Documentation
¶
Overview ¶
Package sts provides access to the Security Token Service API.
For product documentation, see: http://cloud.google.com/iam/docs/workload-identity-federation
Creating a client ¶
Usage example:
import "google.golang.org/api/sts/v1beta" ... ctx := context.Background() stsService, err := sts.NewService(ctx)
In this example, Google Application Default Credentials are used for authentication.
For information on how to create and obtain Application Default Credentials, see https://developers.google.com/identity/protocols/application-default-credentials.
Other authentication options ¶
To use an API key for authentication (note: some APIs do not support API keys), use option.WithAPIKey:
stsService, err := sts.NewService(ctx, option.WithAPIKey("AIza..."))
To use an OAuth token (e.g., a user token obtained via a three-legged OAuth flow), use option.WithTokenSource:
config := &oauth2.Config{...}
// ...
token, err := config.Exchange(ctx, ...)
stsService, err := sts.NewService(ctx, option.WithTokenSource(config.TokenSource(ctx, token)))
See https://godoc.org/google.golang.org/api/option/ for details on options.
Index ¶
- type GoogleIdentityStsV1betaExchangeTokenRequest
- type GoogleIdentityStsV1betaExchangeTokenResponse
- type Service
- type V1betaService
- type V1betaTokenCall
- func (c *V1betaTokenCall) Context(ctx context.Context) *V1betaTokenCall
- func (c *V1betaTokenCall) Do(opts ...googleapi.CallOption) (*GoogleIdentityStsV1betaExchangeTokenResponse, error)
- func (c *V1betaTokenCall) Fields(s ...googleapi.Field) *V1betaTokenCall
- func (c *V1betaTokenCall) Header() http.Header
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type GoogleIdentityStsV1betaExchangeTokenRequest ¶
type GoogleIdentityStsV1betaExchangeTokenRequest struct {
// Audience: The full resource name of the identity provider; for
// example:
// `https://iam.googleapis.com/projects/{PROJECT_ID}/workloadIdentityPool
// s/{POOL_ID}/providers/{PROVIDER_ID}`. Required when exchanging an
// external credential for a Google access token.
Audience string `json:"audience,omitempty"`
// GrantType: Required. The grant type. Must be
// `urn:ietf:params:oauth:grant-type:token-exchange`, which indicates a
// token exchange is requested.
GrantType string `json:"grantType,omitempty"`
// Options: A set of features that Security Token Service supports, in
// addition to the standard OAuth 2.0 token exchange, formatted as a
// serialized JSON object of Options.
Options string `json:"options,omitempty"`
// RequestedTokenType: Required. An identifier for the type of requested
// security token. Must be
// `urn:ietf:params:oauth:token-type:access_token`.
RequestedTokenType string `json:"requestedTokenType,omitempty"`
// Scope: The OAuth 2.0 scopes to include on the resulting access token,
// formatted as a list of space-delimited, case-sensitive strings.
// Required when exchanging an external credential for a Google access
// token.
Scope string `json:"scope,omitempty"`
// SubjectToken: Required. The input token. This is a either an external
// credential issued by a WorkloadIdentityPoolProvider, or a short-lived
// access token issued by Google. If the token is an OIDC JWT, it must
// use the JWT format defined in [RFC
// 7523](https://tools.ietf.org/html/rfc7523), and `subject_token_type`
// must be `urn:ietf:params:oauth:token-type:jwt`. The following headers
// are required: - **`kid`**: The identifier of the signing key securing
// the JWT. - **`alg`**: The cryptographic algorithm securing the JWT.
// Must be `RS256`. The following payload fields are required. For more
// information, see [RFC 7523, Section
// 3](https://tools.ietf.org/html/rfc7523#section-3). - **`iss`**: The
// issuer of the token. The issuer must provide a discovery document at
// `/.well-known/openid-configuration`, formatted according to section
// 4.2 of the [OIDC 1.0 Discovery
// specification](https://openid.net/specs/openid-connect-discovery-1_0.h
// tml#ProviderConfigurationResponse). - **`iat`**: The issue time, in
// seconds, since epoch. Must be in the past. - **`exp`**: The
// expiration time, in seconds, since epoch. Must be fewer than 48 hours
// after `iat`. Shorter expiration times are more. secure. If possible,
// we recommend setting an expiration time fewer than 6 hours. -
// **`sub`**: The identity asserted in the JWT. - **`aud`**: Configured
// by the mapper policy. The default value is the service account's
// unique ID. Example header: “` { "alg": "RS256", "kid": "us-east-11"
// } “` Example payload: “` { "iss": "https://accounts.google.com",
// "iat": 1517963104, "exp": 1517966704, "aud": "113475438248934895348",
// "sub": "113475438248934895348", "my_claims": { "additional_claim":
// "value" } } “` If `subject_token` is an AWS token, it must be a
// serialized,
// [signed](https://docs.aws.amazon.com/general/latest/gr/signing_aws_api
// _requests.html) request to the AWS
// [`GetCallerIdentity()`](https://docs.aws.amazon.com/STS/latest/APIRefe
// rence/API_GetCallerIdentity) method. Format the request as
// URL-encoded JSON, and set the `subject_token_type` parameter to
// `urn:ietf:params:aws:token-type:aws4_request`. The following
// parameters are required: - **`url`**: The URL of the AWS STS endpoint
// for `GetCallerIdentity()`, such as
// `https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15
// `. Regional endpoints are also supported. - **`method`:** The HTTP
// request method: `POST`. - **`headers`**: The HTTP request headers,
// which must include: - **`Authorization`**: The request signature. -
// **`x-amz-date`**`: The time you will send the request, formatted as
// an [ISO8601
// Basic](https://docs.aws.amazon.com/general/latest/gr/sigv4_elements.ht
// ml#sigv4_elements_date) string. This is typically set to the current
// time, and used to prevent replay attacks. - **`host`**: The hostname
// of the `url` field; for example, `sts.amazonaws.com`. -
// **`x-goog-cloud-target-resource`**: The full, canonical resource name
// of the WorkloadIdentityPoolProvider, with or without the HTTPS
// prefix. For example: “`
// //iam.googleapis.com/projects//locations//workloadIdentityPools//provi
// ders/
// https://iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ “` Signing this header as part of the signature is recommended to ensure data integrity. If you are using temporary security credentials provided by AWS, you must also include the header `x-amz-security-token`, with the value `[SESSION_TOKEN]`. The following is an example of a signed, serialized request: “` { "headers":[ {"key": "x-amz-date", "value": "20200815T015049Z"}, {"key": "Authorization", "value": "AWS4-HMAC-SHA256+Credential=$credential,+SignedHeaders=host;x-amz-date;x-goog-cloud-target-resource,+Signature=$signature"}, {"key": "x-goog-cloud-target-resource", "value": "//iam.googleapis.com/projects//locations//workloadIdentityPools//providers/"}, {"key": "host", "value": "sts.amazonaws.com"} . ], "method":"POST", "url":"https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15" } “` You can also use a Google-issued OAuth 2.0 access token with this field to obtain an access token with new security attributes applied, such as an AccessBoundary. In this case, set `subject_token_type` to `urn:ietf:params:oauth:token-type:access_token`. Applying additional security attributes on access tokens that already contain security attributes is not
// allowed.
SubjectToken string `json:"subjectToken,omitempty"`
// SubjectTokenType: Required. An identifier that indicates the type of
// the security token in the `subject_token` parameter. Supported values
// are `urn:ietf:params:oauth:token-type:jwt`,
// `urn:ietf:params:aws:token-type:aws4_request` and
// `urn:ietf:params:oauth:token-type:access_token`.
SubjectTokenType string `json:"subjectTokenType,omitempty"`
// ForceSendFields is a list of field names (e.g. "Audience") to
// unconditionally include in API requests. By default, fields with
// empty values are omitted from API requests. However, any non-pointer,
// non-interface field appearing in ForceSendFields will be sent to the
// server regardless of whether the field is empty or not. This may be
// used to include empty fields in Patch requests.
ForceSendFields []string `json:"-"`
// NullFields is a list of field names (e.g. "Audience") to include in
// API requests with the JSON null value. By default, fields with empty
// values are omitted from API requests. However, any field with an
// empty value appearing in NullFields will be sent to the server as
// null. It is an error if a field in this list has a non-empty value.
// This may be used to include null fields in Patch requests.
NullFields []string `json:"-"`
}
GoogleIdentityStsV1betaExchangeTokenRequest: Request message for ExchangeToken.
func (*GoogleIdentityStsV1betaExchangeTokenRequest) MarshalJSON ¶
func (s *GoogleIdentityStsV1betaExchangeTokenRequest) MarshalJSON() ([]byte, error)
type GoogleIdentityStsV1betaExchangeTokenResponse ¶
type GoogleIdentityStsV1betaExchangeTokenResponse struct {
// AccessToken: An OAuth 2.0 security token, issued by Google, in
// response to the token exchange request.
AccessToken string `json:"access_token,omitempty"`
// ExpiresIn: The expiration time of `access_token`, in seconds, from
// the time of issuance. This field is absent when the `subject_token`
// in the request is a Google-issued, short-lived access token. In this
// case, the expiration time of the `access_token` is the same as the
// `subject_token`.
ExpiresIn int64 `json:"expires_in,omitempty"`
// IssuedTokenType: The token type. Always matches the value of
// `requested_token_type` from the request.
IssuedTokenType string `json:"issued_token_type,omitempty"`
// TokenType: The type of `access_token`. Always has the value `Bearer`.
TokenType string `json:"token_type,omitempty"`
// ServerResponse contains the HTTP response code and headers from the
// server.
googleapi.ServerResponse `json:"-"`
// ForceSendFields is a list of field names (e.g. "AccessToken") to
// unconditionally include in API requests. By default, fields with
// empty values are omitted from API requests. However, any non-pointer,
// non-interface field appearing in ForceSendFields will be sent to the
// server regardless of whether the field is empty or not. This may be
// used to include empty fields in Patch requests.
ForceSendFields []string `json:"-"`
// NullFields is a list of field names (e.g. "AccessToken") to include
// in API requests with the JSON null value. By default, fields with
// empty values are omitted from API requests. However, any field with
// an empty value appearing in NullFields will be sent to the server as
// null. It is an error if a field in this list has a non-empty value.
// This may be used to include null fields in Patch requests.
NullFields []string `json:"-"`
}
GoogleIdentityStsV1betaExchangeTokenResponse: Response message for ExchangeToken.
func (*GoogleIdentityStsV1betaExchangeTokenResponse) MarshalJSON ¶
func (s *GoogleIdentityStsV1betaExchangeTokenResponse) MarshalJSON() ([]byte, error)
type Service ¶
type Service struct {
BasePath string // API endpoint base URL
UserAgent string // optional additional User-Agent fragment
V1beta *V1betaService
// contains filtered or unexported fields
}
func New
deprecated
New creates a new Service. It uses the provided http.Client for requests.
Deprecated: please use NewService instead. To provide a custom HTTP client, use option.WithHTTPClient. If you are using google.golang.org/api/googleapis/transport.APIKey, use option.WithAPIKey with NewService instead.
func NewService ¶
NewService creates a new Service.
type V1betaService ¶
type V1betaService struct {
// contains filtered or unexported fields
}
func NewV1betaService ¶
func NewV1betaService(s *Service) *V1betaService
func (*V1betaService) Token ¶
func (r *V1betaService) Token(googleidentitystsv1betaexchangetokenrequest *GoogleIdentityStsV1betaExchangeTokenRequest) *V1betaTokenCall
Token: Exchanges a credential for a Google OAuth 2.0 access token. The token asserts an external identity within a WorkloadIdentityPool, or applies an Access Boundary on a Google access token.
type V1betaTokenCall ¶
type V1betaTokenCall struct {
// contains filtered or unexported fields
}
func (*V1betaTokenCall) Context ¶
func (c *V1betaTokenCall) Context(ctx context.Context) *V1betaTokenCall
Context sets the context to be used in this call's Do method. Any pending HTTP request will be aborted if the provided context is canceled.
func (*V1betaTokenCall) Do ¶
func (c *V1betaTokenCall) Do(opts ...googleapi.CallOption) (*GoogleIdentityStsV1betaExchangeTokenResponse, error)
Do executes the "sts.token" call. Exactly one of *GoogleIdentityStsV1betaExchangeTokenResponse or error will be non-nil. Any non-2xx status code is an error. Response headers are in either *GoogleIdentityStsV1betaExchangeTokenResponse.ServerResponse.Header or (if a response was returned at all) in error.(*googleapi.Error).Header. Use googleapi.IsNotModified to check whether the returned error was because http.StatusNotModified was returned.
func (*V1betaTokenCall) Fields ¶
func (c *V1betaTokenCall) Fields(s ...googleapi.Field) *V1betaTokenCall
Fields allows partial responses to be retrieved. See https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more information.
func (*V1betaTokenCall) Header ¶
func (c *V1betaTokenCall) Header() http.Header
Header returns an http.Header that can be modified by the caller to add HTTP headers to the request.
Source Files
Click to show internal directories.
Click to hide internal directories.