impersonate

package
v0.0.0-...-e2e270a
Warning

This package is not in the latest version of its module.

Published: Feb 18, 2021 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Index

Constants

const (
	MaxTokenLifetime = 3600 * time.Second
)

Variables

var (
	ErrNilRootSource   = errors.New("impersonate: rootSource cannot be nil")
	ErrInvalidLifetime = errors.New("impersonate: lifetime must be less than or equal to 3600 seconds")
)

Functions

func TokenSource

func TokenSource(ctx context.Context, c *TokenConfig) (oauth2.TokenSource, error)

TokenSource returns a TokenSource issued to a user or service account in order to impersonate another. The project whose credentials are used must enable the iamcredentials.googleapis.com API, and the target service account must grant the originating principal the "Service Account Token Creator" IAM role: https://cloud.google.com/iam/docs/service-accounts#the_service_account_token_creator_role

Note that this is not a standard OAuth flow; it uses the Google Cloud IAM Credentials API to exchange one OAuth token for an access token belonging to the impersonated account. See: https://cloud.google.com/iam/credentials/reference/rest/v1/projects.serviceAccounts/generateAccessToken

Types

type TokenConfig

type TokenConfig struct {
	// TokenSource is the root credential used to acquire the target identity's
	// TokenSource. It *must* include the scope "https://www.googleapis.com/auth/iam"
	// or "https://www.googleapis.com/auth/cloud-platform".
	TokenSource oauth2.TokenSource

	// TargetPrincipal is the service account to impersonate.
	TargetPrincipal string

	// Lifetime is how long the impersonated credential should remain valid,
	// up to 3600 seconds (MaxTokenLifetime).
	Lifetime time.Duration

	// Delegates is a chain of delegates required to grant the final
	// access_token. If set, each identity in the sequence must have the
	// "Service Account Token Creator" role granted to the preceding identity.
	// For example, if set to [serviceAccountB, serviceAccountC], the TokenSource
	// must have the Token Creator role on serviceAccountB, serviceAccountB must
	// have the Token Creator role on serviceAccountC, and finally C must have
	// Token Creator on TargetPrincipal. If left unset, TokenSource must have
	// that role directly on TargetPrincipal.
	Delegates []string

	// TargetScopes are the scopes to request during the authorization grant.
	TargetScopes []string

	// Subject is the subject used for G Suite Domain-Wide Delegation. Specify
	// this field only if you wish to use the G Suite Admin SDK and utilize
	// domain-wide delegation with impersonated credentials.
	// https://developers.google.com/admin-sdk/directory/v1/guides/delegation
	Subject string
}
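The TokenSource doc and the Delegates comment above together define a set of preconditions (a non-nil root source with the iam or cloud-platform scope, a lifetime of at most 3600 seconds, and a Token Creator grant at every hop of the delegation chain) that the package only checks once you call it, and the IAM bindings it never checks at all. The following added example is not part of the package; it is a standard-library-only pre-flight helper that validates those documented constraints locally and enumerates the exact "Service Account Token Creator" bindings a delegation chain depends on, which is what an auditor needs in order to confirm the chain is no broader than intended. RootSource, Preflight, Grant, RequiredGrants, HasRequiredScope, Validate and ErrMissingScope are hypothetical names introduced here; the constant and the first two error values mirror the package's own, and the e-mail addresses are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// MaxTokenLifetime and the first two errors mirror the package's documented
// constant and variables; everything else here is an added pre-flight helper.
const MaxTokenLifetime = 3600 * time.Second

var (
	ErrNilRootSource   = errors.New("impersonate: rootSource cannot be nil")
	ErrInvalidLifetime = errors.New("impersonate: lifetime must be less than or equal to 3600 seconds")
	// ErrMissingScope is hypothetical: the real package exposes no such error,
	// but its doc comment requires one of the two scopes on the root source.
	ErrMissingScope = errors.New("preflight: root token source needs the iam or cloud-platform scope")
)

// RootSource stands in for oauth2.TokenSource so the example builds with the
// standard library only; Validate inspects nothing but its nil-ness.
type RootSource interface {
	Token() (string, error)
}

// staticSource is a constructed sample root source.
type staticSource struct{ tok string }

func (s staticSource) Token() (string, error) { return s.tok, nil }

// Preflight holds what the caller knows about the TokenConfig it is about to
// build. RootScopes is supplied by the caller because an oauth2.TokenSource
// does not expose the scopes it was created with.
type Preflight struct {
	Root            RootSource
	RootScopes      []string
	TargetPrincipal string
	Delegates       []string
	Lifetime        time.Duration
}

// Grant records one IAM binding the chain depends on: Grantee must hold the
// "Service Account Token Creator" role on Target.
type Grant struct {
	Grantee string
	Target  string
}

// RequiredGrants lists every Token Creator binding implied by the documented
// delegation rules: the root identity needs the role on the first delegate,
// each delegate on the next, and the last delegate on the target principal.
// With no delegates the root identity needs the role on the target directly.
func RequiredGrants(root string, delegates []string, target string) []Grant {
	chain := append([]string{root}, delegates...)
	chain = append(chain, target)
	grants := make([]Grant, 0, len(chain)-1)
	for i := 0; i+1 < len(chain); i++ {
		grants = append(grants, Grant{Grantee: chain[i], Target: chain[i+1]})
	}
	return grants
}

// HasRequiredScope reports whether the root source was requested with one of
// the two scopes the TokenConfig doc comment demands.
func HasRequiredScope(scopes []string) bool {
	for _, s := range scopes {
		if s == "https://www.googleapis.com/auth/iam" || s == "https://www.googleapis.com/auth/cloud-platform" {
			return true
		}
	}
	return false
}

// Validate applies the documented constraints before any network call, so a
// misconfiguration fails fast locally instead of as an opaque IAM Credentials error.
func Validate(p Preflight) error {
	if p.Root == nil {
		return ErrNilRootSource
	}
	if p.Lifetime < 0 || p.Lifetime > MaxTokenLifetime {
		return ErrInvalidLifetime
	}
	if !HasRequiredScope(p.RootScopes) {
		return ErrMissingScope
	}
	return nil
}

func main() {
	// Constructed sample: the root identity reaches the target through delegate B.
	p := Preflight{
		Root:            staticSource{tok: "constructed-sample-token"},
		RootScopes:      []string{"https://www.googleapis.com/auth/iam"},
		TargetPrincipal: "target-sa@example-project.iam.gserviceaccount.com",
		Delegates:       []string{"delegate-b@example-project.iam.gserviceaccount.com"},
		Lifetime:        30 * time.Minute,
	}
	if err := Validate(p); err != nil {
		fmt.Println("config rejected:", err)
		return
	}
	root := "root-sa@example-project.iam.gserviceaccount.com" // identity behind p.Root
	for _, g := range RequiredGrants(root, p.Delegates, p.TargetPrincipal) {
		fmt.Printf("%s needs Service Account Token Creator on %s\n", g.Grantee, g.Target)
	}
}
```

Run RequiredGrants over every TokenConfig your code builds and compare the output against the IAM policy of each service account in the chain: any binding present in IAM but absent from the list is excess privilege that the impersonation path does not need, and any binding in the list but absent from IAM is why TokenSource will fail at call time.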
