Documentation

Overview

Package iamcredentials provides access to the IAM Service Account Credentials API.

For product documentation, see: https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials

Creating a client

Usage example:

import "google.golang.org/api/iamcredentials/v1"
...
ctx := context.Background()
iamcredentialsService, err := iamcredentials.NewService(ctx)

In this example, Google Application Default Credentials are used for authentication.

For information on how to create and obtain Application Default Credentials, see https://developers.google.com/identity/protocols/application-default-credentials.

Other authentication options

To use an API key for authentication (note: some APIs do not support API keys), use option.WithAPIKey:

iamcredentialsService, err := iamcredentials.NewService(ctx, option.WithAPIKey("AIza..."))

To use an OAuth token (e.g., a user token obtained via a three-legged OAuth flow), use option.WithTokenSource:

config := &oauth2.Config{...}
// ...
token, err := config.Exchange(ctx, ...)
iamcredentialsService, err := iamcredentials.NewService(ctx, option.WithTokenSource(config.TokenSource(ctx, token)))

See https://godoc.org/google.golang.org/api/option/ for details on options.

Constants

const (
	// View and manage your data across Google Cloud Platform services
	CloudPlatformScope = "https://www.googleapis.com/auth/cloud-platform"
)

    OAuth2 scopes used by this API.

    Types

    type GenerateAccessTokenRequest

    type GenerateAccessTokenRequest struct {
    	// Delegates: The sequence of service accounts in a delegation chain.
    	// Each service account must be granted the
    	// `roles/iam.serviceAccountTokenCreator` role on its next service
    	// account in the chain. The last service account in the chain must be
    	// granted the `roles/iam.serviceAccountTokenCreator` role on the
    	// service account that is specified in the `name` field of the request.
    	// The delegates must have the following format:
    	// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-`
    	// wildcard character is required; replacing it with a project ID is
    	// invalid.
    	Delegates []string `json:"delegates,omitempty"`
    
    	// Lifetime: The desired lifetime duration of the access token in
    	// seconds. By default, the maximum allowed value is 1 hour. To set a
    	// lifetime of up to 12 hours, you can add the service account as an
    	// allowed value in an Organization Policy that enforces the
    	// `constraints/iam.allowServiceAccountCredentialLifetimeExtension`
    	// constraint. See detailed instructions at
    	// https://cloud.google.com/iam/help/credentials/lifetime. If a value is
    	// not specified, the token's lifetime will be set to a default value of
    	// 1 hour.
    	Lifetime string `json:"lifetime,omitempty"`
    
    	// Scope: Required. Code to identify the scopes to be included in the
    	// OAuth 2.0 access token. See
    	// https://developers.google.com/identity/protocols/googlescopes for
    	// more information. At least one value required.
    	Scope []string `json:"scope,omitempty"`
    
    	// ForceSendFields is a list of field names (e.g. "Delegates") to
    	// unconditionally include in API requests. By default, fields with
    	// empty values are omitted from API requests. However, any non-pointer,
    	// non-interface field appearing in ForceSendFields will be sent to the
    	// server regardless of whether the field is empty or not. This may be
    	// used to include empty fields in Patch requests.
    	ForceSendFields []string `json:"-"`
    
    	// NullFields is a list of field names (e.g. "Delegates") to include in
    	// API requests with the JSON null value. By default, fields with empty
    	// values are omitted from API requests. However, any field with an
    	// empty value appearing in NullFields will be sent to the server as
    	// null. It is an error if a field in this list has a non-empty value.
    	// This may be used to include null fields in Patch requests.
    	NullFields []string `json:"-"`
    }

    func (*GenerateAccessTokenRequest) MarshalJSON

    func (s *GenerateAccessTokenRequest) MarshalJSON() ([]byte, error)
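A pre-flight check for the constraints documented on GenerateAccessTokenRequest, given here as an added example and not as code from the package. TokenRequestParams, CheckDelegate, ParseLifetime and Validate are hypothetical names; the "3600s" string form of Lifetime and the rejection of a zero lifetime are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// Limits taken from the Lifetime field documentation.
const (
	defaultMaxLifetime  = 1 * time.Hour
	extendedMaxLifetime = 12 * time.Hour
)

// lifetimeRE matches the assumed "<seconds>s" duration form, e.g. "3600s".
var lifetimeRE = regexp.MustCompile(`^\d{1,6}(\.\d{1,9})?s$`)

// TokenRequestParams is a hypothetical stand-in for the documented fields of
// GenerateAccessTokenRequest, so the checks run without the client library.
type TokenRequestParams struct {
	Delegates []string
	Lifetime  string
	Scope     []string
}

// CheckDelegate enforces projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}.
func CheckDelegate(d string) error {
	parts := strings.Split(d, "/")
	if len(parts) != 4 || parts[0] != "projects" || parts[2] != "serviceAccounts" || parts[3] == "" {
		return fmt.Errorf("delegate %q: want projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}", d)
	}
	if parts[1] != "-" {
		return fmt.Errorf("delegate %q: project segment must be the \"-\" wildcard, got %q", d, parts[1])
	}
	return nil
}

// ParseLifetime converts "<seconds>s" into a time.Duration.
func ParseLifetime(s string) (time.Duration, error) {
	if !lifetimeRE.MatchString(s) {
		return 0, fmt.Errorf("lifetime %q: want seconds with an \"s\" suffix, e.g. \"3600s\"", s)
	}
	secs, err := strconv.ParseFloat(strings.TrimSuffix(s, "s"), 64)
	if err != nil {
		return 0, fmt.Errorf("lifetime %q: %v", s, err)
	}
	return time.Duration(secs * float64(time.Second)), nil
}

// Validate returns every problem found; an empty result means the request
// meets the documented constraints. extended is true only when the
// constraints/iam.allowServiceAccountCredentialLifetimeExtension organization
// policy lists the target service account.
func (p TokenRequestParams) Validate(extended bool) []error {
	var problems []error
	for _, d := range p.Delegates {
		if err := CheckDelegate(d); err != nil {
			problems = append(problems, err)
		}
	}
	if len(p.Scope) == 0 {
		problems = append(problems, fmt.Errorf("scope: at least one value is required"))
	}
	for i, s := range p.Scope {
		if strings.TrimSpace(s) == "" {
			problems = append(problems, fmt.Errorf("scope[%d] is empty", i))
		}
	}
	if p.Lifetime != "" { // empty means the 1 hour default applies
		limit := defaultMaxLifetime
		if extended {
			limit = extendedMaxLifetime
		}
		d, err := ParseLifetime(p.Lifetime)
		switch {
		case err != nil:
			problems = append(problems, err)
		case d <= 0: // assumption: a zero lifetime is a caller mistake
			problems = append(problems, fmt.Errorf("lifetime %q must be positive", p.Lifetime))
		case d > limit:
			problems = append(problems, fmt.Errorf("lifetime %s exceeds the %s limit", d, limit))
		}
	}
	return problems
}

func main() {
	// Constructed sample: the second delegate names a project ID instead of
	// the "-" wildcard, and the lifetime exceeds the default 1 hour limit.
	req := TokenRequestParams{
		Delegates: []string{
			"projects/-/serviceAccounts/sa-a@example-project.iam.gserviceaccount.com",
			"projects/example-project/serviceAccounts/sa-b@example-project.iam.gserviceaccount.com",
		},
		Lifetime: "7200s",
		Scope:    []string{"https://www.googleapis.com/auth/cloud-platform"},
	}
	for _, err := range req.Validate(false) {
		fmt.Println("reject:", err)
	}
}
```

Running the check before the API call keeps a malformed delegation chain or an over-long lifetime out of the request, and gives a local error message instead of a rejected call.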

    type GenerateAccessTokenResponse

    type GenerateAccessTokenResponse struct {
    	// AccessToken: The OAuth 2.0 access token.
    	AccessToken string `json:"accessToken,omitempty"`
    
    	// ExpireTime: Token expiration time. The expiration time is always set.
    	ExpireTime string `json:"expireTime,omitempty"`
    
    	// ServerResponse contains the HTTP response code and headers from the
    	// server.
    	googleapi.ServerResponse `json:"-"`
    
    	// ForceSendFields is a list of field names (e.g. "AccessToken") to
    	// unconditionally include in API requests. By default, fields with
    	// empty values are omitted from API requests. However, any non-pointer,
    	// non-interface field appearing in ForceSendFields will be sent to the
    	// server regardless of whether the field is empty or not. This may be
    	// used to include empty fields in Patch requests.
    	ForceSendFields []string `json:"-"`
    
    	// NullFields is a list of field names (e.g. "AccessToken") to include
    	// in API requests with the JSON null value. By default, fields with
    	// empty values are omitted from API requests. However, any field with
    	// an empty value appearing in NullFields will be sent to the server as
    	// null. It is an error if a field in this list has a non-empty value.
    	// This may be used to include null fields in Patch requests.
    	NullFields []string `json:"-"`
    }

    func (*GenerateAccessTokenResponse) MarshalJSON

    func (s *GenerateAccessTokenResponse) MarshalJSON() ([]byte, error)

    type GenerateIdTokenRequest

    type GenerateIdTokenRequest struct {
    	// Audience: Required. The audience for the token, such as the API or
    	// account that this token grants access to.
    	Audience string `json:"audience,omitempty"`
    
    	// Delegates: The sequence of service accounts in a delegation chain.
    	// Each service account must be granted the
    	// `roles/iam.serviceAccountTokenCreator` role on its next service
    	// account in the chain. The last service account in the chain must be
    	// granted the `roles/iam.serviceAccountTokenCreator` role on the
    	// service account that is specified in the `name` field of the request.
    	// The delegates must have the following format:
    	// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-`
    	// wildcard character is required; replacing it with a project ID is
    	// invalid.
    	Delegates []string `json:"delegates,omitempty"`
    
    	// IncludeEmail: Include the service account email in the token. If set
    	// to `true`, the token will contain `email` and `email_verified`
    	// claims.
    	IncludeEmail bool `json:"includeEmail,omitempty"`
    
    	// ForceSendFields is a list of field names (e.g. "Audience") to
    	// unconditionally include in API requests. By default, fields with
    	// empty values are omitted from API requests. However, any non-pointer,
    	// non-interface field appearing in ForceSendFields will be sent to the
    	// server regardless of whether the field is empty or not. This may be
    	// used to include empty fields in Patch requests.
    	ForceSendFields []string `json:"-"`
    
    	// NullFields is a list of field names (e.g. "Audience") to include in
    	// API requests with the JSON null value. By default, fields with empty
    	// values are omitted from API requests. However, any field with an
    	// empty value appearing in NullFields will be sent to the server as
    	// null. It is an error if a field in this list has a non-empty value.
    	// This may be used to include null fields in Patch requests.
    	NullFields []string `json:"-"`
    }

    func (*GenerateIdTokenRequest) MarshalJSON

    func (s *GenerateIdTokenRequest) MarshalJSON() ([]byte, error)

    type GenerateIdTokenResponse

    type GenerateIdTokenResponse struct {
    	// Token: The OpenID Connect ID token.
    	Token string `json:"token,omitempty"`
    
    	// ServerResponse contains the HTTP response code and headers from the
    	// server.
    	googleapi.ServerResponse `json:"-"`
    
    	// ForceSendFields is a list of field names (e.g. "Token") to
    	// unconditionally include in API requests. By default, fields with
    	// empty values are omitted from API requests. However, any non-pointer,
    	// non-interface field appearing in ForceSendFields will be sent to the
    	// server regardless of whether the field is empty or not. This may be
    	// used to include empty fields in Patch requests.
    	ForceSendFields []string `json:"-"`
    
    	// NullFields is a list of field names (e.g. "Token") to include in API
    	// requests with the JSON null value. By default, fields with empty
    	// values are omitted from API requests. However, any field with an
    	// empty value appearing in NullFields will be sent to the server as
    	// null. It is an error if a field in this list has a non-empty value.
    	// This may be used to include null fields in Patch requests.
    	NullFields []string `json:"-"`
    }

    func (*GenerateIdTokenResponse) MarshalJSON

    func (s *GenerateIdTokenResponse) MarshalJSON() ([]byte, error)

    type ProjectsService

    type ProjectsService struct {
    	ServiceAccounts *ProjectsServiceAccountsService
    	// contains filtered or unexported fields
    }

    func NewProjectsService

    func NewProjectsService(s *Service) *ProjectsService

    type ProjectsServiceAccountsGenerateAccessTokenCall

    type ProjectsServiceAccountsGenerateAccessTokenCall struct {
    	// contains filtered or unexported fields
    }

    func (*ProjectsServiceAccountsGenerateAccessTokenCall) Context

      Context sets the context to be used in this call's Do method. Any pending HTTP request will be aborted if the provided context is canceled.

    func (*ProjectsServiceAccountsGenerateAccessTokenCall) Do

      Do executes the "iamcredentials.projects.serviceAccounts.generateAccessToken" call. Exactly one of *GenerateAccessTokenResponse or error will be non-nil. Any non-2xx status code is an error. Response headers are in either *GenerateAccessTokenResponse.ServerResponse.Header or (if a response was returned at all) in error.(*googleapi.Error).Header. Use googleapi.IsNotModified to check whether the returned error was because http.StatusNotModified was returned.

    func (*ProjectsServiceAccountsGenerateAccessTokenCall) Fields

      Fields allows partial responses to be retrieved. See https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more information.

    func (*ProjectsServiceAccountsGenerateAccessTokenCall) Header

      Header returns an http.Header that can be modified by the caller to add HTTP headers to the request.

    type ProjectsServiceAccountsGenerateIdTokenCall

    type ProjectsServiceAccountsGenerateIdTokenCall struct {
    	// contains filtered or unexported fields
    }

    func (*ProjectsServiceAccountsGenerateIdTokenCall) Context

      Context sets the context to be used in this call's Do method. Any pending HTTP request will be aborted if the provided context is canceled.

    func (*ProjectsServiceAccountsGenerateIdTokenCall) Do

      Do executes the "iamcredentials.projects.serviceAccounts.generateIdToken" call. Exactly one of *GenerateIdTokenResponse or error will be non-nil. Any non-2xx status code is an error. Response headers are in either *GenerateIdTokenResponse.ServerResponse.Header or (if a response was returned at all) in error.(*googleapi.Error).Header. Use googleapi.IsNotModified to check whether the returned error was because http.StatusNotModified was returned.

    func (*ProjectsServiceAccountsGenerateIdTokenCall) Fields

      Fields allows partial responses to be retrieved. See https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more information.

    func (*ProjectsServiceAccountsGenerateIdTokenCall) Header

      Header returns an http.Header that can be modified by the caller to add HTTP headers to the request.

    type ProjectsServiceAccountsService

    type ProjectsServiceAccountsService struct {
    	// contains filtered or unexported fields
    }

    func NewProjectsServiceAccountsService

    func NewProjectsServiceAccountsService(s *Service) *ProjectsServiceAccountsService

    func (*ProjectsServiceAccountsService) GenerateAccessToken

      GenerateAccessToken: Generates an OAuth 2.0 access token for a service account.

    func (*ProjectsServiceAccountsService) GenerateIdToken

      GenerateIdToken: Generates an OpenID Connect ID token for a service account.

    func (*ProjectsServiceAccountsService) SignBlob

      SignBlob: Signs a blob using a service account's system-managed private key.

    func (*ProjectsServiceAccountsService) SignJwt

      SignJwt: Signs a JWT using a service account's system-managed private key.

    type ProjectsServiceAccountsSignBlobCall

    type ProjectsServiceAccountsSignBlobCall struct {
    	// contains filtered or unexported fields
    }

    func (*ProjectsServiceAccountsSignBlobCall) Context

      Context sets the context to be used in this call's Do method. Any pending HTTP request will be aborted if the provided context is canceled.

    func (*ProjectsServiceAccountsSignBlobCall) Do

      Do executes the "iamcredentials.projects.serviceAccounts.signBlob" call. Exactly one of *SignBlobResponse or error will be non-nil. Any non-2xx status code is an error. Response headers are in either *SignBlobResponse.ServerResponse.Header or (if a response was returned at all) in error.(*googleapi.Error).Header. Use googleapi.IsNotModified to check whether the returned error was because http.StatusNotModified was returned.

    func (*ProjectsServiceAccountsSignBlobCall) Fields

      Fields allows partial responses to be retrieved. See https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more information.

    func (*ProjectsServiceAccountsSignBlobCall) Header

      Header returns an http.Header that can be modified by the caller to add HTTP headers to the request.

    type ProjectsServiceAccountsSignJwtCall

    type ProjectsServiceAccountsSignJwtCall struct {
    	// contains filtered or unexported fields
    }

    func (*ProjectsServiceAccountsSignJwtCall) Context

      Context sets the context to be used in this call's Do method. Any pending HTTP request will be aborted if the provided context is canceled.

    func (*ProjectsServiceAccountsSignJwtCall) Do

      Do executes the "iamcredentials.projects.serviceAccounts.signJwt" call. Exactly one of *SignJwtResponse or error will be non-nil. Any non-2xx status code is an error. Response headers are in either *SignJwtResponse.ServerResponse.Header or (if a response was returned at all) in error.(*googleapi.Error).Header. Use googleapi.IsNotModified to check whether the returned error was because http.StatusNotModified was returned.

    func (*ProjectsServiceAccountsSignJwtCall) Fields

      Fields allows partial responses to be retrieved. See https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more information.

    func (*ProjectsServiceAccountsSignJwtCall) Header

      Header returns an http.Header that can be modified by the caller to add HTTP headers to the request.

    type Service

    type Service struct {
    	BasePath  string // API endpoint base URL
    	UserAgent string // optional additional User-Agent fragment

    	Projects *ProjectsService
    	// contains filtered or unexported fields
    }

    func New

    func New(client *http.Client) (*Service, error)

      New creates a new Service. It uses the provided http.Client for requests.

      Deprecated: please use NewService instead. To provide a custom HTTP client, use option.WithHTTPClient. If you are using google.golang.org/api/googleapis/transport.APIKey, use option.WithAPIKey with NewService instead.

    func NewService

    func NewService(ctx context.Context, opts ...option.ClientOption) (*Service, error)

      NewService creates a new Service.

    type SignBlobRequest

    type SignBlobRequest struct {
    	// Delegates: The sequence of service accounts in a delegation chain.
    	// Each service account must be granted the
    	// `roles/iam.serviceAccountTokenCreator` role on its next service
    	// account in the chain. The last service account in the chain must be
    	// granted the `roles/iam.serviceAccountTokenCreator` role on the
    	// service account that is specified in the `name` field of the request.
    	// The delegates must have the following format:
    	// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-`
    	// wildcard character is required; replacing it with a project ID is
    	// invalid.
    	Delegates []string `json:"delegates,omitempty"`

    	// Payload: Required. The bytes to sign.
    	Payload string `json:"payload,omitempty"`

    	// ForceSendFields is a list of field names (e.g. "Delegates") to
    	// unconditionally include in API requests. By default, fields with
    	// empty values are omitted from API requests. However, any non-pointer,
    	// non-interface field appearing in ForceSendFields will be sent to the
    	// server regardless of whether the field is empty or not. This may be
    	// used to include empty fields in Patch requests.
    	ForceSendFields []string `json:"-"`

    	// NullFields is a list of field names (e.g. "Delegates") to include in
    	// API requests with the JSON null value. By default, fields with empty
    	// values are omitted from API requests. However, any field with an
    	// empty value appearing in NullFields will be sent to the server as
    	// null. It is an error if a field in this list has a non-empty value.
    	// This may be used to include null fields in Patch requests.
    	NullFields []string `json:"-"`
    }

    func (*SignBlobRequest) MarshalJSON

    func (s *SignBlobRequest) MarshalJSON() ([]byte, error)

    type SignBlobResponse

    type SignBlobResponse struct {
    	// KeyId: The ID of the key used to sign the blob. The key used for
    	// signing will remain valid for at least 12 hours after the blob is
    	// signed. To verify the signature, you can retrieve the public key in
    	// several formats from the following endpoints:
    	// - RSA public key wrapped in an X.509 v3 certificate:
    	//   `https://www.googleapis.com/service_accounts/v1/metadata/x509/{ACCOUNT_EMAIL}`
    	// - Raw key in JSON format:
    	//   `https://www.googleapis.com/service_accounts/v1/metadata/raw/{ACCOUNT_EMAIL}`
    	// - JSON Web Key (JWK):
    	//   `https://www.googleapis.com/service_accounts/v1/metadata/jwk/{ACCOUNT_EMAIL}`
    	KeyId string `json:"keyId,omitempty"`

    	// SignedBlob: The signature for the blob. Does not include the original
    	// blob. After the key pair referenced by the `key_id` response field
    	// expires, Google no longer exposes the public key that can be used to
    	// verify the blob. As a result, the receiver can no longer verify the
    	// signature.
    	SignedBlob string `json:"signedBlob,omitempty"`

    	// ServerResponse contains the HTTP response code and headers from the
    	// server.
    	googleapi.ServerResponse `json:"-"`

    	// ForceSendFields is a list of field names (e.g. "KeyId") to
    	// unconditionally include in API requests. By default, fields with
    	// empty values are omitted from API requests. However, any non-pointer,
    	// non-interface field appearing in ForceSendFields will be sent to the
    	// server regardless of whether the field is empty or not. This may be
    	// used to include empty fields in Patch requests.
    	ForceSendFields []string `json:"-"`

    	// NullFields is a list of field names (e.g. "KeyId") to include in API
    	// requests with the JSON null value. By default, fields with empty
    	// values are omitted from API requests. However, any field with an
    	// empty value appearing in NullFields will be sent to the server as
    	// null. It is an error if a field in this list has a non-empty value.
    	// This may be used to include null fields in Patch requests.
    	NullFields []string `json:"-"`
    }

    func (*SignBlobResponse) MarshalJSON

    func (s *SignBlobResponse) MarshalJSON() ([]byte, error)

    type SignJwtRequest

    type SignJwtRequest struct {
    	// Delegates: The sequence of service accounts in a delegation chain.
    	// Each service account must be granted the
    	// `roles/iam.serviceAccountTokenCreator` role on its next service
    	// account in the chain. The last service account in the chain must be
    	// granted the `roles/iam.serviceAccountTokenCreator` role on the
    	// service account that is specified in the `name` field of the request.
    	// The delegates must have the following format:
    	// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-`
    	// wildcard character is required; replacing it with a project ID is
    	// invalid.
    	Delegates []string `json:"delegates,omitempty"`

    	// Payload: Required. The JWT payload to sign. Must be a serialized JSON
    	// object that contains a JWT Claims Set. For example: `{"sub":
    	// "user@example.com", "iat": 313435}`. If the JWT Claims Set contains an
    	// expiration time (`exp`) claim, it must be an integer timestamp that
    	// is not in the past and no more than 12 hours in the future.
    	Payload string `json:"payload,omitempty"`

    	// ForceSendFields is a list of field names (e.g. "Delegates") to
    	// unconditionally include in API requests. By default, fields with
    	// empty values are omitted from API requests. However, any non-pointer,
    	// non-interface field appearing in ForceSendFields will be sent to the
    	// server regardless of whether the field is empty or not. This may be
    	// used to include empty fields in Patch requests.
    	ForceSendFields []string `json:"-"`

    	// NullFields is a list of field names (e.g. "Delegates") to include in
    	// API requests with the JSON null value. By default, fields with empty
    	// values are omitted from API requests. However, any field with an
    	// empty value appearing in NullFields will be sent to the server as
    	// null. It is an error if a field in this list has a non-empty value.
    	// This may be used to include null fields in Patch requests.
    	NullFields []string `json:"-"`
    }

    func (*SignJwtRequest) MarshalJSON

    func (s *SignJwtRequest) MarshalJSON() ([]byte, error)
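The Payload rules documented on SignJwtRequest, checked locally before signing. This is an added example, not code from the package: CheckSignJwtPayload, NewPayload and the Err* values are hypothetical names, and the timestamps are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
	"time"
)

// maxExpAhead is the furthest an exp claim may lie in the future.
const maxExpAhead = 12 * time.Hour

var (
	ErrNotObject = errors.New("payload must be a single serialized JSON object")
	ErrExpType   = errors.New("exp must be an integer timestamp")
	ErrExpPast   = errors.New("exp is in the past")
	ErrExpTooFar = errors.New("exp is more than 12 hours in the future")
)

// CheckSignJwtPayload validates a SignJwtRequest.Payload string against the
// documented constraints, evaluated at the caller-supplied time now.
func CheckSignJwtPayload(payload string, now time.Time) error {
	dec := json.NewDecoder(strings.NewReader(payload))
	dec.UseNumber() // keep exp as written so 1.7e9 or 1700003600.5 are caught
	var claims map[string]interface{}
	if err := dec.Decode(&claims); err != nil || claims == nil {
		return ErrNotObject // arrays, strings, null and syntax errors
	}
	var trailing json.RawMessage
	if err := dec.Decode(&trailing); err != io.EOF {
		return ErrNotObject // anything after the first object
	}
	raw, present := claims["exp"]
	if !present {
		return nil // the rule applies only if the claims set contains exp
	}
	num, ok := raw.(json.Number)
	if !ok {
		return ErrExpType // e.g. a quoted string
	}
	exp, err := num.Int64()
	if err != nil {
		return ErrExpType // fractional or exponent notation
	}
	switch {
	case exp < now.Unix():
		return ErrExpPast
	case exp > now.Add(maxExpAhead).Unix():
		return ErrExpTooFar
	}
	return nil
}

// NewPayload serializes a claims set with sub, iat and exp, then runs the
// same check so an out-of-range ttl is reported before any API call.
func NewPayload(sub string, now time.Time, ttl time.Duration) (string, error) {
	claims := map[string]interface{}{
		"sub": sub,
		"iat": now.Unix(),
		"exp": now.Add(ttl).Unix(),
	}
	b, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	return string(b), CheckSignJwtPayload(string(b), now)
}

func main() {
	now := time.Unix(1700000000, 0) // constructed reference time
	samples := []string{            // constructed payloads
		`{"sub": "user@example.com", "iat": 313435}`,
		`{"sub": "user@example.com", "exp": 1700003600}`,
		`{"sub": "user@example.com", "exp": 1699999999}`,
		`{"sub": "user@example.com", "exp": 1700043201}`,
		`{"sub": "user@example.com", "exp": "1700003600"}`,
	}
	for _, s := range samples {
		fmt.Printf("%-52s -> %v\n", s, CheckSignJwtPayload(s, now))
	}
}
```

Keeping `exp` short also limits how long a leaked signed JWT stays usable; the 12 hour bound is the ceiling, not a recommended value.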

    type SignJwtResponse

    type SignJwtResponse struct {
    	// KeyId: The ID of the key used to sign the JWT. The key used for
    	// signing will remain valid for at least 12 hours after the JWT is
    	// signed. To verify the signature, you can retrieve the public key in
    	// several formats from the following endpoints:
    	// - RSA public key wrapped in an X.509 v3 certificate:
    	//   `https://www.googleapis.com/service_accounts/v1/metadata/x509/{ACCOUNT_EMAIL}`
    	// - Raw key in JSON format:
    	//   `https://www.googleapis.com/service_accounts/v1/metadata/raw/{ACCOUNT_EMAIL}`
    	// - JSON Web Key (JWK):
    	//   `https://www.googleapis.com/service_accounts/v1/metadata/jwk/{ACCOUNT_EMAIL}`
    	KeyId string `json:"keyId,omitempty"`

    	// SignedJwt: The signed JWT. Contains the automatically generated
    	// header; the client-supplied payload; and the signature, which is
    	// generated using the key referenced by the `kid` field in the header.
    	// After the key pair referenced by the `key_id` response field expires,
    	// Google no longer exposes the public key that can be used to verify
    	// the JWT. As a result, the receiver can no longer verify the
    	// signature.
    	SignedJwt string `json:"signedJwt,omitempty"`

    	// ServerResponse contains the HTTP response code and headers from the
    	// server.
    	googleapi.ServerResponse `json:"-"`

    	// ForceSendFields is a list of field names (e.g. "KeyId") to
    	// unconditionally include in API requests. By default, fields with
    	// empty values are omitted from API requests. However, any non-pointer,
    	// non-interface field appearing in ForceSendFields will be sent to the
    	// server regardless of whether the field is empty or not. This may be
    	// used to include empty fields in Patch requests.
    	ForceSendFields []string `json:"-"`

    	// NullFields is a list of field names (e.g. "KeyId") to include in API
    	// requests with the JSON null value. By default, fields with empty
    	// values are omitted from API requests. However, any field with an
    	// empty value appearing in NullFields will be sent to the server as
    	// null. It is an error if a field in this list has a non-empty value.
    	// This may be used to include null fields in Patch requests.
    	NullFields []string `json:"-"`
    }

    func (*SignJwtResponse) MarshalJSON

    func (s *SignJwtResponse) MarshalJSON() ([]byte, error)