Documentation ¶
Overview ¶
Package google provides support for making OAuth2 authorized and authenticated HTTP requests to Google APIs. It supports the Web server flow, client-side credentials, service accounts, Google Compute Engine service accounts, Google App Engine service accounts and workload identity federation from non-Google cloud platforms.
A brief overview of the package follows. For more information, please read https://developers.google.com/accounts/docs/OAuth2 and https://developers.google.com/accounts/docs/application-default-credentials. For more information on using workload identity federation, refer to https://cloud.google.com/iam/docs/how-to#using-workload-identity-federation.
OAuth2 Configs ¶
Two functions in this package return github.com/federicobozzini/oauth2.Config values from Google credential data. Google supports two JSON formats for OAuth2 credentials: one is handled by ConfigFromJSON, the other by JWTConfigFromJSON. The returned Config can be used to obtain a TokenSource or create an http.Client.
Workload Identity Federation ¶
Using workload identity federation, your application can access Google Cloud resources from Amazon Web Services (AWS), Microsoft Azure or any identity provider that supports OpenID Connect (OIDC). Traditionally, applications running outside Google Cloud have used service account keys to access Google Cloud resources. Using identity federation, you can allow your workload to impersonate a service account. This lets you access Google Cloud resources directly, eliminating the maintenance and security burden associated with service account keys.
Follow the detailed instructions on how to configure Workload Identity Federation in various platforms:
Amazon Web Services (AWS): https://cloud.google.com/iam/docs/access-resources-aws Microsoft Azure: https://cloud.google.com/iam/docs/access-resources-azure OIDC identity provider: https://cloud.google.com/iam/docs/access-resources-oidc
For OIDC providers, the library can retrieve OIDC tokens either from a local file location (file-sourced credentials) or from a local server (URL-sourced credentials). For file-sourced credentials, a background process needs to be continuously refreshing the file location with a new OIDC token prior to expiration. For tokens with one hour lifetimes, the token needs to be updated in the file every hour. The token can be stored directly as plain text or in JSON format. For URL-sourced credentials, a local server needs to host a GET endpoint to return the OIDC token. The response can be in plain text or JSON. Additional required request headers can also be specified.
Credentials ¶
The Credentials type represents Google credentials, including Application Default Credentials.
Use FindDefaultCredentials to obtain Application Default Credentials. FindDefaultCredentials looks in some well-known places for a credentials file, and will call AppEngineTokenSource or ComputeTokenSource as needed.
Application Default Credentials also support workload identity federation to access Google Cloud resources from non-Google Cloud platforms including Amazon Web Services (AWS), Microsoft Azure or any identity provider that supports OpenID Connect (OIDC). Workload identity federation is recommended for non-Google Cloud environments as it avoids the need to download, manage and store service account private keys locally.
DefaultClient and DefaultTokenSource are convenience methods. They first call FindDefaultCredentials, then use the credentials to construct an http.Client or an oauth2.TokenSource.
Use CredentialsFromJSON to obtain credentials from either of the two JSON formats described in OAuth2 Configs, above. The TokenSource in the returned value is the same as the one obtained from the oauth2.Config returned from ConfigFromJSON or JWTConfigFromJSON, but the Credentials may contain additional information that is useful is some circumstances.
Index ¶
- Constants
- Variables
- func AppEngineTokenSource(ctx context.Context, scope ...string) oauth2.TokenSource
- func ComputeTokenSource(account string, scope ...string) oauth2.TokenSource
- func ConfigFromJSON(jsonKey []byte, scope ...string) (*oauth2.Config, error)
- func DefaultClient(ctx context.Context, scope ...string) (*http.Client, error)
- func DefaultTokenSource(ctx context.Context, scope ...string) (oauth2.TokenSource, error)
- func JWTAccessTokenSourceFromJSON(jsonKey []byte, audience string) (oauth2.TokenSource, error)
- func JWTConfigFromJSON(jsonKey []byte, scope ...string) (*jwt.Config, error)
- type Credentials
- type DefaultCredentialsdeprecated
- type SDKConfig
Examples ¶
Constants ¶
const JWTTokenURL = "https://oauth2.googleapis.com/token"
JWTTokenURL is Google's OAuth 2.0 token URL to use with the JWT flow.
Variables ¶
var Endpoint = oauth2.Endpoint{ AuthURL: "https://accounts.google.com/o/oauth2/auth", TokenURL: "https://oauth2.googleapis.com/token", AuthStyle: oauth2.AuthStyleInParams, }
Endpoint is Google's OAuth 2.0 endpoint.
Functions ¶
func AppEngineTokenSource ¶
func AppEngineTokenSource(ctx context.Context, scope ...string) oauth2.TokenSource
AppEngineTokenSource returns a token source that fetches tokens from either the current application's service account or from the metadata server, depending on the App Engine environment. See below for environment-specific details. If you are implementing a 3-legged OAuth 2.0 flow on App Engine that involves user accounts, see oauth2.Config instead.
First generation App Engine runtimes (<= Go 1.9): AppEngineTokenSource returns a token source that fetches tokens issued to the current App Engine application's service account. The provided context must have come from appengine.NewContext.
Second generation App Engine runtimes (>= Go 1.11) and App Engine flexible: AppEngineTokenSource is DEPRECATED on second generation runtimes and on the flexible environment. It delegates to ComputeTokenSource, and the provided context and scopes are not used. Please use DefaultTokenSource (or ComputeTokenSource, which DefaultTokenSource will use in this case) instead.
func ComputeTokenSource ¶
func ComputeTokenSource(account string, scope ...string) oauth2.TokenSource
ComputeTokenSource returns a token source that fetches access tokens from Google Compute Engine (GCE)'s metadata server. It's only valid to use this token source if your program is running on a GCE instance. If no account is specified, "default" is used. If no scopes are specified, a set of default scopes are automatically granted. Further information about retrieving access tokens from the GCE metadata server can be found at https://cloud.google.com/compute/docs/authentication.
func ConfigFromJSON ¶
ConfigFromJSON uses a Google Developers Console client_credentials.json file to construct a config. client_credentials.json can be downloaded from https://console.developers.google.com, under "Credentials". Download the Web application credentials in the JSON format and provide the contents of the file as jsonKey.
func DefaultClient ¶
DefaultClient returns an HTTP Client that uses the DefaultTokenSource to obtain authentication credentials.
func DefaultTokenSource ¶
DefaultTokenSource returns the token source for "Application Default Credentials". It is a shortcut for FindDefaultCredentials(ctx, scope).TokenSource.
func JWTAccessTokenSourceFromJSON ¶
func JWTAccessTokenSourceFromJSON(jsonKey []byte, audience string) (oauth2.TokenSource, error)
JWTAccessTokenSourceFromJSON uses a Google Developers service account JSON key file to read the credentials that authorize and authenticate the requests, and returns a TokenSource that does not use any OAuth2 flow but instead creates a JWT and sends that as the access token. The audience is typically a URL that specifies the scope of the credentials.
Note that this is not a standard OAuth flow, but rather an optimization supported by a few Google services. Unless you know otherwise, you should use JWTConfigFromJSON instead.
func JWTConfigFromJSON ¶
JWTConfigFromJSON uses a Google Developers service account JSON key file to read the credentials that authorize and authenticate the requests. Create a service account on "Credentials" for your project at https://console.developers.google.com to download a JSON key file.
Types ¶
type Credentials ¶
type Credentials struct { ProjectID string // may be empty TokenSource oauth2.TokenSource // JSON contains the raw bytes from a JSON credentials file. // This field may be nil if authentication is provided by the // environment and not with a credentials file, e.g. when code is // running on Google Cloud Platform. JSON []byte }
Credentials holds Google credentials, including "Application Default Credentials". For more details, see: https://developers.google.com/accounts/docs/application-default-credentials Credentials from external accounts (workload identity federation) are used to identify a particular application from an on-prem or non-Google Cloud platform including Amazon Web Services (AWS), Microsoft Azure or any identity provider that supports OpenID Connect (OIDC).
func CredentialsFromJSON ¶
func CredentialsFromJSON(ctx context.Context, jsonData []byte, scopes ...string) (*Credentials, error)
CredentialsFromJSON obtains Google credentials from a JSON value. The JSON can represent either a Google Developers Console client_credentials.json file (as in ConfigFromJSON), a Google Developers service account key file (as in JWTConfigFromJSON) or the JSON configuration file for workload identity federation in non-Google cloud platforms (see https://cloud.google.com/iam/docs/how-to#using-workload-identity-federation).
func FindDefaultCredentials ¶
func FindDefaultCredentials(ctx context.Context, scopes ...string) (*Credentials, error)
FindDefaultCredentials searches for "Application Default Credentials".
It looks for credentials in the following places, preferring the first location found:
- A JSON file whose path is specified by the GOOGLE_APPLICATION_CREDENTIALS environment variable. For workload identity federation, refer to https://cloud.google.com/iam/docs/how-to#using-workload-identity-federation on how to generate the JSON configuration file for on-prem/non-Google cloud platforms.
- A JSON file in a location known to the gcloud command-line tool. On Windows, this is %APPDATA%/gcloud/application_default_credentials.json. On other systems, $HOME/.config/gcloud/application_default_credentials.json.
- On Google App Engine standard first generation runtimes (<= Go 1.9) it uses the appengine.AccessToken function.
- On Google Compute Engine, Google App Engine standard second generation runtimes (>= Go 1.11), and Google App Engine flexible environment, it fetches credentials from the metadata server.
type DefaultCredentials
deprecated
type DefaultCredentials = Credentials
DefaultCredentials is the old name of Credentials.
Deprecated: use Credentials instead.
type SDKConfig ¶
type SDKConfig struct {
// contains filtered or unexported fields
}
An SDKConfig provides access to tokens from an account already authorized via the Google Cloud SDK.
func NewSDKConfig ¶
NewSDKConfig creates an SDKConfig for the given Google Cloud SDK account. If account is empty, the account currently active in Google Cloud SDK properties is used. Google Cloud SDK credentials must be created by running `gcloud auth` before using this function. The Google Cloud SDK is available at https://cloud.google.com/sdk/.
func (*SDKConfig) Client ¶
Client returns an HTTP client using Google Cloud SDK credentials to authorize requests. The token will auto-refresh as necessary. The underlying http.RoundTripper will be obtained using the provided context. The returned client and its Transport should not be modified.
func (*SDKConfig) TokenSource ¶
func (c *SDKConfig) TokenSource(ctx context.Context) oauth2.TokenSource
TokenSource returns an oauth2.TokenSource that retrieve tokens from Google Cloud SDK credentials using the provided context. It will returns the current access token stored in the credentials, and refresh it when it expires, but it won't update the credentials with the new access token.