Documentation ¶
Overview ¶
Package google contains methods specific for Google Cloud Platform.
Index ¶
- Constants
- func FetchMetadataIDToken(aud string, account string) (string, error)
- func GetSignedURL(bucket, name, serviceAccountEmail, method string, expires time.Time, ...) (string, error)
- func MustNewVerifier(ctx context.Context, aud string) *cloudidentity.IDTokenVerifier
- func NewVerifier(ctx context.Context, aud string) (*cloudidentity.IDTokenVerifier, error)
- func SignBytes(bytes []byte, serviceAccount string) (string, string, error)
Examples ¶
Constants ¶
const (
	// DefaultAccount is the constant for the default service account
	DefaultAccount = "default"
)
Variables ¶
This section is empty.
Functions ¶
func FetchMetadataIDToken ¶
FetchMetadataIDToken retrieves your current identity from the GCE metadata server. It is available for Google Compute Engine, Google App Engine standard second generation runtimes and Google App Engine flexible. Parameter aud should contain a free-form string (usually a URL) that indicates the target audience (receiver) of the request that the ID token is used to authenticate to. Parameter account should indicate the service account identifier to use; use an empty string or google.DefaultAccount for the default account.
Example ¶
aud := "https://myapp/myservice" // Free-form string
identity, err := FetchMetadataIDToken(aud, "")
if err != nil {
	// log.Fatalf exits the program, so no return is needed after it
	log.Fatalf("got error: %v", err)
}
log.Printf("Got identity token: %v", identity)
Output: Got identity token: <token>
func GetSignedURL ¶
func GetSignedURL(bucket, name, serviceAccountEmail, method string, expires time.Time, signBytes func(payload []byte) ([]byte, error)) (string, error)
GetSignedURL returns a signed URL to access a Google Cloud Storage resource. The parameter bucket is the bucket name. The parameter method indicates the HTTP method (e.g. "GET") to allow access to. The parameter serviceAccountEmail must hold the email value of the service account used for signing the URL; you could use `metadata.Email()` to retrieve this value for a service account. The signBytes parameter is a function that takes care of the signing. One way to implement it is using this library:
saEmail, _ := metadata.Email(google.DefaultAccount)
name := "path/to/my/file"
signBytes := func(payload []byte) ([]byte, error) {
	return google.SignBytes(payload, "", saEmail)
}
expires := time.Now().Add(time.Minute * 60)
signedURL, _ := google.GetSignedURL("bucket1", name, saEmail, "GET", expires, signBytes)
This method does network I/O and could introduce latency.
Example ¶
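// Look up the email of the default service account from the metadata server
saEmail, err := metadata.Email(google.DefaultAccount)
if err != nil {
	log.Fatalf("could not read service account email: %v", err)
}
name := "path/to/my/file"
signBytes := func(payload []byte) ([]byte, error) {
	return google.SignBytes(payload, "", saEmail)
}
// The URL stops working after this time
expires := time.Now().Add(time.Minute * 60)
signedURL, err := google.GetSignedURL("bucket1", name, saEmail, "GET", expires, signBytes)
if err != nil {
	log.Fatalf("could not sign URL: %v", err)
}
log.Printf("Got signed URL: %v", signedURL)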
func MustNewVerifier ¶
func MustNewVerifier(ctx context.Context, aud string) *cloudidentity.IDTokenVerifier
MustNewVerifier creates a new IDTokenVerifier that uses Google's issuer URL. Panics on errors.
func NewVerifier ¶
func NewVerifier(ctx context.Context, aud string) (*cloudidentity.IDTokenVerifier, error)
NewVerifier creates a new IDTokenVerifier that uses Google's issuer URL.
func SignBytes ¶
SignBytes signs the given bytes using the given service account. Specify `google.DefaultAccount` as the serviceAccount parameter to use the default account. You may specify "-" or empty string ("") for the projectID parameter to use the current project's ID. This method does network I/O and could introduce latency. Returns the signature string and the Key ID used to sign. For further info about how to verify the signature, see: https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob
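Checking a signature and Key ID of the kind SignBytes returns, as an added example that is not part of this package or its documentation. It assumes the signature string is standard base64 of an RSASSA-PKCS1-v1_5 SHA-256 signature and that the verifier already holds the service account's public keys indexed by key ID; VerifySignedBlob and demoSignedBlob are hypothetical names, and demoSignedBlob stands in for SignBytes with a throwaway local key so the code runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// VerifySignedBlob (hypothetical helper) checks sigB64 over payload with the key published
// under keyID. Assumption: RSASSA-PKCS1-v1_5 with SHA-256, standard base64 encoding.
func VerifySignedBlob(keys map[string]*rsa.PublicKey, keyID string, payload []byte, sigB64 string) error {
	pub, ok := keys[keyID]
	if !ok {
		return fmt.Errorf("no public key for key ID %q", keyID) // fail closed, never try other keys
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("signature is not valid base64: %w", err)
	}
	digest := sha256.Sum256(payload)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("signature does not match payload: %w", err)
	}
	return nil
}

// demoSignedBlob is a constructed offline stand-in for SignBytes plus key publication:
// it signs payload with a throwaway key and returns the signature and the key set.
func demoSignedBlob(keyID string, payload []byte) (string, map[string]*rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, err
	}
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return base64.StdEncoding.EncodeToString(sig), map[string]*rsa.PublicKey{keyID: &priv.PublicKey}, err
}

func main() {
	sig, keys, err := demoSignedBlob("constructed-key-1", []byte("hello"))
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine payload: ", VerifySignedBlob(keys, "constructed-key-1", []byte("hello"), sig))
	fmt.Println("tampered payload:", VerifySignedBlob(keys, "constructed-key-1", []byte("hellO"), sig))
}
```

Looking the key up by the returned Key ID, rather than trying every known key, means a signature made with a key that has been rotated out is rejected.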
Types ¶
This section is empty.