externalaccount

package v0.0.0-...-6fa9280
Published: Dec 8, 2023 License: BSD-3-Clause Imports: 24 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func CreateExecutableCredential

func CreateExecutableCredential(ctx context.Context, ec *ExecutableConfig, config *Config) (executableCredentialSource, error)

CreateExecutableCredential creates an executableCredentialSource given an ExecutableConfig. It also performs defaulting and type conversions.

Types

type Config

type Config struct {
	// Audience is the Secure Token Service (STS) audience which contains the resource name for the workload
	// identity pool or the workforce pool and the provider identifier in that pool.
	Audience string
	// SubjectTokenType is the STS token type based on the Oauth2.0 token exchange spec
	// e.g. `urn:ietf:params:oauth:token-type:jwt`.
	SubjectTokenType string
	// TokenURL is the STS token exchange endpoint.
	TokenURL string
	// TokenInfoURL is the token_info endpoint used to retrieve account-related information
	// (user attributes such as the account identifier, e.g. email, username, uid, etc.). This is
	// needed for gCloud session account identification.
	TokenInfoURL string
	// ServiceAccountImpersonationURL is the URL for the service account impersonation request. This is only
	// required for workload identity pools when APIs to be accessed have not integrated with UberMint.
	ServiceAccountImpersonationURL string
	// ServiceAccountImpersonationLifetimeSeconds is the number of seconds the service account impersonation
	// token will be valid for.
	ServiceAccountImpersonationLifetimeSeconds int
	// ClientSecret is currently only required if token_info endpoint also
	// needs to be called with the generated GCP access token. When provided, STS will be
	// called with additional basic authentication using client_id as username and client_secret as password.
	ClientSecret string
	// ClientID is only required in conjunction with ClientSecret, as described above.
	ClientID string
	// CredentialSource contains the necessary information to retrieve the token itself, as well
	// as some environmental information.
	CredentialSource CredentialSource
	// QuotaProjectID is injected by gCloud. If the value is non-empty, the Auth libraries
	// will set the x-goog-user-project which overrides the project associated with the credentials.
	QuotaProjectID string
	// Scopes contains the desired scopes for the returned access token.
	Scopes []string
	// The optional workforce pool user project number when the credential
	// corresponds to a workforce pool and not a workload identity pool.
	// The underlying principal must still have serviceusage.services.use IAM
	// permission to use the project for billing/quota.
	WorkforcePoolUserProject string
}

Config stores the configuration for fetching tokens with external credentials.

func (*Config) TokenSource

func (c *Config) TokenSource(ctx context.Context) (oauth2.TokenSource, error)

TokenSource returns an external account oauth2.TokenSource. It is intended to be called by package google to construct a google.Credentials.

type CredentialSource

type CredentialSource struct {
	File string `json:"file"`

	URL     string            `json:"url"`
	Headers map[string]string `json:"headers"`

	Executable *ExecutableConfig `json:"executable"`

	EnvironmentID               string `json:"environment_id"`
	RegionURL                   string `json:"region_url"`
	RegionalCredVerificationURL string `json:"regional_cred_verification_url"`
	CredVerificationURL         string `json:"cred_verification_url"`
	IMDSv2SessionTokenURL       string `json:"imdsv2_session_token_url"`
	Format                      format `json:"format"`
}

CredentialSource stores the information necessary to retrieve the credentials for the STS exchange. One field amongst File, URL, and Executable should be filled, depending on the kind of credential in question. The EnvironmentID should start with AWS if being used for an AWS credential.
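As an added example, not the package's own code: a small validator that mirrors the CredentialSource JSON shape above and enforces the documented one-source rule, treating an environment_id beginning with "aws" (this example's reading of "should start with AWS") as the fourth kind. The allowExec parameter stands in for the x/oauth2 library's opt-in gate, which runs executable sources only when GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES=1 is set; the sample credential_source values are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Example mirror of the page's CredentialSource (JSON tags copied from the docs); not the package's own type.
type CredentialSource struct {
	File       string `json:"file"`
	URL        string `json:"url"`
	Executable *struct {
		Command string `json:"command"`
	} `json:"executable"`
	EnvironmentID string `json:"environment_id"`
}

// Classify parses a credential_source object and reports the single source kind it
// configures ("file", "url", "executable" or "aws"). allowExec stands in for the opt-in
// gate GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES=1; the "aws" prefix test is this example's reading.
func Classify(raw []byte, allowExec bool) (string, error) {
	var cs CredentialSource
	if err := json.Unmarshal(raw, &cs); err != nil {
		return "", err
	}
	sources := map[string]bool{
		"file":       cs.File != "",
		"url":        cs.URL != "",
		"executable": cs.Executable != nil,
		"aws":        strings.HasPrefix(strings.ToLower(cs.EnvironmentID), "aws"),
	}
	kind, n := "", 0
	for k, set := range sources {
		if set {
			kind, n = k, n+1
		}
	}
	if n != 1 {
		return "", fmt.Errorf("credential_source must set exactly one source, got %d", n)
	}
	// Executables run a local command, so they need a command and an explicit opt-in.
	if kind == "executable" && (!allowExec || cs.Executable.Command == "") {
		return "", fmt.Errorf("executable source needs a command and must be explicitly enabled")
	}
	return kind, nil
}

func main() {
	fmt.Println(Classify([]byte(`{"file": "/var/run/secrets/token"}`), false)) // file <nil>
}
```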

type Error

type Error struct {
	Code        string
	URI         string
	Description string
}

Error represents an OAuth 2.0 error response as defined in RFC 6749, section 5.2.

func (*Error) Error

func (err *Error) Error() string

type ExecutableConfig

type ExecutableConfig struct {
	Command       string `json:"command"`
	TimeoutMillis *int   `json:"timeout_millis"`
	OutputFile    string `json:"output_file"`
}

type ImpersonateTokenSource

type ImpersonateTokenSource struct {
	// Ctx is the execution context of the impersonation process,
	// used to perform the HTTP call to the URL. Required.
	Ctx context.Context
	// Ts is the source credential used to generate a token on the
	// impersonated service account. Required.
	Ts oauth2.TokenSource

	// URL is the endpoint to call to generate a token
	// on behalf of the service account. Required.
	URL string
	// Scopes that the impersonated credential should have. Required.
	Scopes []string
	// Delegates are the service account email addresses in a delegation chain.
	// Each service account must be granted roles/iam.serviceAccountTokenCreator
	// on the next service account in the chain. Optional.
	Delegates []string
	// TokenLifetimeSeconds is the number of seconds the impersonation token will
	// be valid for.
	TokenLifetimeSeconds int
}

ImpersonateTokenSource uses a source credential, stored in Ts, to request an access token to the provided URL. Scopes can be defined when the access token is requested.

func (ImpersonateTokenSource) Token

func (its ImpersonateTokenSource) Token() (*oauth2.Token, error)

Token performs the exchange to get a temporary service account token to allow access to GCP.
