id-123"));
+
+FleetEngineToken fleetReaderToken = minter.getFleetReaderToken();
 ```
 
 A `FleetEngineToken` has several attributes, but in most cases, only the base64
