google

package
v0.0.0-...-5b30ab4
Warning

This package is not in the latest version of its module.

Published: Nov 25, 2020 License: Apache-2.0 Imports: 12 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func YubiKeyTokenSource

func YubiKeyTokenSource(tokenConfig *YubiKeyTokenConfig) (oauth2.TokenSource, error)

YubiKeyTokenSource returns a TokenSource for a ServiceAccount where the private key is sealed within a YubiKey PIV's Signing Slot (9c). The TokenSource uses the YubiKey to sign a JWT representing an AccessTokenCredential.

This TokenSource will only create a token while a YubiKey holding the private keys for a Service Account is inserted.

https://developers.yubico.com/PIV/Introduction/YubiKey_and_PIV.html
https://developers.google.com/identity/protocols/OAuth2ServiceAccount#jwt-auth
https://medium.com/google-cloud/faster-serviceaccount-authentication-for-google-cloud-platform-apis-f1355abc14b2
https://godoc.org/golang.org/x/oauth2/google#JWTAccessTokenSourceFromJSON

Email (string): The service account to get the token for.
Audience (string): The audience representing the service the token is valid for.
    The audience must match the name of the Service the token is intended for.  See
    documentation links above.
    (e.g. https://pubsub.googleapis.com/google.pubsub.v1.Publisher)
Pin (string): The PIN for the YubiKey.
KeyId (string): (optional) The private KeyID for the service account key saved to the TPM.
    Find the keyId associated with the service account by running:
    `gcloud iam service-accounts keys list --iam-account=<email>`
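
The signing step described above, as an added example that is not this package's own code: it builds the self-signed service-account JWT from Email, KeyId and Audience and signs it through `crypto.Signer`, the interface a hardware-held key is normally reached through. The helper names `signJWT` and `softwareSigner`, the sample email and key ID, and the software RSA key standing in for the key in slot 9c are assumptions; the claim layout follows the Google JWT-auth format linked above.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

// signJWT builds the self-signed service-account JWT (iss = sub = email) and
// signs it through crypto.Signer, so the private key never has to leave the
// device that holds it. Hypothetical helper, not the package's implementation.
func signJWT(s crypto.Signer, email, keyID, audience string, now time.Time) (string, error) {
	enc := base64.RawURLEncoding
	hdr := map[string]string{"alg": "RS256", "typ": "JWT"}
	if keyID != "" { // KeyId is optional in YubiKeyTokenConfig
		hdr["kid"] = keyID
	}
	claims := map[string]interface{}{
		"iss": email, "sub": email, "aud": audience,
		"iat": now.Unix(), "exp": now.Add(time.Hour).Unix(),
	}
	h, _ := json.Marshal(hdr)
	c, _ := json.Marshal(claims)
	signingInput := enc.EncodeToString(h) + "." + enc.EncodeToString(c)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := s.Sign(rand.Reader, digest[:], crypto.SHA256) // RSASSA-PKCS1-v1_5
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// softwareSigner is a constructed stand-in for the RSA key held in PIV slot 9c.
func softwareSigner() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func main() {
	key, err := softwareSigner()
	if err != nil {
		panic(err)
	}
	tok, err := signJWT(key, "sa@example-project.iam.gserviceaccount.com", "constructed-key-id",
		"https://pubsub.googleapis.com/google.pubsub.v1.Publisher", time.Now())
	fmt.Println(tok, err)
}
```

With a real device the only change is the `crypto.Signer` value: the PIN unlocks the slot and the RSA operation runs on the YubiKey, which is why a token can only be minted while the key is inserted.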

Types

type YubiKeyTokenConfig

type YubiKeyTokenConfig struct {
	Email, KeyId, Audience string
	Pin                    string
}

YubiKeyTokenConfig holds the parameters used to create a credential based on a TPM RSA private key.
