Documentation
Constants
This section is empty.
Variables
This section is empty.
Functions
func ExtractServiceAccountEmail (added in v0.17.0)
ExtractServiceAccountEmail extracts the service account email from the impersonation URL. The impersonation URL is expected to be in the format:
https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}:generateAccessToken
or
https://iamcredentials.googleapis.com/v1/projects/{PROJECT_ID}/serviceAccounts/{SERVICE_ACCOUNT_EMAIL}:generateAccessToken
Returns an error if the email cannot be extracted.
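An added example, not the package's own implementation: a strict parser for the two URL formats above that rejects anything else (wrong scheme, lookalike host, extra path segments, a different RPC method). The name strictServiceAccountEmail and the sample service account are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Host and method suffix taken from the URL formats documented above.
const (
	iamHost     = "iamcredentials.googleapis.com"
	tokenMethod = ":generateAccessToken"
)

var errBadURL = errors.New("impersonation URL does not match the documented format")

// strictServiceAccountEmail is a hypothetical helper, not the package's code.
// It returns the email only when the entire URL matches
// https://<iamHost>/v1/projects/{-|PROJECT_ID}/serviceAccounts/{EMAIL}:generateAccessToken.
func strictServiceAccountEmail(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("%w: %v", errBadURL, err)
	}
	// Exact scheme and host: rejects http, ports, userinfo and lookalike hosts.
	if u.Scheme != "https" || u.Host != iamHost || u.User != nil ||
		u.RawQuery != "" || u.Fragment != "" {
		return "", errBadURL
	}
	// u.Path is percent-decoded, so an encoded "/" shows up as an extra segment.
	seg := strings.Split(u.Path, "/")
	if len(seg) != 6 || seg[1] != "v1" || seg[2] != "projects" ||
		seg[3] == "" || seg[4] != "serviceAccounts" {
		return "", errBadURL
	}
	email := strings.TrimSuffix(seg[5], tokenMethod)
	// Assumption of this example: a usable email is non-empty and contains "@".
	if email == seg[5] || !strings.Contains(email, "@") {
		return "", errBadURL
	}
	return email, nil
}

func main() {
	// Constructed sample input.
	raw := "https://" + iamHost + "/v1/projects/-/serviceAccounts/sa@example-project.iam.gserviceaccount.com" + tokenMethod
	fmt.Println(strictServiceAccountEmail(raw))
}
```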
func NewTokenProvider
func NewTokenProvider(opts *Options) (auth.TokenProvider, error)
NewTokenProvider uses a source credential, stored in Tp, to request an access token from the provided URL. Scopes can be defined when the access token is requested.
Types
type GenerateIDTokenRequest (added in v0.14.0)
type GenerateIDTokenRequest struct {
	Audience     string `json:"audience"`
	IncludeEmail bool   `json:"includeEmail"`
	// Delegates are the ordered, fully-qualified resource names for service
	// accounts in a delegation chain. Each service account must be granted
	// roles/iam.serviceAccountTokenCreator on the next service account in the
	// chain. The delegates must have the following format:
	// projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard
	// character is required; replacing it with a project ID is invalid.
	// Optional.
	Delegates []string `json:"delegates,omitempty"`
}
GenerateIDTokenRequest holds the request to the IAM generateIdToken RPC.
type GenerateIDTokenResponse (added in v0.14.0)
type GenerateIDTokenResponse struct {
	Token string `json:"token"`
}
GenerateIDTokenResponse holds the response from the IAM generateIdToken RPC.
type IDTokenIAMOptions (added in v0.14.0)
type IDTokenIAMOptions struct {
	// Client is required.
	Client *http.Client
	// Logger is required.
	Logger              *slog.Logger
	UniverseDomain      auth.CredentialsPropertyProvider
	ServiceAccountEmail string
	GenerateIDTokenRequest
}
IDTokenIAMOptions provides configuration for IDTokenIAMOptions.Token.
func (IDTokenIAMOptions) Token (added in v0.14.0)
Token calls IAM generateIdToken with the configuration provided in IDTokenIAMOptions.
type Options
type Options struct {
	// Tp is the source credential used to generate a token on the
	// impersonated service account. Required.
	Tp auth.TokenProvider
	// URL is the endpoint to call to generate a token
	// on behalf of the service account. Required.
	URL string
	// Scopes that the impersonated credential should have. Required.
	Scopes []string
	// Delegates are the service account email addresses in a delegation chain.
	// Each service account must be granted roles/iam.serviceAccountTokenCreator
	// on the next service account in the chain. Optional.
	Delegates []string
	// TokenLifetimeSeconds is the number of seconds the impersonation token will
	// be valid for. Defaults to 1 hour if unset. Optional.
	TokenLifetimeSeconds int
	// Client configures the underlying client used to make network requests
	// when fetching tokens. Required.
	Client *http.Client
	// Logger is used for debug logging. If provided, logging will be enabled
	// at the logger's configured level. By default logging is disabled unless
	// enabled by setting GOOGLE_SDK_GO_LOGGING_LEVEL, in which case a default
	// logger will be used. Optional.
	Logger *slog.Logger
	// UniverseDomain is the default service domain for a given Cloud universe.
	UniverseDomain string
}
Options for NewTokenProvider.