Documentation
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
func CreateExecutableCredential
func CreateExecutableCredential(ctx context.Context, ec *ExecutableConfig, config *Config) (executableCredentialSource, error)
CreateExecutableCredential creates an executableCredentialSource given an ExecutableConfig. It also performs defaulting and type conversions.
Types
type Config
type Config struct {
	// Audience is the Secure Token Service (STS) audience which contains the resource name for the workload
	// identity pool or the workforce pool and the provider identifier in that pool.
	Audience string
	// SubjectTokenType is the STS token type based on the OAuth 2.0 token exchange spec,
	// e.g. `urn:ietf:params:oauth:token-type:jwt`.
	SubjectTokenType string
	// TokenURL is the STS token exchange endpoint.
	TokenURL string
	// TokenInfoURL is the token_info endpoint used to retrieve the account related information
	// (user attributes like account identifier, e.g. email, username, uid, etc). This is
	// needed for gCloud session account identification.
	TokenInfoURL string
	// ServiceAccountImpersonationURL is the URL for the service account impersonation request. This is only
	// required for workload identity pools when APIs to be accessed have not integrated with UberMint.
	ServiceAccountImpersonationURL string
	// ServiceAccountImpersonationLifetimeSeconds is the number of seconds the service account impersonation
	// token will be valid for.
	ServiceAccountImpersonationLifetimeSeconds int
	// ClientSecret is currently only required if the token_info endpoint also
	// needs to be called with the generated GCP access token. When provided, STS will be
	// called with additional basic authentication using client_id as username and client_secret as password.
	ClientSecret string
	// ClientID is only required in conjunction with ClientSecret, as described above.
	ClientID string
	// CredentialSource contains the necessary information to retrieve the token itself, as well
	// as some environmental information.
	CredentialSource CredentialSource
	// QuotaProjectID is injected by gCloud. If the value is non-empty, the Auth libraries
	// will set the x-goog-user-project header, which overrides the project associated with the credentials.
	QuotaProjectID string
	// Scopes contains the desired scopes for the returned access token.
	Scopes []string
	// The optional workforce pool user project number when the credential
	// corresponds to a workforce pool and not a workload identity pool.
	// The underlying principal must still have the serviceusage.services.use IAM
	// permission to use the project for billing/quota.
	WorkforcePoolUserProject string
}
Config stores the configuration for fetching tokens with external credentials.
type CredentialSource
type CredentialSource struct {
	File                        string            `json:"file"`
	URL                         string            `json:"url"`
	Headers                     map[string]string `json:"headers"`
	Executable                  *ExecutableConfig `json:"executable"`
	EnvironmentID               string            `json:"environment_id"`
	RegionURL                   string            `json:"region_url"`
	RegionalCredVerificationURL string            `json:"regional_cred_verification_url"`
	CredVerificationURL         string            `json:"cred_verification_url"`
	IMDSv2SessionTokenURL       string            `json:"imdsv2_session_token_url"`
	Format                      format            `json:"format"`
}
CredentialSource stores the information necessary to retrieve the credentials for the STS exchange. Exactly one of File, URL, and Executable should be filled, depending on the kind of credential in question. EnvironmentID should start with AWS if the source is being used for an AWS credential.
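The constraints stated above are easy to violate in a hand-written credential config, and a malformed source is better rejected before anything is sent to the STS endpoint. The following added example (not code from this package) parses a constructed config and enforces those documented invariants; the credentialSource and config types are assumed local mirrors of the fields listed on this page, using the snake_case JSON keys shown for CredentialSource.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Assumed local mirrors of the CredentialSource and Config fields documented above (not the internal types).
type credentialSource struct {
	File          string          `json:"file"`
	URL           string          `json:"url"`
	Executable    json.RawMessage `json:"executable"` // only presence is checked
	EnvironmentID string          `json:"environment_id"`
}
type config struct {
	ClientID         string           `json:"client_id"`
	ClientSecret     string           `json:"client_secret"`
	CredentialSource credentialSource `json:"credential_source"`
}

// ValidateConfigJSON enforces the documented invariants before a config reaches the STS exchange:
// exactly one of file/url/executable, environment_id starting with AWS, client_id whenever client_secret is set.
func ValidateConfigJSON(raw []byte) error {
	var c config
	if err := json.Unmarshal(raw, &c); err != nil {
		return fmt.Errorf("parse credential config: %w", err)
	}
	cs := c.CredentialSource
	n := 0
	for _, set := range []bool{cs.File != "", cs.URL != "", cs.Executable != nil} {
		if set {
			n++
		}
	}
	if n != 1 {
		return fmt.Errorf("exactly one of file, url, executable must be set (got %d)", n)
	}
	if cs.EnvironmentID != "" && !strings.HasPrefix(strings.ToUpper(cs.EnvironmentID), "AWS") {
		return fmt.Errorf("unsupported environment_id %q", cs.EnvironmentID)
	}
	if c.ClientSecret != "" && c.ClientID == "" {
		return fmt.Errorf("client_id is required when client_secret is set")
	}
	return nil
}

func main() {
	// Constructed sample: a single file-based source and no client secret, so this prints <nil>.
	fmt.Println(ValidateConfigJSON([]byte(`{"credential_source":{"file":"/run/secrets/token"}}`)))
}
```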
type ExecutableConfig
type ImpersonateTokenSource
type ImpersonateTokenSource struct {
	// Ctx is the execution context of the impersonation process
	// used to perform the http call to the URL. Required.
	Ctx context.Context
	// Ts is the source credential used to generate a token on the
	// impersonated service account. Required.
	Ts oauth2.TokenSource
	// URL is the endpoint to call to generate a token
	// on behalf of the service account. Required.
	URL string
	// Scopes that the impersonated credential should have. Required.
	Scopes []string
	// Delegates are the service account email addresses in a delegation chain.
	// Each service account must be granted roles/iam.serviceAccountTokenCreator
	// on the next service account in the chain. Optional.
	Delegates []string
	// TokenLifetimeSeconds is the number of seconds the impersonation token will
	// be valid for.
	TokenLifetimeSeconds int
}
ImpersonateTokenSource uses a source credential, stored in Ts, to request an access token to the provided URL. Scopes can be defined when the access token is requested.
func (ImpersonateTokenSource) Token
func (its ImpersonateTokenSource) Token() (*oauth2.Token, error)
Token performs the exchange to get a temporary service account token to allow access to GCP.