iamcredentials

package
v0.207.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 19, 2024 License: BSD-3-Clause Imports: 16 Imported by: 60

Documentation

Overview

Package iamcredentials provides access to the IAM Service Account Credentials API.

For product documentation, see: https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials

Library status

These client libraries are officially supported by Google. However, this library is considered complete and is in maintenance mode. This means that we will address critical bugs and security issues but will not add any new features.

When possible, we recommend using our newer [Cloud Client Libraries for Go](https://pkg.go.dev/cloud.google.com/go) that are still actively being worked and iterated on.

Creating a client

Usage example: 

import "google.golang.org/api/iamcredentials/v1"
...
ctx := context.Background()
iamcredentialsService, err := iamcredentials.NewService(ctx)

In this example, Google Application Default Credentials are used for authentication. For information on how to create and obtain Application Default Credentials, see https://developers.google.com/identity/protocols/application-default-credentials.

Other authentication options

To use an API key for authentication (note: some APIs do not support API keys), use google.golang.org/api/option.WithAPIKey: 

iamcredentialsService, err := iamcredentials.NewService(ctx, option.WithAPIKey("AIza..."))

To use an OAuth token (e.g., a user token obtained via a three-legged OAuth flow, use google.golang.org/api/option.WithTokenSource: 

config := &oauth2.Config{...}
// ...
token, err := config.Exchange(ctx, ...)
iamcredentialsService, err := iamcredentials.NewService(ctx, option.WithTokenSource(config.TokenSource(ctx, token)))

See google.golang.org/api/option.ClientOption for details on options.

Index

Constants

View Source 
const (
	// See, edit, configure, and delete your Google Cloud data and see the email
	// address for your Google Account.
	CloudPlatformScope = "https://www.googleapis.com/auth/cloud-platform"
)

OAuth2 scopes used by this API.

Variables

This section is empty.

Functions

This section is empty.

Types

type GenerateAccessTokenRequest 

type GenerateAccessTokenRequest struct {
	// Delegates: The sequence of service accounts in a delegation chain. This
	// field is required for delegated requests
	// (https://cloud.google.com/iam/help/credentials/delegated-request). For
	// direct requests
	// (https://cloud.google.com/iam/help/credentials/direct-request), which are
	// more common, do not specify this field. Each service account must be granted
	// the `roles/iam.serviceAccountTokenCreator` role on its next service account
	// in the chain. The last service account in the chain must be granted the
	// `roles/iam.serviceAccountTokenCreator` role on the service account that is
	// specified in the `name` field of the request. The delegates must have the
	// following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
	// The `-` wildcard character is required; replacing it with a project ID is
	// invalid.
	Delegates []string `json:"delegates,omitempty"`
	// Lifetime: The desired lifetime duration of the access token in seconds. By
	// default, the maximum allowed value is 1 hour. To set a lifetime of up to 12
	// hours, you can add the service account as an allowed value in an
	// Organization Policy that enforces the
	// `constraints/iam.allowServiceAccountCredentialLifetimeExtension` constraint.
	// See detailed instructions at
	// https://cloud.google.com/iam/help/credentials/lifetime If a value is not
	// specified, the token's lifetime will be set to a default value of 1 hour.
	Lifetime string `json:"lifetime,omitempty"`
	// Scope: Required. Code to identify the scopes to be included in the OAuth 2.0
	// access token. See
	// https://developers.google.com/identity/protocols/googlescopes for more
	// information. At least one value required.
	Scope []string `json:"scope,omitempty"`
	// ForceSendFields is a list of field names (e.g. "Delegates") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "Delegates") to include in API
	// requests with the JSON null value. By default, fields with empty values are
	// omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}

func (GenerateAccessTokenRequest) MarshalJSON 

func (s GenerateAccessTokenRequest) MarshalJSON() ([]byte, error)

type GenerateAccessTokenResponse 

type GenerateAccessTokenResponse struct {
	// AccessToken: The OAuth 2.0 access token.
	AccessToken string `json:"accessToken,omitempty"`
	// ExpireTime: Token expiration time. The expiration time is always set.
	ExpireTime string `json:"expireTime,omitempty"`

	// ServerResponse contains the HTTP response code and headers from the server.
	googleapi.ServerResponse `json:"-"`
	// ForceSendFields is a list of field names (e.g. "AccessToken") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "AccessToken") to include in API
	// requests with the JSON null value. By default, fields with empty values are
	// omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}

func (GenerateAccessTokenResponse) MarshalJSON 

func (s GenerateAccessTokenResponse) MarshalJSON() ([]byte, error)

type GenerateIdTokenRequest 

type GenerateIdTokenRequest struct {
	// Audience: Required. The audience for the token, such as the API or account
	// that this token grants access to.
	Audience string `json:"audience,omitempty"`
	// Delegates: The sequence of service accounts in a delegation chain. Each
	// service account must be granted the `roles/iam.serviceAccountTokenCreator`
	// role on its next service account in the chain. The last service account in
	// the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on
	// the service account that is specified in the `name` field of the request.
	// The delegates must have the following format:
	// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
	// character is required; replacing it with a project ID is invalid.
	Delegates []string `json:"delegates,omitempty"`
	// IncludeEmail: Include the service account email in the token. If set to
	// `true`, the token will contain `email` and `email_verified` claims.
	IncludeEmail bool `json:"includeEmail,omitempty"`
	// ForceSendFields is a list of field names (e.g. "Audience") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "Audience") to include in API
	// requests with the JSON null value. By default, fields with empty values are
	// omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}

func (GenerateIdTokenRequest) MarshalJSON 

func (s GenerateIdTokenRequest) MarshalJSON() ([]byte, error)

type GenerateIdTokenResponse 

type GenerateIdTokenResponse struct {
	// Token: The OpenId Connect ID token.
	Token string `json:"token,omitempty"`

	// ServerResponse contains the HTTP response code and headers from the server.
	googleapi.ServerResponse `json:"-"`
	// ForceSendFields is a list of field names (e.g. "Token") to unconditionally
	// include in API requests. By default, fields with empty or default values are
	// omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "Token") to include in API
	// requests with the JSON null value. By default, fields with empty values are
	// omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}

func (GenerateIdTokenResponse) MarshalJSON 

func (s GenerateIdTokenResponse) MarshalJSON() ([]byte, error)

type ProjectsService 

type ProjectsService struct {
	ServiceAccounts *ProjectsServiceAccountsService
	// contains filtered or unexported fields
}

func NewProjectsService 

func NewProjectsService(s *Service) *ProjectsService

type ProjectsServiceAccountsGenerateAccessTokenCall 

type ProjectsServiceAccountsGenerateAccessTokenCall struct {
	// contains filtered or unexported fields
}

func (*ProjectsServiceAccountsGenerateAccessTokenCall) Context 

func (c *ProjectsServiceAccountsGenerateAccessTokenCall) Context(ctx context.Context) *ProjectsServiceAccountsGenerateAccessTokenCall

Context sets the context to be used in this call's Do method.

func (*ProjectsServiceAccountsGenerateAccessTokenCall) Do 

func (c *ProjectsServiceAccountsGenerateAccessTokenCall) Do(opts ...googleapi.CallOption) (*GenerateAccessTokenResponse, error)

Do executes the "iamcredentials.projects.serviceAccounts.generateAccessToken" call. Any non-2xx status code is an error. Response headers are in either *GenerateAccessTokenResponse.ServerResponse.Header or (if a response was returned at all) in error.(*googleapi.Error).Header. Use googleapi.IsNotModified to check whether the returned error was because http.StatusNotModified was returned.

func (*ProjectsServiceAccountsGenerateAccessTokenCall) Fields 

func (c *ProjectsServiceAccountsGenerateAccessTokenCall) Fields(s ...googleapi.Field) *ProjectsServiceAccountsGenerateAccessTokenCall

Fields allows partial responses to be retrieved. See https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more details.

func (*ProjectsServiceAccountsGenerateAccessTokenCall) Header 

func (c *ProjectsServiceAccountsGenerateAccessTokenCall) Header() http.Header

Header returns a http.Header that can be modified by the caller to add headers to the request.

type ProjectsServiceAccountsGenerateIdTokenCall 

type ProjectsServiceAccountsGenerateIdTokenCall struct {
	// contains filtered or unexported fields
}

func (*ProjectsServiceAccountsGenerateIdTokenCall) Context 

func (c *ProjectsServiceAccountsGenerateIdTokenCall) Context(ctx context.Context) *ProjectsServiceAccountsGenerateIdTokenCall

Context sets the context to be used in this call's Do method.

func (*ProjectsServiceAccountsGenerateIdTokenCall) Do 

func (c *ProjectsServiceAccountsGenerateIdTokenCall) Do(opts ...googleapi.CallOption) (*GenerateIdTokenResponse, error)

Do executes the "iamcredentials.projects.serviceAccounts.generateIdToken" call. Any non-2xx status code is an error. Response headers are in either *GenerateIdTokenResponse.ServerResponse.Header or (if a response was returned at all) in error.(*googleapi.Error).Header. Use googleapi.IsNotModified to check whether the returned error was because http.StatusNotModified was returned.

func (*ProjectsServiceAccountsGenerateIdTokenCall) Fields 

func (c *ProjectsServiceAccountsGenerateIdTokenCall) Fields(s ...googleapi.Field) *ProjectsServiceAccountsGenerateIdTokenCall

Fields allows partial responses to be retrieved. See https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more details.

func (*ProjectsServiceAccountsGenerateIdTokenCall) Header 

func (c *ProjectsServiceAccountsGenerateIdTokenCall) Header() http.Header

Header returns a http.Header that can be modified by the caller to add headers to the request.

type ProjectsServiceAccountsGetAllowedLocationsCall added in v0.204.0 

type ProjectsServiceAccountsGetAllowedLocationsCall struct {
	// contains filtered or unexported fields
}

func (*ProjectsServiceAccountsGetAllowedLocationsCall) Context added in v0.204.0 

func (c *ProjectsServiceAccountsGetAllowedLocationsCall) Context(ctx context.Context) *ProjectsServiceAccountsGetAllowedLocationsCall

Context sets the context to be used in this call's Do method.

func (*ProjectsServiceAccountsGetAllowedLocationsCall) Do added in v0.204.0 

func (c *ProjectsServiceAccountsGetAllowedLocationsCall) Do(opts ...googleapi.CallOption) (*ServiceAccountAllowedLocations, error)

Do executes the "iamcredentials.projects.serviceAccounts.getAllowedLocations" call. Any non-2xx status code is an error. Response headers are in either *ServiceAccountAllowedLocations.ServerResponse.Header or (if a response was returned at all) in error.(*googleapi.Error).Header. Use googleapi.IsNotModified to check whether the returned error was because http.StatusNotModified was returned.

func (*ProjectsServiceAccountsGetAllowedLocationsCall) Fields added in v0.204.0 

func (c *ProjectsServiceAccountsGetAllowedLocationsCall) Fields(s ...googleapi.Field) *ProjectsServiceAccountsGetAllowedLocationsCall

Fields allows partial responses to be retrieved. See https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more details.

func (*ProjectsServiceAccountsGetAllowedLocationsCall) Header added in v0.204.0 

func (c *ProjectsServiceAccountsGetAllowedLocationsCall) Header() http.Header

Header returns a http.Header that can be modified by the caller to add headers to the request.

func (*ProjectsServiceAccountsGetAllowedLocationsCall) IfNoneMatch added in v0.204.0 

func (c *ProjectsServiceAccountsGetAllowedLocationsCall) IfNoneMatch(entityTag string) *ProjectsServiceAccountsGetAllowedLocationsCall

IfNoneMatch sets an optional parameter which makes the operation fail if the object's ETag matches the given value. This is useful for getting updates only after the object has changed since the last request.

type ProjectsServiceAccountsService 

type ProjectsServiceAccountsService struct {
	// contains filtered or unexported fields
}

func NewProjectsServiceAccountsService 

func NewProjectsServiceAccountsService(s *Service) *ProjectsServiceAccountsService

func (*ProjectsServiceAccountsService) GenerateAccessToken 

func (r *ProjectsServiceAccountsService) GenerateAccessToken(name string, generateaccesstokenrequest *GenerateAccessTokenRequest) *ProjectsServiceAccountsGenerateAccessTokenCall

GenerateAccessToken: Generates an OAuth 2.0 access token for a service account.

  • name: The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.

func (*ProjectsServiceAccountsService) GenerateIdToken 

func (r *ProjectsServiceAccountsService) GenerateIdToken(name string, generateidtokenrequest *GenerateIdTokenRequest) *ProjectsServiceAccountsGenerateIdTokenCall

GenerateIdToken: Generates an OpenID Connect ID token for a service account.

  • name: The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.

func (*ProjectsServiceAccountsService) GetAllowedLocations added in v0.204.0 

func (r *ProjectsServiceAccountsService) GetAllowedLocations(name string) *ProjectsServiceAccountsGetAllowedLocationsCall

GetAllowedLocations: Returns the trust boundary info for a given service account.

- name: Resource name of service account.

func (*ProjectsServiceAccountsService) SignBlob 

func (r *ProjectsServiceAccountsService) SignBlob(name string, signblobrequest *SignBlobRequest) *ProjectsServiceAccountsSignBlobCall

SignBlob: Signs a blob using a service account's system-managed private key.

  • name: The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.

func (*ProjectsServiceAccountsService) SignJwt 

func (r *ProjectsServiceAccountsService) SignJwt(name string, signjwtrequest *SignJwtRequest) *ProjectsServiceAccountsSignJwtCall

SignJwt: Signs a JWT using a service account's system-managed private key.

  • name: The resource name of the service account for which the credentials are requested, in the following format: `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard character is required; replacing it with a project ID is invalid.

type ProjectsServiceAccountsSignBlobCall 

type ProjectsServiceAccountsSignBlobCall struct {
	// contains filtered or unexported fields
}

func (*ProjectsServiceAccountsSignBlobCall) Context 

func (c *ProjectsServiceAccountsSignBlobCall) Context(ctx context.Context) *ProjectsServiceAccountsSignBlobCall

Context sets the context to be used in this call's Do method.

func (*ProjectsServiceAccountsSignBlobCall) Do 

func (c *ProjectsServiceAccountsSignBlobCall) Do(opts ...googleapi.CallOption) (*SignBlobResponse, error)

Do executes the "iamcredentials.projects.serviceAccounts.signBlob" call. Any non-2xx status code is an error. Response headers are in either *SignBlobResponse.ServerResponse.Header or (if a response was returned at all) in error.(*googleapi.Error).Header. Use googleapi.IsNotModified to check whether the returned error was because http.StatusNotModified was returned.

func (*ProjectsServiceAccountsSignBlobCall) Fields 

func (c *ProjectsServiceAccountsSignBlobCall) Fields(s ...googleapi.Field) *ProjectsServiceAccountsSignBlobCall

Fields allows partial responses to be retrieved. See https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more details.

func (*ProjectsServiceAccountsSignBlobCall) Header 

func (c *ProjectsServiceAccountsSignBlobCall) Header() http.Header

Header returns a http.Header that can be modified by the caller to add headers to the request.

type ProjectsServiceAccountsSignJwtCall 

type ProjectsServiceAccountsSignJwtCall struct {
	// contains filtered or unexported fields
}

func (*ProjectsServiceAccountsSignJwtCall) Context 

func (c *ProjectsServiceAccountsSignJwtCall) Context(ctx context.Context) *ProjectsServiceAccountsSignJwtCall

Context sets the context to be used in this call's Do method.

func (*ProjectsServiceAccountsSignJwtCall) Do 

func (c *ProjectsServiceAccountsSignJwtCall) Do(opts ...googleapi.CallOption) (*SignJwtResponse, error)

Do executes the "iamcredentials.projects.serviceAccounts.signJwt" call. Any non-2xx status code is an error. Response headers are in either *SignJwtResponse.ServerResponse.Header or (if a response was returned at all) in error.(*googleapi.Error).Header. Use googleapi.IsNotModified to check whether the returned error was because http.StatusNotModified was returned.

func (*ProjectsServiceAccountsSignJwtCall) Fields 

func (c *ProjectsServiceAccountsSignJwtCall) Fields(s ...googleapi.Field) *ProjectsServiceAccountsSignJwtCall

Fields allows partial responses to be retrieved. See https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more details.

func (*ProjectsServiceAccountsSignJwtCall) Header 

func (c *ProjectsServiceAccountsSignJwtCall) Header() http.Header

Header returns a http.Header that can be modified by the caller to add headers to the request.

type Service 

type Service struct {
	BasePath  string // API endpoint base URL
	UserAgent string // optional additional User-Agent fragment

	Projects *ProjectsService
	// contains filtered or unexported fields
}

func New deprecated 

func New(client *http.Client) (*Service, error)

New creates a new Service. It uses the provided http.Client for requests.

Deprecated: please use NewService instead. To provide a custom HTTP client, use option.WithHTTPClient. If you are using google.golang.org/api/googleapis/transport.APIKey, use option.WithAPIKey with NewService instead.

func NewService added in v0.3.0 

func NewService(ctx context.Context, opts ...option.ClientOption) (*Service, error)

NewService creates a new Service.

type ServiceAccountAllowedLocations added in v0.204.0 

type ServiceAccountAllowedLocations struct {
	// EncodedLocations: Output only. The hex encoded bitmap of the trust boundary
	// locations
	EncodedLocations string `json:"encodedLocations,omitempty"`
	// Locations: Output only. The human readable trust boundary locations. For
	// example, ["us-central1", "europe-west1"]
	Locations []string `json:"locations,omitempty"`

	// ServerResponse contains the HTTP response code and headers from the server.
	googleapi.ServerResponse `json:"-"`
	// ForceSendFields is a list of field names (e.g. "EncodedLocations") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "EncodedLocations") to include in
	// API requests with the JSON null value. By default, fields with empty values
	// are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}

ServiceAccountAllowedLocations: Represents a list of allowed locations for given service account.

func (ServiceAccountAllowedLocations) MarshalJSON added in v0.204.0 

func (s ServiceAccountAllowedLocations) MarshalJSON() ([]byte, error)

type SignBlobRequest 

type SignBlobRequest struct {
	// Delegates: The sequence of service accounts in a delegation chain. Each
	// service account must be granted the `roles/iam.serviceAccountTokenCreator`
	// role on its next service account in the chain. The last service account in
	// the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on
	// the service account that is specified in the `name` field of the request.
	// The delegates must have the following format:
	// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
	// character is required; replacing it with a project ID is invalid.
	Delegates []string `json:"delegates,omitempty"`
	// Payload: Required. The bytes to sign.
	Payload string `json:"payload,omitempty"`
	// ForceSendFields is a list of field names (e.g. "Delegates") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "Delegates") to include in API
	// requests with the JSON null value. By default, fields with empty values are
	// omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}

func (SignBlobRequest) MarshalJSON 

func (s SignBlobRequest) MarshalJSON() ([]byte, error)

type SignBlobResponse 

type SignBlobResponse struct {
	// KeyId: The ID of the key used to sign the blob. The key used for signing
	// will remain valid for at least 12 hours after the blob is signed. To verify
	// the signature, you can retrieve the public key in several formats from the
	// following endpoints: - RSA public key wrapped in an X.509 v3 certificate:
	// `https://www.googleapis.com/service_accounts/v1/metadata/x509/{ACCOUNT_EMAIL}
	// ` - Raw key in JSON format:
	// `https://www.googleapis.com/service_accounts/v1/metadata/raw/{ACCOUNT_EMAIL}`
	//  - JSON Web Key (JWK):
	// `https://www.googleapis.com/service_accounts/v1/metadata/jwk/{ACCOUNT_EMAIL}`
	KeyId string `json:"keyId,omitempty"`
	// SignedBlob: The signature for the blob. Does not include the original blob.
	// After the key pair referenced by the `key_id` response field expires, Google
	// no longer exposes the public key that can be used to verify the blob. As a
	// result, the receiver can no longer verify the signature.
	SignedBlob string `json:"signedBlob,omitempty"`

	// ServerResponse contains the HTTP response code and headers from the server.
	googleapi.ServerResponse `json:"-"`
	// ForceSendFields is a list of field names (e.g. "KeyId") to unconditionally
	// include in API requests. By default, fields with empty or default values are
	// omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "KeyId") to include in API
	// requests with the JSON null value. By default, fields with empty values are
	// omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}

func (SignBlobResponse) MarshalJSON 

func (s SignBlobResponse) MarshalJSON() ([]byte, error)

type SignJwtRequest 

type SignJwtRequest struct {
	// Delegates: The sequence of service accounts in a delegation chain. Each
	// service account must be granted the `roles/iam.serviceAccountTokenCreator`
	// role on its next service account in the chain. The last service account in
	// the chain must be granted the `roles/iam.serviceAccountTokenCreator` role on
	// the service account that is specified in the `name` field of the request.
	// The delegates must have the following format:
	// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
	// character is required; replacing it with a project ID is invalid.
	Delegates []string `json:"delegates,omitempty"`
	// Payload: Required. The JWT payload to sign. Must be a serialized JSON object
	// that contains a JWT Claims Set. For example: `{"sub": "user@example.com",
	// "iat": 313435}` If the JWT Claims Set contains an expiration time (`exp`)
	// claim, it must be an integer timestamp that is not in the past and no more
	// than 12 hours in the future.
	Payload string `json:"payload,omitempty"`
	// ForceSendFields is a list of field names (e.g. "Delegates") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "Delegates") to include in API
	// requests with the JSON null value. By default, fields with empty values are
	// omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}

func (SignJwtRequest) MarshalJSON 

func (s SignJwtRequest) MarshalJSON() ([]byte, error)

type SignJwtResponse 

type SignJwtResponse struct {
	// KeyId: The ID of the key used to sign the JWT. The key used for signing will
	// remain valid for at least 12 hours after the JWT is signed. To verify the
	// signature, you can retrieve the public key in several formats from the
	// following endpoints: - RSA public key wrapped in an X.509 v3 certificate:
	// `https://www.googleapis.com/service_accounts/v1/metadata/x509/{ACCOUNT_EMAIL}
	// ` - Raw key in JSON format:
	// `https://www.googleapis.com/service_accounts/v1/metadata/raw/{ACCOUNT_EMAIL}`
	//  - JSON Web Key (JWK):
	// `https://www.googleapis.com/service_accounts/v1/metadata/jwk/{ACCOUNT_EMAIL}`
	KeyId string `json:"keyId,omitempty"`
	// SignedJwt: The signed JWT. Contains the automatically generated header; the
	// client-supplied payload; and the signature, which is generated using the key
	// referenced by the `kid` field in the header. After the key pair referenced
	// by the `key_id` response field expires, Google no longer exposes the public
	// key that can be used to verify the JWT. As a result, the receiver can no
	// longer verify the signature.
	SignedJwt string `json:"signedJwt,omitempty"`

	// ServerResponse contains the HTTP response code and headers from the server.
	googleapi.ServerResponse `json:"-"`
	// ForceSendFields is a list of field names (e.g. "KeyId") to unconditionally
	// include in API requests. By default, fields with empty or default values are
	// omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "KeyId") to include in API
	// requests with the JSON null value. By default, fields with empty values are
	// omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}

func (SignJwtResponse) MarshalJSON 

func (s SignJwtResponse) MarshalJSON() ([]byte, error)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.