Documentation
Functions
func ImpersonatedTokenSource
func ImpersonatedTokenSource(tokenConfig *ImpersonatedTokenConfig) (oauth2.TokenSource, error)
ImpersonatedTokenSource returns a TokenSource issued to a user or service account so that it can impersonate another. The source project using ImpersonatedTokenSource must enable the "IAMCredentials" API. Also, the target service account must grant the originating principal the "Service Account Token Creator" IAM role: https://cloud.google.com/iam/docs/service-accounts#the_service_account_token_creator_role
rootSource (TokenSource): The root TokenSource used to acquire the target identity TokenSource. rootSource *must* include the scope "https://www.googleapis.com/auth/iam" or "https://www.googleapis.com/auth/cloud.platform".
targetPrincipal (string): The service account to impersonate.
targetScopes ([]string): Scopes to request during the authorization grant.
delegates ([]string): The chained list of delegates required to grant the final access_token. If set, each identity in the sequence must have been granted the "Service Account Token Creator" capability by the identity that follows it, so that every identity can create tokens for the next one. For example, if set to [serviceAccountB, serviceAccountC], the source_credential must have the Token Creator role on serviceAccountB. serviceAccountB must have the Token Creator role on serviceAccountC. Finally, C must have Token Creator on target_principal. If left unset, source_credential must have that role on target_principal.
lifetime (time.Duration): Number of seconds the impersonated credential should be valid for (up to 3600).
subject (string): Subject field used for G Suite domain-wide delegation. Specify this field ONLY if you wish to use the Google G Suite Admin SDK and utilize domain-wide delegation with impersonated credentials. https://developers.google.com/admin-sdk/directory/v1/guides/delegation
Note that this is not a standard OAuth flow; rather, it uses the Google Cloud IAMCredentials API to exchange one OAuth token for one issued to an impersonated account. See: https://cloud.google.com/iam/credentials/reference/rest/v1/projects.serviceAccounts/generateAccessToken
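The delegation chain described for delegates, written out as an added example that is not part of this package: RequiredGrants and Preflight are hypothetical helpers, the identities are constructed, and the have map is assumed to hold "Service Account Token Creator" bindings you collected yourself (no Google API is called).

```go
package main

import (
	"fmt"
	"time"
)

// Grant: Member must hold "Service Account Token Creator" on ServiceAccount.
type Grant struct{ Member, ServiceAccount string }

// RequiredGrants walks the chain source -> delegates... -> target and returns
// one grant per hop. With no delegates, the only hop is source -> target.
func RequiredGrants(source string, delegates []string, target string) []Grant {
	chain := append([]string{source}, delegates...)
	chain = append(chain, target)
	grants := make([]Grant, 0, len(chain)-1)
	for i := 0; i+1 < len(chain); i++ {
		grants = append(grants, Grant{chain[i], chain[i+1]})
	}
	return grants
}

// Preflight rejects a lifetime above the documented 3600-second limit and
// reports the first hop whose grant is absent from have (hypothetical input:
// a locally collected set of IAM bindings).
func Preflight(source string, delegates []string, target string,
	lifetime time.Duration, have map[Grant]bool) error {
	if lifetime > 3600*time.Second {
		return fmt.Errorf("lifetime %v exceeds 3600s", lifetime)
	}
	for _, g := range RequiredGrants(source, delegates, target) {
		if !have[g] {
			return fmt.Errorf("%s lacks Token Creator on %s", g.Member, g.ServiceAccount)
		}
	}
	return nil
}

func main() {
	// Constructed sample identities; not real accounts.
	src, b, c := "user:alice@example.com", "sa-b@proj.example", "sa-c@proj.example"
	tgt := "target@proj.example"
	have := map[Grant]bool{{src, b}: true, {b, c}: true} // last hop (c -> target) missing
	fmt.Println(Preflight(src, []string{b, c}, tgt, time.Hour, have))
}
```

Run against an export of your IAM policy bindings, the same walk shows which identities in a chain hold token-minting rights and where a chain is broken before any token request is made.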
Types
type ImpersonatedTokenConfig
type ImpersonatedTokenConfig struct {
	RootTokenSource oauth2.TokenSource
	TargetPrincipal string
	Lifetime        time.Duration
	Delegates       []string
	TargetScopes    []string
	Subject         string
}
ImpersonatedTokenConfig holds the parameters to start a credential impersonation exchange.