google

package module v0.0.0-...-0c6294e
Published: Oct 23, 2020 License: Apache-2.0 Imports: 36 Imported by: 1

Documentation

Index

Constants

const (
	GCP_STS_ENDPOINT         = "https://sts.googleapis.com/v1beta/token"
	AWS_STS_ENDPOINT         = "https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
	GCP_CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
)
const (
	TOKEN_INFO_ENDPOINT       = "https://www.googleapis.com/oauth2/v3/tokeninfo"
	IDENTITY_BINDING_ENDPOINT = "https://sts.googleapis.com/v1beta/token"
)
const (
	GCP_OIDC_STS_ENDPOINT         = "https://sts.googleapis.com/v1beta/token"
	GCP_OIDC_CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
)
const (
	CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
)
const (
	GCEFullFormat = "full"
)

Variables

This section is empty.

Functions

func AWSTokenSource

func AWSTokenSource(tokenConfig *AwsTokenConfig) (oauth2.TokenSource, error)

func DownScopedTokenSource

func DownScopedTokenSource(tokenConfig *DownScopedTokenConfig) (oauth2.TokenSource, error)

DownScopedTokenSource returns a reduced-capability Google Cloud TokenSource derived from a higher-privileged TokenSource.

Use this TokenSource to limit the resources a credential can access on GCP. For example, if a given TokenSource can access GCS buckets A and B, a DownScopedTokenSource derived from the root would represent the _same_ user but IAM permissions are restricted to bucket A or even more specifically to bucket+object (bucketA/objectC.txt).

For more information, see: https://github.com/salrashid123/downscoped_token

RootTokenSource (string): The root token to derive the restricted one from.
DownScopedTokenConfig ([]AccessBoundaryRule): List of AccessBoundary structures defining
    what restriction policies to apply on a resource. In the following, the token that is returned
    will only be valid as an objectViewer on bucketA (and only for objectC.txt within it):
    {
      "accessBoundary": {
        "accessBoundaryRules": [
          {
            "availableResource": "//storage.googleapis.com/projects/_/buckets/bucketA",
            "availablePermissions": ["inRole:roles/storage.objectViewer"],
            "availabilityCondition": {
              "title": "obj-prefixes",
              "expression": "resource.name.startsWith(\"projects/_/buckets/bucketA/objects/objectC.txt\")"
            }
          }
        ]
      }
    }
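A pre-flight check for an access boundary before it is handed to DownScopedTokenSource, as an added example that is not part of the package: the struct shapes mirror the AccessBoundary types documented on this page, and ValidateBoundary is my own helper that rejects rule sets which would not narrow the token the way the author intends (for instance a startsWith condition that names a different bucket than the rule's availableResource).

```go
package main

import (
	"fmt"
	"strings"
)

// These structs mirror the AccessBoundary types documented on this page,
// redeclared so the example builds without importing the package.
type AvailabilityCondition struct {
	Title      string `json:"title,omitempty"`
	Expression string `json:"expression,omitempty"`
}
type AccessBoundaryRule struct {
	AvailableResource     string                `json:"availableResource"`
	AvailablePermissions  []string              `json:"availablePermissions"`
	AvailabilityCondition AvailabilityCondition `json:"availabilityCondition,omitempty"`
}
type AccessBoundary struct {
	AccessBoundaryRules []AccessBoundaryRule `json:"accessBoundaryRules"`
}

const bucketPrefix = "//storage.googleapis.com/projects/_/buckets/"

// ValidateBoundary is a pre-flight check (my addition, not part of the package)
// that rejects rule sets which do not narrow the token as intended: no rules,
// a resource that is not exactly one GCS bucket, a permission that is not an
// "inRole:" grant, or a startsWith condition pointing outside the rule's bucket.
func ValidateBoundary(b AccessBoundary) error {
	if len(b.AccessBoundaryRules) == 0 {
		return fmt.Errorf("no rules: an empty boundary is not a restriction")
	}
	for i, r := range b.AccessBoundaryRules {
		bucket := strings.TrimPrefix(r.AvailableResource, bucketPrefix)
		if bucket == r.AvailableResource || bucket == "" || strings.Contains(bucket, "/") {
			return fmt.Errorf("rule %d: availableResource must be one bucket, got %q", i, r.AvailableResource)
		}
		for _, p := range r.AvailablePermissions {
			if !strings.HasPrefix(p, "inRole:roles/") {
				return fmt.Errorf("rule %d: %q is not an inRole: grant", i, p)
			}
		}
		want := "resource.name.startsWith(\"projects/_/buckets/" + bucket + "/objects/"
		if e := r.AvailabilityCondition.Expression; e != "" && !strings.HasPrefix(e, want) {
			return fmt.Errorf("rule %d: condition %q does not stay inside bucket %s", i, e, bucket)
		}
	}
	return nil
}

func main() { fmt.Println(ValidateBoundary(AccessBoundary{})) }
```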

func ExternalTokenSource

func ExternalTokenSource(tokenConfig *ExternalTokenConfig) (oauth2.TokenSource, error)

func IdTokenSource

func IdTokenSource(tokenConfig *IdTokenConfig) (oauth2.TokenSource, error)

IdTokenSource returns a TokenSource which returns a Google OIDC token.

tokenConfig (IdTokenConfig): The root Credential object which will
    be used to generate the ID token.

https://medium.com/google-cloud/authenticating-using-google-openid-connect-tokens-e7675051213b

func ImpersonatedTokenSource

func ImpersonatedTokenSource(tokenConfig *ImpersonatedTokenConfig) (oauth2.TokenSource, error)

ImpersonatedTokenSource returns a TokenSource issued to a user or service account to impersonate another. The source project using ImpersonatedTokenSource must enable the "IAMCredentials" API. Also, the target service account must grant the originating principal the "Service Account Token Creator" IAM role: https://cloud.google.com/iam/docs/service-accounts#the_service_account_token_creator_role

rootSource (TokenSource): The root TokenSource
   used to acquire the target identity TokenSource.
   rootSource *must* include scopes that contain
   "https://www.googleapis.com/auth/iam"
   or
   "https://www.googleapis.com/auth/cloud-platform"
targetPrincipal (string): The service account to impersonate.
targetScopes ([]string): Scopes to request during the
   authorization grant.
delegates ([]string): The chained list of delegates required
   to grant the final access_token. If set, each identity in the
   sequence must have the "Service Account Token Creator" role
   granted to the preceding identity. For example, if set to
   [serviceAccountB, serviceAccountC], the source_credential
   must have the Token Creator role on serviceAccountB,
   serviceAccountB must have Token Creator on serviceAccountC,
   and finally C must have Token Creator on target_principal.
   If left unset, source_credential must have that role on
   target_principal.
lifetime (time.Duration): Number of seconds the impersonated credential should
   be valid for (up to 3600).
subject (string): Subject field used for G Suite Domain Wide Delegation.
   Specify this field ONLY if you wish to use the Google G Suite Admin SDK and utilize
   domain-wide delegation with impersonated credentials.
   https://developers.google.com/admin-sdk/directory/v1/guides/delegation

Note that this is not a standard OAuth flow; it uses the Google Cloud IAMCredentials API to exchange one OAuth token for an impersonated account's token. See: https://cloud.google.com/iam/credentials/reference/rest/v1/projects.serviceAccounts/generateAccessToken
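The delegates rule above implies a specific set of Token Creator grants, and a missing one only surfaces as a failed generateAccessToken call. The following is an added example (my own helper code, not part of this package) that expands a source/delegates/target chain into the grants it requires and checks them against a constructed snapshot of who holds the Token Creator role on each service account, so the gap can be found before any token is requested.

```go
package main

import "fmt"

// Grant records that Principal must hold the Service Account Token
// Creator role on the service account On.
type Grant struct{ Principal, On string }

// RequiredGrants expands the delegates rule documented above:
// source -> delegates[0] -> ... -> target, one Token Creator grant
// per hop; with no delegates it is the single source -> target grant.
func RequiredGrants(source string, delegates []string, target string) []Grant {
	chain := append([]string{source}, delegates...)
	chain = append(chain, target)
	grants := make([]Grant, 0, len(chain)-1)
	for i := 0; i+1 < len(chain); i++ {
		grants = append(grants, Grant{Principal: chain[i], On: chain[i+1]})
	}
	return grants
}

// TokenCreatorBindings maps a service account to the members holding the
// Token Creator role on it (constructed here; in practice taken from
// `gcloud iam service-accounts get-iam-policy`).
type TokenCreatorBindings map[string][]string

// MissingGrants lists the hops with no binding, so a broken chain is
// caught before any generateAccessToken call is made.
func MissingGrants(b TokenCreatorBindings, source string, delegates []string, target string) []Grant {
	var missing []Grant
	for _, g := range RequiredGrants(source, delegates, target) {
		held := false
		for _, m := range b[g.On] {
			held = held || m == g.Principal
		}
		if !held {
			missing = append(missing, g)
		}
	}
	return missing
}

func main() {
	// Constructed policy: the last hop (sa-c on the target) is not granted.
	policy := TokenCreatorBindings{
		"sa-b@p.iam.gserviceaccount.com": {"user@example.com"},
		"sa-c@p.iam.gserviceaccount.com": {"sa-b@p.iam.gserviceaccount.com"},
	}
	fmt.Println(MissingGrants(policy, "user@example.com", []string{"sa-b@p.iam.gserviceaccount.com", "sa-c@p.iam.gserviceaccount.com"}, "target@p.iam.gserviceaccount.com"))
}
```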

func KmsTokenSource

func KmsTokenSource(tokenConfig *KmsTokenConfig) (oauth2.TokenSource, error)

KmsTokenSource returns a TokenSource for a ServiceAccount where the privateKey is sealed within Google Cloud KMS. The TokenSource uses KMS to sign a JWT representing either a JWTAccessTokenCredential or a regular oauth2 access_token. For more information on JWTAccessTokens, see https://developers.google.com/identity/protocols/OAuth2ServiceAccount#jwt-auth

This TokenSource will only work if the KMS key is linked with a Google Cloud Service Account. To do that, first generate a public/private keypair either directly on KMS (preferred) or using your own CA, then import the privateKey into KMS. If you generate the key outside KMS, you must import the public part into GCP and associate it with the service account: https://cloud.google.com/iam/docs/creating-managing-service-account-keys#uploading

Email (string): The service account to get the token for.
Audience (string): The audience representing the service the token is valid for.
    The audience must match the name of the Service the token is intended for. See
    documentation links above. This field is optional if UseOauthToken
    is true.
    (eg. https://pubsub.googleapis.com/google.pubsub.v1.Publisher)
KeyID (string): The keyID for the ServiceAccount key. This field is optional but recommended if
    UseOauthToken is false.
    Find the keyId associated with the service account by running:
    `gcloud iam service-accounts keys list --iam-account=<email>`
KeyRing (string): The keyRing where the key is saved on KMS
LocationId (string): The location for the keyring
Key (string): Name of the key
ProjectId (string): ProjectID of the KMS keyring.
UseOauthToken (bool): Use oauth2 access_token (true) or JWTAccessToken (false)

func NewIDTokenRPCCredential

func NewIDTokenRPCCredential(ctx context.Context, tokenSource oauth2.TokenSource) (credentials.PerRPCCredentials, error)

NewIDTokenRPCCredential returns a credential object for use with gRPC clients.

func OIDCFederatedTokenSource

func OIDCFederatedTokenSource(tokenConfig *OIDCFederatedTokenConfig) (oauth2.TokenSource, error)

func TpmTokenSource

func TpmTokenSource(tokenConfig *TpmTokenConfig) (oauth2.TokenSource, error)

TpmTokenSource returns a TokenSource for a ServiceAccount where the privateKey is sealed within a Trusted Platform Module (TPM). The TokenSource uses the TPM to sign a JWT representing an AccessTokenCredential.

This TpmTokenSource will only work on platforms where the PrivateKey for the Service Account has already been loaded into the TPM and is available via a Persistent Handle.

https://developers.google.com/identity/protocols/OAuth2ServiceAccount#jwt-auth
https://medium.com/google-cloud/faster-serviceaccount-authentication-for-google-cloud-platform-apis-f1355abc14b2
https://godoc.org/golang.org/x/oauth2/google#JWTAccessTokenSourceFromJSON
https://github.com/tpm2-software/tpm2-tools/wiki/Duplicating-Objects

Tpm (string): The device Handle for the TPM (eg. "/dev/tpm0")
Email (string): The service account to get the token for.
Audience (string): The audience representing the service the token is valid for.
    The audience must match the name of the Service the token is intended for. See
    documentation links above.
    (eg. https://pubsub.googleapis.com/google.pubsub.v1.Publisher)
TpmHandle (uint32): The persistent Handle representing the sealed keypair.
    This must be set prior to using this library. Specify either TpmHandle or KeyHandleFile.
KeyHandleFile (string): The file that holds the handle to the RSA Key to use.
    This file must be generated by go-tpm-tools: a saved context of type `(*tpm2tools.Key).Handle()`.
    Specify either TpmHandle or KeyHandleFile.
KeyId (string): (optional) The private KeyID for the service account key saved to the TPM.
    This field is optional but recommended if UseOauthToken is false.
    Find the keyId associated with the service account by running:
    `gcloud iam service-accounts keys list --iam-account=<email>`
UseOauthToken (bool): Use oauth2 access_token (true) or JWTAccessToken (false)

func VaultTokenSource

func VaultTokenSource(tokenConfig *VaultTokenConfig) (oauth2.TokenSource, error)

VaultTokenSource returns a Google Cloud TokenSource derived from a HashiCorp Vault token.

Use this TokenSource to derive a Google Cloud Credential from a HashiCorp Vault token. You must configure a Vault policy for the VAULT_TOKEN that returns a GCP access_token: https://www.vaultproject.io/docs/secrets/gcp/index.html#access-tokens

VaultToken (string): The VAULT_TOKEN capable of deriving a GCP access_token.
VaultPath (string): Vault gcp secrets policy endpoint. (eg "gcp/token/my-token-roleset")
VaultCAcert (string): The root CA Certificate for the Vault Server's endpoint
VaultAddr (string): Hostname/Address URI for the vault server (https://your_vault.server:8200/)

func VerifyGoogleIDToken

func VerifyGoogleIDToken(ctx context.Context, token string, aud string) (*oidc.IDToken, error)

VerifyGoogleIDToken verifies the IdToken for expiration, signature against Google's certificates,
and the audience it should be issued to; returns false if unverified.

TODO: return struct to allow inspection of the actual claims, not just true/false of the
      signature+expiration+audience

Types

type AccessBoundary

type AccessBoundary struct {
	AccessBoundaryRules []AccessBoundaryRule `json:"accessBoundaryRules"`
}

type AccessBoundaryRule

type AccessBoundaryRule struct {
	AvailableResource     string                `json:"availableResource"`
	AvailablePermissions  []string              `json:"availablePermissions"`
	AvailabilityCondition AvailabilityCondition `json:"availabilityCondition,omitempty"`
}

type AvailabilityCondition

type AvailabilityCondition struct {
	Title      string `json:"title,omitempty"`
	Expression string `json:"expression,omitempty"`
}

type AwsTokenConfig

type AwsTokenConfig struct {
	AwsCredential        awscred.Credentials
	Scope                string
	TargetResource       string
	Region               string
	TargetServiceAccount string
	UseIAMToken          bool
}

type DownScopedTokenConfig

type DownScopedTokenConfig struct {
	RootTokenSource   oauth2.TokenSource
	DownscopedOptions DownscopedOptions
}

type DownScopedTokenResponse

type DownScopedTokenResponse struct {
	AccessToken     string `json:"access_token"`
	IssuedTokenType string `json:"issued_token_type"`
	TokenType       string `json:"token_type"`
	ExpiresIn       int    `json:"expires_in"`
}

type DownscopedOptions

type DownscopedOptions struct {
	AccessBoundary AccessBoundary `json:"accessBoundary"`
}

type ExternalTokenConfig

type ExternalTokenConfig struct {
	Env     []string
	Command string
	Args    []string
	Parser  func([]byte) (ExternalTokenResponse, error)
}

type ExternalTokenResponse

type ExternalTokenResponse struct {
	Token     string `json:"token"`
	TokenType string `json:"token_type,omitempty"`
	ExpiresIn int    `json:"expires_in,omitempty"`
}

https://github.com/golang/oauth2/blob/master/internal/token.go#L33

type GCEExtension

type GCEExtension struct {
	Format       string
	IncludeEmail bool
}

type IAMExtension

type IAMExtension struct {
	IncludeEmail bool
}

type IdTokenConfig

type IdTokenConfig struct {
	Credentials  *google.Credentials
	Audiences    []string
	GCEExtension GCEExtension
	IAMExtension IAMExtension
}

IdTokenConfig holds the parameters used to initialize IdTokenSource.

Audience and Credential fields are both required.

type ImpersonatedTokenConfig

type ImpersonatedTokenConfig struct {
	RootTokenSource oauth2.TokenSource
	TargetPrincipal string
	Lifetime        time.Duration
	Delegates       []string
	TargetScopes    []string
	Subject         string
}

ImpersonatedTokenConfig holds the parameters used to start the Credential impersonation exchange.

type KmsTokenConfig

type KmsTokenConfig struct {
	Email         string
	Audience      string
	ProjectId     string
	LocationId    string
	KeyRing       string
	Key           string
	KeyID         string
	KeyVersion    string
	UseOauthToken bool
}

KmsTokenConfig parameters to start Credential based off of a KMS-based Private Key.

type OIDCFederatedTokenConfig

type OIDCFederatedTokenConfig struct {
	SourceToken          string
	Scope                string
	TargetResource       string
	TargetServiceAccount string
	UseIAMToken          bool
}

type TokenSource

type TokenSource struct {
	oauth2.TokenSource
}

TokenSource here is used to initialize gRPC Credentials (the PerRPCCredentials implementation).

func (TokenSource) GetRequestMetadata

func (ts TokenSource) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error)

GetRequestMetadata gets the request metadata as a map from a TokenSource.

func (TokenSource) RequireTransportSecurity

func (ts TokenSource) RequireTransportSecurity() bool

RequireTransportSecurity indicates whether the credentials require transport security.

type TpmTokenConfig

type TpmTokenConfig struct {
	Tpm, Email, Audience string
	TpmHandle            uint32
	KeyHandleFile        string
	KeyId                string
	UseOauthToken        bool
}

TpmTokenConfig parameters to start Credential based off of TPM RSA Private Key.

type VaultTokenConfig

type VaultTokenConfig struct {
	VaultToken  string
	VaultPath   string
	VaultCAcert string
	VaultAddr   string
}
