Documentation ¶
Overview ¶
Package dwd exposes primitives for GSuite domain-wide delegation within Google's cloud platform without downloaded JSON service account keys.
Domain-wide delegation usually requires a downloaded JSON service account key so that the client can sign a JWT with a custom subject. Where a downloaded key is undesirable or impossible, such as on Google App Engine, this package lets a service account pivot to a delegated credential via a SignJwt call, so no private key is ever downloaded.
Domain-wide authority must be delegated to a service account: https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account
That service account must also hold roles/iam.serviceAccountTokenCreator on itself (this role is not granted by default): https://cloud.google.com/iam/docs/understanding-service-accounts#directly_impersonating_a_service_account
Once set up, the TokenSource can be embedded into an admin.Service via option.WithTokenSource (see Example for import statements):

    ctx := context.Background()
    ts := TokenSource(
        ctx,
        "user@example.com", // User must be a GSuite admin.
        admin.AdminDirectoryUserScope,
    )
    a, err := admin.NewService(ctx, option.WithTokenSource(ts))
This is an updated version of github.com/iamacarpet/go-gae-dwd-tokensource that can run anywhere in Google's cloud platform.
BUG: Service account delegation chains are not supported.
Example ¶
    ctx := context.Background()
    ts := TokenSource(
        ctx,
        "user@example.com", // User must be a GSuite admin.
        admin.AdminDirectoryUserScope,
    )
    a, err := admin.NewService(ctx, option.WithTokenSource(ts))
    if err != nil {
        // handle err
    }
    _, err = a.Users.List().Do()
    if err != nil {
        // handle err
    }
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func TokenSource ¶
TokenSource generates a delegated, cached oauth2.TokenSource for the provided subject and scopes.
Delegation is implemented via SignJwt, and caching via oauth2.ReuseTokenSource.
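The pivot that the Overview and the TokenSource description both refer to (sign a JWT whose subject is the delegated user, then exchange it for that user's access token) as an added, self-contained example; this is not the dwd package's own code. It assumes hypothetical names (DelegatedClaims, LocalSigner, ExchangeJWT, FakeTokenServer), uses an in-process RSA key as a constructed stand-in for the IAM SignJwt call the package makes (in the package the private key never leaves Google), and talks to a constructed local token endpoint instead of oauth2.googleapis.com so that it runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// Claims is the delegation assertion: the service account is iss, the impersonated GSuite user is sub.
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Scope string `json:"scope"`
	Aud   string `json:"aud"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

// DelegatedClaims builds the claims for serviceAccount acting as subject with the given scopes.
func DelegatedClaims(serviceAccount, subject string, now time.Time, scopes ...string) Claims {
	return Claims{Iss: serviceAccount, Sub: subject, Scope: strings.Join(scopes, " "),
		Aud: "https://oauth2.googleapis.com/token", // must name the endpoint the assertion is sent to
		Iat: now.Unix(), Exp: now.Add(time.Hour).Unix()} // Google accepts at most one hour of validity
}

// LocalSigner is a constructed stand-in for the IAM SignJwt call; there the key never leaves Google.
type LocalSigner struct{ Key *rsa.PrivateKey }

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignJWT returns a compact RS256 JWT: base64url(header).base64url(payload).base64url(signature).
func (s LocalSigner) SignJWT(c Claims) (string, error) {
	payload, _ := json.Marshal(c) // only strings and ints: cannot fail
	input := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.Key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// ExchangeJWT posts the assertion as a jwt-bearer grant and returns the resulting access token.
func ExchangeJWT(client *http.Client, endpoint, assertion string) (string, error) {
	resp, err := client.PostForm(endpoint, url.Values{
		"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"}, "assertion": {assertion}})
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var body struct{ AccessToken string `json:"access_token"` }
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusOK || body.AccessToken == "" {
		return "", fmt.Errorf("token endpoint returned %s without an access_token", resp.Status)
	}
	return body.AccessToken, nil
}

// FakeTokenServer is a constructed stand-in for oauth2.googleapis.com; it checks only the grant
// shape, whereas Google also verifies the signature and that the scopes were delegated to iss.
func FakeTokenServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.FormValue("grant_type") != "urn:ietf:params:oauth:grant-type:jwt-bearer" ||
			strings.Count(r.FormValue("assertion"), ".") != 2 {
			http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
			return
		}
		fmt.Fprint(w, `{"access_token":"ya29.constructed-example","expires_in":3600}`)
	}))
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the key IAM holds
	if err != nil {
		panic(err)
	}
	srv := FakeTokenServer()
	defer srv.Close()
	claims := DelegatedClaims("dwd@example-project.iam.gserviceaccount.com", "user@example.com",
		time.Now(), "https://www.googleapis.com/auth/admin.directory.user") // admin.AdminDirectoryUserScope
	assertion, err := LocalSigner{Key: key}.SignJWT(claims)
	if err != nil {
		panic(err)
	}
	tok, err := ExchangeJWT(srv.Client(), srv.URL, assertion)
	if err != nil {
		panic(err)
	}
	fmt.Println("delegated token for", claims.Sub+":", tok)
}
```

In the dwd package the LocalSigner step is performed by IAM on the service account's behalf, which is why the account needs roles/iam.serviceAccountTokenCreator on itself, and the resulting token is wrapped in oauth2.ReuseTokenSource so the exchange is repeated only when the cached token expires. Note what the role implies: any principal that can act as the service account can mint a token for every user in the domain within the delegated scopes, so keep the grant limited to the account itself and the delegated scope list as narrow as the admin API calls require.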
Types ¶
This section is empty.