Documentation
Constants
const (
	TOKEN_INFO_ENDPOINT       = "https://www.googleapis.com/oauth2/v3/tokeninfo"
	IDENTITY_BINDING_ENDPOINT = "https://sts.googleapis.com/v1beta/token"
)
Variables
This section is empty.
Functions
func DownScopedTokenSource
func DownScopedTokenSource(tokenConfig *DownScopedTokenConfig) (oauth2.TokenSource, error)
DownScopedTokenSource returns a reduced-capability Google Cloud TokenSource derived from a higher-privileged TokenSource.
Use this TokenSource to limit the resources a credential can access on GCP. For example, if a given TokenSource can access GCS buckets A and B, a DownScopedTokenSource derived from that root represents the _same_ principal, but its IAM permissions are restricted to bucket A, or even more specifically to a bucket+object (bucketA/objectC.txt). A downscoped token can only narrow what the root token already holds; an access boundary never adds permissions the root does not have.
For more information, see: https://github.com/salrashid123/downscoped_token
RootTokenSource (oauth2.TokenSource): the root TokenSource to derive the restricted one from.
DownscopedOptions (DownscopedOptions): an AccessBoundary holding the list of AccessBoundaryRule structures that define which restriction policies to apply to a resource.
In the following, the token that is returned will only be valid as an objectViewer on bucketA, and the availabilityCondition further narrows it to objects whose name starts with projects/_/buckets/bucketA/objects/objectC.txt. Note that startsWith is a prefix match, so an object named objectC.txt.bak would satisfy the condition as well; use an exact comparison if only that one object should be reachable.
{
  "accessBoundary": {
    "accessBoundaryRules": [
      {
        "availableResource": "//storage.googleapis.com/projects/_/buckets/bucketA",
        "availablePermissions": ["inRole:roles/storage.objectViewer"],
        "availabilityCondition": {
          "title": "obj-prefixes",
          "expression": "resource.name.startsWith(\"projects/_/buckets/bucketA/objects/objectC.txt\")"
        }
      }
    ]
  }
}
Types
type AccessBoundary
type AccessBoundary struct {
	AccessBoundaryRules []AccessBoundaryRule `json:"accessBoundaryRules"`
}
type AccessBoundaryRule
type AccessBoundaryRule struct {
	AvailableResource     string                 `json:"availableResource"`
	AvailablePermissions  []string               `json:"availablePermissions"`
	AvailabilityCondition *AvailabilityCondition `json:"availabilityCondition,omitempty"`
}
type AvailabilityCondition
type DownScopedTokenConfig
type DownScopedTokenConfig struct {
	RootTokenSource   oauth2.TokenSource
	DownscopedOptions DownscopedOptions
}
type DownScopedTokenResponse
type DownscopedOptions
type DownscopedOptions struct {
	AccessBoundary AccessBoundary `json:"accessBoundary"`
}
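The following is an added example, not code from the downscoped_token package, showing how the access boundary described in the DownScopedTokenSource doc is built from the types above, sanity-checked before use, and packed into the form body of the STS token exchange. The types are local mirrors of the documented ones so the file compiles on its own; the fields of AvailabilityCondition (title, expression) are assumed from the JSON sample, and the STS form field names are those of the public Google token-exchange API (an assumption about what this package sends). The root token value is a constructed placeholder.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Local mirrors of the documented types so this file compiles without the package.
// AvailabilityCondition fields are assumed from the JSON sample in the doc.
type AvailabilityCondition struct {
	Title      string `json:"title,omitempty"`
	Expression string `json:"expression"`
}

type AccessBoundaryRule struct {
	AvailableResource     string                 `json:"availableResource"`
	AvailablePermissions  []string               `json:"availablePermissions"`
	AvailabilityCondition *AvailabilityCondition `json:"availabilityCondition,omitempty"`
}

type AccessBoundary struct {
	AccessBoundaryRules []AccessBoundaryRule `json:"accessBoundaryRules"`
}

type DownscopedOptions struct {
	AccessBoundary AccessBoundary `json:"accessBoundary"`
}

// Resource and object-name prefixes used by the GCS boundary in the package doc.
const (
	bucketResourcePrefix = "//storage.googleapis.com/projects/_/buckets/"
	objectNamePrefix     = "projects/_/buckets/"
)

// ObjectViewerBoundary builds the doc's boundary: objectViewer on one bucket, optionally
// narrowed by a CEL condition to objects whose name starts with objectPrefix (a prefix
// match, so "objectC.txt" also admits "objectC.txt.bak").
func ObjectViewerBoundary(bucket, objectPrefix string) DownscopedOptions {
	rule := AccessBoundaryRule{
		AvailableResource:    bucketResourcePrefix + bucket,
		AvailablePermissions: []string{"inRole:roles/storage.objectViewer"},
	}
	if objectPrefix != "" {
		rule.AvailabilityCondition = &AvailabilityCondition{
			Title:      "obj-prefixes",
			Expression: fmt.Sprintf("resource.name.startsWith(%q)", objectNamePrefix+bucket+"/objects/"+objectPrefix),
		}
	}
	return DownscopedOptions{AccessBoundary: AccessBoundary{AccessBoundaryRules: []AccessBoundaryRule{rule}}}
}

// ValidateBoundary rejects a boundary that is missing rules, names something other than a
// single GCS bucket, or lists a permission not written in the inRole:roles/... form the doc uses.
func ValidateBoundary(opts DownscopedOptions) error {
	rules := opts.AccessBoundary.AccessBoundaryRules
	if len(rules) == 0 {
		return errors.New("access boundary must contain at least one rule")
	}
	for i, r := range rules {
		if !strings.HasPrefix(r.AvailableResource, bucketResourcePrefix) || r.AvailableResource == bucketResourcePrefix {
			return fmt.Errorf("rule %d: availableResource %q is not a single GCS bucket", i, r.AvailableResource)
		}
		if len(r.AvailablePermissions) == 0 {
			return fmt.Errorf("rule %d: no availablePermissions", i)
		}
		for _, p := range r.AvailablePermissions {
			if !strings.HasPrefix(p, "inRole:roles/") {
				return fmt.Errorf("rule %d: permission %q must be of the form inRole:roles/...", i, p)
			}
		}
		if r.AvailabilityCondition != nil && r.AvailabilityCondition.Expression == "" {
			return fmt.Errorf("rule %d: availabilityCondition has an empty expression", i)
		}
	}
	return nil
}

// ExchangeForm builds the form body of the STS token exchange that turns the root access
// token into the downscoped one. Field names follow the public Google STS API (assumption).
func ExchangeForm(rootToken string, opts DownscopedOptions) (url.Values, error) {
	if err := ValidateBoundary(opts); err != nil {
		return nil, err
	}
	b, err := json.Marshal(opts)
	if err != nil {
		return nil, err
	}
	v := url.Values{}
	v.Set("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange")
	v.Set("subject_token_type", "urn:ietf:params:oauth:token-type:access_token")
	v.Set("requested_token_type", "urn:ietf:params:oauth:token-type:access_token")
	v.Set("subject_token", rootToken)
	v.Set("options", string(b)) // the accessBoundary JSON from the package doc
	return v, nil
}

func main() {
	opts := ObjectViewerBoundary("bucketA", "objectC.txt")
	form, err := ExchangeForm("ya29.root-token-placeholder", opts) // constructed placeholder, not a real token
	if err != nil {
		panic(err)
	}
	fmt.Println(form.Get("options"))
}
```

POSTing the returned form to IDENTITY_BINDING_ENDPOINT with the root token is what yields the downscoped access token; the validation step exists because a malformed or empty boundary is the case most likely to leave a caller holding a token that is broader than intended.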