externalaccount

package

v0.0.0-...-113175e Latest Latest Go to latest Published: Jan 17, 2022 License: BSD-3-Clause Imports: 21 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/BlancLoup/oauth2

Links

Open Source Insights

Documentation ¶

Index ¶

type Config
- func (c *Config) TokenSource(ctx context.Context) (oauth2.TokenSource, error)
type CredentialSource
type Error
- func (err *Error) Error() string
type ImpersonateTokenSource
- func (its ImpersonateTokenSource) Token() (*oauth2.Token, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type Config ¶

type Config struct {
	// Audience is the Secure Token Service (STS) audience which contains the resource name for the workload
	// identity pool or the workforce pool and the provider identifier in that pool.
	Audience string
	// SubjectTokenType is the STS token type based on the Oauth2.0 token exchange spec
	// e.g. `urn:ietf:params:oauth:token-type:jwt`.
	SubjectTokenType string
	// TokenURL is the STS token exchange endpoint.
	TokenURL string
	// TokenInfoURL is the token_info endpoint used to retrieve the account related information (
	// user attributes like account identifier, eg. email, username, uid, etc). This is
	// needed for gCloud session account identification.
	TokenInfoURL string
	// ServiceAccountImpersonationURL is the URL for the service account impersonation request. This is only
	// required for workload identity pools when APIs to be accessed have not integrated with UberMint.
	ServiceAccountImpersonationURL string
	// ClientSecret is currently only required if token_info endpoint also
	// needs to be called with the generated GCP access token. When provided, STS will be
	// called with additional basic authentication using client_id as username and client_secret as password.
	ClientSecret string
	// ClientID is only required in conjunction with ClientSecret, as described above.
	ClientID string
	// CredentialSource contains the necessary information to retrieve the token itself, as well
	// as some environmental information.
	CredentialSource CredentialSource
	// QuotaProjectID is injected by gCloud. If the value is non-empty, the Auth libraries
	// will set the x-goog-user-project which overrides the project associated with the credentials.
	QuotaProjectID string
	// Scopes contains the desired scopes for the returned access token.
	Scopes []string
	// The optional workforce pool user project number when the credential
	// corresponds to a workforce pool and not a workload identity pool.
	// The underlying principal must still have serviceusage.services.use IAM
	// permission to use the project for billing/quota.
	WorkforcePoolUserProject string
}

Config stores the configuration for fetching tokens with external credentials.

func (*Config) TokenSource ¶

func (c *Config) TokenSource(ctx context.Context) (oauth2.TokenSource, error)

TokenSource Returns an external account TokenSource struct. This is to be called by package google to construct a google.Credentials.

type CredentialSource ¶

type CredentialSource struct {
	File string `json:"file"`

	URL     string            `json:"url"`
	Headers map[string]string `json:"headers"`

	EnvironmentID               string `json:"environment_id"`
	RegionURL                   string `json:"region_url"`
	RegionalCredVerificationURL string `json:"regional_cred_verification_url"`
	CredVerificationURL         string `json:"cred_verification_url"`
	Format                      format `json:"format"`
}

CredentialSource stores the information necessary to retrieve the credentials for the STS exchange. Either the File or the URL field should be filled, depending on the kind of credential in question. The EnvironmentID should start with AWS if being used for an AWS credential.

type Error ¶

type Error struct {
	Code        string
	URI         string
	Description string
}

Error for handling OAuth related error responses as stated in rfc6749#5.2.

func (*Error) Error ¶

func (err *Error) Error() string

type ImpersonateTokenSource ¶

type ImpersonateTokenSource struct {
	// Ctx is the execution context of the impersonation process
	// used to perform http call to the URL. Required
	Ctx context.Context
	// Ts is the source credential used to generate a token on the
	// impersonated service account. Required.
	Ts oauth2.TokenSource

	// URL is the endpoint to call to generate a token
	// on behalf the service account. Required.
	URL string
	// Scopes that the impersonated credential should have. Required.
	Scopes []string
	// Delegates are the service account email addresses in a delegation chain.
	// Each service account must be granted roles/iam.serviceAccountTokenCreator
	// on the next service account in the chain. Optional.
	Delegates []string
}

ImpersonateTokenSource uses a source credential, stored in Ts, to request an access token to the provided URL. Scopes can be defined when the access token is requested.

func (ImpersonateTokenSource) Token ¶

func (its ImpersonateTokenSource) Token() (*oauth2.Token, error)

Token performs the exchange to get a temporary service account token to allow access to GCP.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL