google

package module
v0.0.0-...-d2c8e74
Warning

This package is not in the latest version of its module.

Published: Aug 28, 2023 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation


Constants

const (
	CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
)

Variables

This section is empty.

Functions

func KmsTokenSource

func KmsTokenSource(tokenConfig *KmsTokenConfig) (oauth2.TokenSource, error)

KmsTokenSource returns a TokenSource for a ServiceAccount whose privateKey is sealed within Google Cloud KMS. The TokenSource uses KMS to sign a JWT representing a JWTAccessTokenCredential or a regular oauth2 access_token. For more information on JWTAccessTokens, see https://developers.google.com/identity/protocols/OAuth2ServiceAccount#jwt-auth

This TokenSource only works if the KMS key is linked with a Google Cloud Service Account. To do that, first generate a public/private keypair either directly on KMS (preferred) or using your own CA. Then import the privateKey into KMS. If you generate the key outside KMS, you must import the public part into GCP and associate it with the service account: https://cloud.google.com/iam/docs/creating-managing-service-account-keys#uploading

Email (string): The service account to get the token for.
Audience (string): The audience representing the service the token is valid for.
    The audience must match the name of the Service the token is intended for.  See
    documentation links above.  This field is optional if UseOauthToken
    is true.
    (e.g. https://pubsub.googleapis.com/google.pubsub.v1.Publisher)
KeyID (string): The keyID for the ServiceAccount key.  This field is optional but recommended if
    UseOauthToken is false.
    Find the keyId associated with the service account by running:
    `gcloud iam service-accounts keys list --iam-account=<email>`
KeyRing (string): The keyRing where the key is saved on KMS
LocationId (string): The location for the keyring
Key (string): Name of the key
ProjectId (string): ProjectID of the KMS keyring.
UseOauthToken (bool): Use oauth2 access_token (true) or JWTAccessToken (false)
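
The JWTAccessToken path (UseOauthToken = false) described above, as an added example that is not this package's code: it builds the RS256 JWT with kid = KeyID, iss = sub = Email and aud = Audience, and signs it through a crypto.Signer that stands in for the KMS key. The function names, the local RSA key, the fixed iat, the one-hour lifetime and the sample email and key ID are assumptions made for the illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// SignJWTAccessToken builds the self-signed JWT; signer stands in (assumption) for the KMS key.
func SignJWTAccessToken(email, audience, keyID string, iat int64, signer crypto.Signer) (string, error) {
	if audience == "" {
		return "", fmt.Errorf("audience is required for a JWTAccessToken")
	}
	hdr := map[string]string{"alg": "RS256", "typ": "JWT"}
	if keyID != "" {
		hdr["kid"] = keyID // KeyID tells the verifier which uploaded public key to use
	}
	h, _ := json.Marshal(hdr)
	c, _ := json.Marshal(map[string]interface{}{"iss": email, "sub": email, "aud": audience, "iat": iat, "exp": iat + 3600})
	input := base64.RawURLEncoding.EncodeToString(h) + "." + base64.RawURLEncoding.EncodeToString(c)
	digest := sha256.Sum256([]byte(input))
	sig, err := signer.Sign(rand.Reader, digest[:], crypto.SHA256) // only the digest reaches the signer
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyJWT checks the RS256 signature with the public half of the key, as a receiver would.
func VerifyJWT(token string, pub *rsa.PublicKey) error {
	p := strings.Split(token, ".")
	if sig, err := base64.RawURLEncoding.DecodeString(p[len(p)-1]); len(p) == 3 && err == nil {
		digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
	}
	return fmt.Errorf("malformed token")
}

func newLocalKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // constructed stand-in for the KMS key

func main() {
	key, _ := newLocalKey()
	tok, err := SignJWTAccessToken("svc@example-project.iam.gserviceaccount.com", "https://pubsub.googleapis.com/google.pubsub.v1.Publisher", "constructed-key-id", 1700000000, key)
	fmt.Println(tok, err, VerifyJWT(tok, &key.PublicKey))
}
```

Because the signer receives only a SHA-256 digest, the same function works with any crypto.Signer whose Sign method forwards that digest to a remote key service.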

Types

type KmsTokenConfig

type KmsTokenConfig struct {
	Email         string
	Audience      string
	ProjectId     string
	LocationId    string
	KeyRing       string
	Key           string
	KeyID         string
	KeyVersion    string
	UseOauthToken bool
}

KmsTokenConfig holds the parameters used to create a credential backed by a private key held in KMS.
