Documentation
Overview
Package iam implements wrappers around some Google Cloud IAM APIs.
See https://cloud.google.com/iam/docs/ for general info.
DEPRECATED: Prefer to use cloud.google.com/go/iam instead.
Index
- type ClaimSet
- type CredentialsClient
- func (cl *CredentialsClient) GenerateAccessToken(ctx context.Context, serviceAccount string, scopes []string, ...) (*oauth2.Token, error)
- func (cl *CredentialsClient) GenerateIDToken(ctx context.Context, serviceAccount string, audience string, includeEmail bool, ...) (string, error)
- func (cl *CredentialsClient) SignBlob(ctx context.Context, serviceAccount string, blob []byte) (keyName string, signature []byte, err error)
- func (cl *CredentialsClient) SignJWT(ctx context.Context, serviceAccount string, cs *ClaimSet) (keyName, signedJwt string, err error)
- type Signer
Types
type ClaimSet
type ClaimSet struct {
    Iss   string `json:"iss"`             // email address of the client_id of the application making the access token request
    Scope string `json:"scope,omitempty"` // space-delimited list of the permissions the application requests
    Aud   string `json:"aud"`             // descriptor of the intended target of the assertion (Optional).
    Exp   int64  `json:"exp"`             // the expiration time of the assertion (seconds since Unix epoch)
    Iat   int64  `json:"iat"`             // the time the assertion was issued (seconds since Unix epoch)
    Typ   string `json:"typ,omitempty"`   // token type (Optional).

    // Email for which the application is requesting delegated access (Optional).
    Sub string `json:"sub,omitempty"`
}
ClaimSet contains information about the JWT signature including the permissions being requested (scopes), the target of the token, the issuer, the time the token was issued, and the lifetime of the token.
See RFC 7515.
type CredentialsClient
type CredentialsClient struct {
    Client *http.Client // the HTTP client to use to make calls
    // contains filtered or unexported fields
}
CredentialsClient knows how to perform IAM Credentials API v1 calls.
DEPRECATED: Prefer to use cloud.google.com/go/iam/credentials/apiv1 instead if possible.
func (*CredentialsClient) GenerateAccessToken
func (cl *CredentialsClient) GenerateAccessToken(ctx context.Context, serviceAccount string, scopes []string, delegates []string, lifetime time.Duration) (*oauth2.Token, error)
GenerateAccessToken creates a service account OAuth token using IAM's :generateAccessToken API.
On non-success HTTP status codes returns googleapi.Error.
func (*CredentialsClient) GenerateIDToken
func (cl *CredentialsClient) GenerateIDToken(ctx context.Context, serviceAccount string, audience string, includeEmail bool, delegates []string) (string, error)
GenerateIDToken creates a service account OpenID Connect ID token using IAM's :generateIdToken API.
On non-success HTTP status codes returns googleapi.Error.
func (*CredentialsClient) SignBlob
func (cl *CredentialsClient) SignBlob(ctx context.Context, serviceAccount string, blob []byte) (keyName string, signature []byte, err error)
SignBlob signs a blob using a service account's system-managed key.
The caller must have "roles/iam.serviceAccountTokenCreator" role in the service account's IAM policy and caller's OAuth token must have one of the scopes:
Returns ID of the signing key and the signature on success.
On API-level errors (e.g. insufficient permissions) returns *googleapi.Error.
func (*CredentialsClient) SignJWT
func (cl *CredentialsClient) SignJWT(ctx context.Context, serviceAccount string, cs *ClaimSet) (keyName, signedJwt string, err error)
SignJWT signs a claim set using a service account's system-managed key.
It injects the key ID into the JWT header before signing. As a result, JWTs produced by SignJWT are slightly faster to verify, because we know exactly which public key to use and don't need to enumerate all active keys.
It also checks the expiration time and refuses to sign claim sets with 'exp' set to more than 12h from now. Otherwise it is similar to SignBlob.
The caller must have "roles/iam.serviceAccountTokenCreator" role in the service account's IAM policy and caller's OAuth token must have one of the scopes:
Returns ID of the signing key and the signed JWT on success.
On API-level errors (e.g. insufficient permissions) returns *googleapi.Error.
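The two behaviours described for SignJWT, as an added example that is not code from this package: a local stand-in `sign` refuses an 'exp' more than 12h ahead and writes the key ID into the header, and `verify` uses that key ID to select the public key directly. The names `claimSet`, `sign` and `verify`, the `EdDSA` header value and all sample values are assumptions, and a locally generated Ed25519 key stands in for the service account's system-managed key.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// claimSet copies three of the ClaimSet fields documented above.
type claimSet struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// sign is a local stand-in for SignJWT; assumption: an Ed25519 key replaces the IAM-managed key.
func sign(kid string, key ed25519.PrivateKey, cs claimSet, now time.Time) (string, error) {
	if time.Unix(cs.Exp, 0).After(now.Add(12 * time.Hour)) {
		return "", errors.New("exp is more than 12h from now")
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(cs)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	return input + "." + base64.RawURLEncoding.EncodeToString(ed25519.Sign(key, []byte(input))), nil
}

// verify picks the public key by the header's kid instead of trying every active key.
func verify(jwt string, keys map[string]ed25519.PublicKey) error {
	p := strings.Split(jwt, ".")
	var hdr struct{ Alg, Kid string }
	raw, err := base64.RawURLEncoding.DecodeString(p[0])
	if len(p) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "EdDSA" {
		return errors.New("malformed JWT or unsupported alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(p[2])
	if pub := keys[hdr.Kid]; err != nil || pub == nil || !ed25519.Verify(pub, []byte(p[0]+"."+p[1]), sig) {
		return errors.New("unknown kid or bad signature")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed sample key and claims
	jwt, err := sign("k1", priv, claimSet{"sa@example.com", "aud.example", time.Now().Unix() + 3600}, time.Now())
	fmt.Println(err, verify(jwt, map[string]ed25519.PublicKey{"k1": pub}))
}
```

A verifier that accepts the `kid` lookup this way must also pin the accepted `alg`, as `verify` does, so that the header cannot choose a weaker check.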
type Signer
type Signer struct {
    Client         *CredentialsClient
    ServiceAccount string
}
Signer implements SignBytes interface on top of IAM Credentials client.
It signs blobs using some service account's private key via 'signBlob' IAM call.