Documentation
Overview
Package vmtoken implements parsing and verification of signed GCE VM metadata tokens.
See https://cloud.google.com/compute/docs/instances/verifying-instance-identity
Intended to be used from a server environment (e.g. from GAE), since it depends on a number of luci/server packages that require a properly configured context.
Index
- Constants
- func Clear(c context.Context) context.Context
- func CurrentIdentity(c context.Context) string
- func Has(c context.Context) bool
- func Hostname(c context.Context) string
- func Matches(c context.Context, host, zone, proj string) bool
- func Middleware(c *router.Context, next router.Handler)
- type Payload
Constants
const Header = "X-Luci-Gce-Vm-Token"
Header is the name of the HTTP header where the GCE VM metadata token is expected.
Variables
This section is empty.
Functions
func CurrentIdentity
CurrentIdentity returns the identity of the VM stored in the current context.
Types
type Payload
type Payload struct {
	Project  string // GCE project name, e.g. "my-bots" or "domain.com:my-bots"
	Zone     string // GCE zone name where the VM is, e.g. "us-central1-b"
	Instance string // VM instance name, e.g. "my-instance-1"
	Audience string // 'aud' field inside the token, usually the server URL
}
Payload is extracted from a verified GCE VM metadata token.
It identifies the VM that produced the token and the token's target audience (the value supplied to the GCE metadata endpoint via the 'audience' request parameter when the token was generated).
func Verify
Verify parses a GCE VM metadata token, verifies its signature and expiration time, and extracts the interesting parts of it into a Payload struct.
It does NOT verify the audience field; that is the caller's responsibility.
The token is a JWT (three dot-separated base64-encoded strings) and is expected to be signed by Google's OAuth2 backends using the RS256 algorithm.