Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var ( // Now aliases time.Now for testing Now = func() time.Time { return time.Now().UTC() } )
Functions ¶
func NewTokenProvider ¶
func NewTokenProvider(opts *Options) (auth.TokenProvider, error)
NewTokenProvider returns a cloud.google.com/go/auth.TokenProvider configured with the provided options.
Types ¶
type AwsSecurityCredentials ¶
type AwsSecurityCredentials struct { // AccessKeyId is the AWS Access Key ID - Required. AccessKeyID string `json:"AccessKeyID"` // SecretAccessKey is the AWS Secret Access Key - Required. SecretAccessKey string `json:"SecretAccessKey"` // SessionToken is the AWS Session token. This should be provided for // temporary AWS security credentials - Optional. SessionToken string `json:"Token"` }
AwsSecurityCredentials models AWS security credentials.
type AwsSecurityCredentialsProvider ¶
type AwsSecurityCredentialsProvider interface { // AwsRegion should return the AWS region or an error. AwsRegion(ctx context.Context, opts *RequestOptions) (string, error) // GetAwsSecurityCredentials should return a valid set of // AwsSecurityCredentials or an error. The external account token provider // does not cache the returned security credentials, so caching logic should // be implemented in the provider to prevent multiple requests for the // same security credentials. AwsSecurityCredentials(ctx context.Context, opts *RequestOptions) (*AwsSecurityCredentials, error) }
AwsSecurityCredentialsProvider can be used to supply AwsSecurityCredentials and an AWS Region to exchange for a GCP access token.
type Options ¶
type Options struct { // Audience is the Secure Token Service (STS) audience which contains the resource name for the workload // identity pool or the workforce pool and the provider identifier in that pool. Audience string // SubjectTokenType is the STS token type based on the Oauth2.0 token exchange spec // e.g. `urn:ietf:params:oauth:token-type:jwt`. SubjectTokenType string // TokenURL is the STS token exchange endpoint. TokenURL string // TokenInfoURL is the token_info endpoint used to retrieve the account related information ( // user attributes like account identifier, eg. email, username, uid, etc). This is // needed for gCloud session account identification. TokenInfoURL string // ServiceAccountImpersonationURL is the URL for the service account impersonation request. This is only // required for workload identity pools when APIs to be accessed have not integrated with UberMint. ServiceAccountImpersonationURL string // ServiceAccountImpersonationLifetimeSeconds is the number of seconds the service account impersonation // token will be valid for. ServiceAccountImpersonationLifetimeSeconds int // ClientSecret is currently only required if token_info endpoint also // needs to be called with the generated GCP access token. When provided, STS will be // called with additional basic authentication using client_id as username and client_secret as password. ClientSecret string // ClientID is only required in conjunction with ClientSecret, as described above. ClientID string // CredentialSource contains the necessary information to retrieve the token itself, as well // as some environmental information. CredentialSource *credsfile.CredentialSource // QuotaProjectID is injected by gCloud. If the value is non-empty, the Auth libraries // will set the x-goog-user-project which overrides the project associated with the credentials. QuotaProjectID string // Scopes contains the desired scopes for the returned access token. Scopes []string // WorkforcePoolUserProject should be set when it is a workforce pool and // not a workload identity pool. The underlying principal must still have // serviceusage.services.use IAM permission to use the project for // billing/quota. Optional. WorkforcePoolUserProject string // UniverseDomain is the default service domain for a given Cloud universe. // This value will be used in the default STS token URL. The default value // is "googleapis.com". It will not be used if TokenURL is set. Optional. UniverseDomain string // SubjectTokenProvider is an optional token provider for OIDC/SAML // credentials. One of SubjectTokenProvider, AWSSecurityCredentialProvider // or CredentialSource must be provided. Optional. SubjectTokenProvider SubjectTokenProvider // AwsSecurityCredentialsProvider is an AWS Security Credential provider // for AWS credentials. One of SubjectTokenProvider, // AWSSecurityCredentialProvider or CredentialSource must be provided. Optional. AwsSecurityCredentialsProvider AwsSecurityCredentialsProvider // Client for token request. Client *http.Client // IsDefaultClient marks whether the client passed in is a default client that can be overriden. // This is important for X509 credentials which should create a new client if the default was used // but should respect a client explicitly passed in by the user. IsDefaultClient bool }
Options stores the configuration for fetching tokens with external credentials.
type RequestOptions ¶
type RequestOptions struct { // Audience is the requested audience for the external account credential. Audience string // Subject token type is the requested subject token type for the external // account credential. Expected values include: // “urn:ietf:params:oauth:token-type:jwt” // “urn:ietf:params:oauth:token-type:id-token” // “urn:ietf:params:oauth:token-type:saml2” // “urn:ietf:params:aws:token-type:aws4_request” SubjectTokenType string }
RequestOptions contains information about the requested subject token or AWS security credentials from the Google external account credential.
type SubjectTokenProvider ¶
type SubjectTokenProvider interface { // SubjectToken should return a valid subject token or an error. // The external account token provider does not cache the returned subject // token, so caching logic should be implemented in the provider to prevent // multiple requests for the same subject token. SubjectToken(ctx context.Context, opts *RequestOptions) (string, error) }
SubjectTokenProvider can be used to supply a subject token to exchange for a GCP access token.
Click to show internal directories.
Click to hide internal directories.