Documentation

Overview

Package sts provides access to the Security Token Service API.

For product documentation, see: http://cloud.google.com/iam/docs/workload-identity-federation

Creating a client

Usage example:

import "google.golang.org/api/sts/v1beta"
...
ctx := context.Background()
stsService, err := sts.NewService(ctx)

In this example, Google Application Default Credentials are used for authentication.

For information on how to create and obtain Application Default Credentials, see https://developers.google.com/identity/protocols/application-default-credentials.

Other authentication options

To use an API key for authentication (note: some APIs do not support API keys), use option.WithAPIKey:

stsService, err := sts.NewService(ctx, option.WithAPIKey("AIza..."))

To use an OAuth token (e.g., a user token obtained via a three-legged OAuth flow), use option.WithTokenSource:

config := &oauth2.Config{...}
// ...
token, err := config.Exchange(ctx, ...)
stsService, err := sts.NewService(ctx, option.WithTokenSource(config.TokenSource(ctx, token)))

See https://godoc.org/google.golang.org/api/option/ for details on options.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type GoogleIdentityStsV1betaExchangeTokenRequest

type GoogleIdentityStsV1betaExchangeTokenRequest struct {
	// Audience: The full resource name of the identity provider. For
	// example,
	// `//iam.googleapis.com/projects//workloadIdentityPools//providers/`.
	// Required when exchanging an external credential for a Google access
	// token.
	Audience string `json:"audience,omitempty"`

	// GrantType: Required. The grant type. Must be
	// `urn:ietf:params:oauth:grant-type:token-exchange`, which indicates a
	// token exchange.
	GrantType string `json:"grantType,omitempty"`

	// Options: A set of features that Security Token Service supports, in
	// addition to the standard OAuth 2.0 token exchange, formatted as a
	// serialized JSON object of Options.
	Options string `json:"options,omitempty"`

	// RequestedTokenType: Required. The type of security token. Must be
	// `urn:ietf:params:oauth:token-type:access_token`, which indicates an
	// OAuth 2.0 access token.
	RequestedTokenType string `json:"requestedTokenType,omitempty"`

	// Scope: The OAuth 2.0 scopes to include on the resulting access token,
	// formatted as a list of space-delimited, case-sensitive strings.
	// Required when exchanging an external credential for a Google access
	// token.
	Scope string `json:"scope,omitempty"`

	// SubjectToken: Required. The input token. This token is a either an
	// external credential issued by a workload identity pool provider, or a
	// short-lived access token issued by Google. If the token is an OIDC
	// JWT, it must use the JWT format defined in RFC 7523
	// (https://tools.ietf.org/html/rfc7523), and the `subject_token_type`
	// must be `urn:ietf:params:oauth:token-type:jwt`. The following headers
	// are required: - `kid`: The identifier of the signing key securing the
	// JWT. - `alg`: The cryptographic algorithm securing the JWT. Must be
	// `RS256`. The following payload fields are required. For more
	// information, see RFC 7523, Section 3
	// (https://tools.ietf.org/html/rfc7523#section-3): - `iss`: The issuer
	// of the token. The issuer must provide a discovery document at the URL
	// `/.well-known/openid-configuration`, where “ is the value of this
	// field. The document must be formatted according to section 4.2 of the
	// OIDC 1.0 Discovery specification
	// (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
	// - `iat`: The issue time, in seconds, since the Unix epoch. Must be in
	// the past. - `exp`: The expiration time, in seconds, since the Unix
	// epoch. Must be less than 48 hours after `iat`. Shorter expiration
	// times are more secure. If possible, we recommend setting an
	// expiration time less than 6 hours. - `sub`: The identity asserted in
	// the JWT. - `aud`: Configured by the mapper policy. The default value
	// is the service account's unique ID. Example header: “` { "alg":
	// "RS256", "kid": "us-east-11" } “` Example payload: “` { "iss":
	// "https://accounts.google.com", "iat": 1517963104, "exp": 1517966704,
	// "aud": "113475438248934895348", "sub": "113475438248934895348",
	// "my_claims": { "additional_claim": "value" } } “` If `subject_token`
	// is for AWS, it must be a serialized `GetCallerIdentity` token. This
	// token contains the same information as a request to the AWS
	// `GetCallerIdentity()`
	// (https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity)
	// method, as well as the AWS signature
	// (https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html)
	// for the request information. Use Signature Version 4. Format the
	// request as URL-encoded JSON, and set the `subject_token_type`
	// parameter to `urn:ietf:params:aws:token-type:aws4_request`. The
	// following parameters are required: - `url`: The URL of the AWS STS
	// endpoint for `GetCallerIdentity()`, such as
	// `https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15
	// `. Regional endpoints are also supported. - `method`: The HTTP
	// request method: `POST`. - `headers`: The HTTP request headers, which
	// must include: - `Authorization`: The request signature. -
	// `x-amz-date`: The time you will send the request, formatted as an
	// ISO8601 Basic
	// (https://docs.aws.amazon.com/general/latest/gr/sigv4_elements.html#sigv4_elements_date)
	// string. This value is typically set to the current time and is used
	// to help prevent replay attacks. - `host`: The hostname of the `url`
	// field; for example, `sts.amazonaws.com`. -
	// `x-goog-cloud-target-resource`: The full, canonical resource name of
	// the workload identity pool provider, with or without an `https:`
	// prefix. To help ensure data integrity, we recommend including this
	// header in the `SignedHeaders` field of the signed request. For
	// example:
	// //iam.googleapis.com/projects//locations//workloadIdentityPools//provi
	// ders/
	// https://iam.googleapis.com/projects//locations//workloadIdentityPools//providers/
	// If you are using temporary security credentials provided by AWS, you
	// must also include the header `x-amz-security-token`, with the value
	// set to the session token. The following example shows a
	// `GetCallerIdentity` token: “` { "headers": [ {"key": "x-amz-date",
	// "value": "20200815T015049Z"}, {"key": "Authorization", "value":
	// "AWS4-HMAC-SHA256+Credential=$credential,+SignedHeaders=host;x-amz-dat
	// e;x-goog-cloud-target-resource,+Signature=$signature"}, {"key":
	// "x-goog-cloud-target-resource", "value":
	// "//iam.googleapis.com/projects//locations//workloadIdentityPools//prov
	// iders/"}, {"key": "host", "value": "sts.amazonaws.com"} . ],
	// "method": "POST", "url":
	// "https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15
	// " } “` You can also use a Google-issued OAuth 2.0 access token with
	// this field to obtain an access token with new security attributes
	// applied, such as a Credential Access Boundary. In this case, set
	// `subject_token_type` to
	// `urn:ietf:params:oauth:token-type:access_token`. If an access token
	// already contains security attributes, you cannot apply additional
	// security attributes.
	SubjectToken string `json:"subjectToken,omitempty"`

	// SubjectTokenType: Required. An identifier that indicates the type of
	// the security token in the `subject_token` parameter. Supported values
	// are `urn:ietf:params:oauth:token-type:jwt`,
	// `urn:ietf:params:aws:token-type:aws4_request`, and
	// `urn:ietf:params:oauth:token-type:access_token`.
	SubjectTokenType string `json:"subjectTokenType,omitempty"`

	// ForceSendFields is a list of field names (e.g. "Audience") to
	// unconditionally include in API requests. By default, fields with
	// empty values are omitted from API requests. However, any non-pointer,
	// non-interface field appearing in ForceSendFields will be sent to the
	// server regardless of whether the field is empty or not. This may be
	// used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "Audience") to include in
	// API requests with the JSON null value. By default, fields with empty
	// values are omitted from API requests. However, any field with an
	// empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}

    GoogleIdentityStsV1betaExchangeTokenRequest: Request message for ExchangeToken.

    func (*GoogleIdentityStsV1betaExchangeTokenRequest) MarshalJSON

    type GoogleIdentityStsV1betaExchangeTokenResponse

    type GoogleIdentityStsV1betaExchangeTokenResponse struct {
    	// AccessToken: An OAuth 2.0 security token, issued by Google, in
    	// response to the token exchange request. Tokens can vary in size,
    	// depending in part on the size of mapped claims, up to a maximum of
    	// 12288 bytes (12 KB). Google reserves the right to change the token
    	// size and the maximum length at any time.
    	AccessToken string `json:"access_token,omitempty"`
    
    	// ExpiresIn: The amount of time, in seconds, between the time when the
    	// access token was issued and the time when the access token will
    	// expire. This field is absent when the `subject_token` in the request
    	// is a Google-issued, short-lived access token. In this case, the
    	// access token has the same expiration time as the `subject_token`.
    	ExpiresIn int64 `json:"expires_in,omitempty"`
    
    	// IssuedTokenType: The token type. Always matches the value of
    	// `requested_token_type` from the request.
    	IssuedTokenType string `json:"issued_token_type,omitempty"`
    
    	// TokenType: The type of access token. Always has the value `Bearer`.
    	TokenType string `json:"token_type,omitempty"`
    
    	// ServerResponse contains the HTTP response code and headers from the
    	// server.
    	googleapi.ServerResponse `json:"-"`
    
    	// ForceSendFields is a list of field names (e.g. "AccessToken") to
    	// unconditionally include in API requests. By default, fields with
    	// empty values are omitted from API requests. However, any non-pointer,
    	// non-interface field appearing in ForceSendFields will be sent to the
    	// server regardless of whether the field is empty or not. This may be
    	// used to include empty fields in Patch requests.
    	ForceSendFields []string `json:"-"`
    
    	// NullFields is a list of field names (e.g. "AccessToken") to include
    	// in API requests with the JSON null value. By default, fields with
    	// empty values are omitted from API requests. However, any field with
    	// an empty value appearing in NullFields will be sent to the server as
    	// null. It is an error if a field in this list has a non-empty value.
    	// This may be used to include null fields in Patch requests.
    	NullFields []string `json:"-"`
    }

      GoogleIdentityStsV1betaExchangeTokenResponse: Response message for ExchangeToken.

      func (*GoogleIdentityStsV1betaExchangeTokenResponse) MarshalJSON

      type Service

      type Service struct {
      	BasePath  string // API endpoint base URL
      	UserAgent string // optional additional User-Agent fragment
      
      	V1beta *V1betaService
      	// contains filtered or unexported fields
      }

      func New

      func New(client *http.Client) (*Service, error)

        New creates a new Service. It uses the provided http.Client for requests.

        Deprecated: please use NewService instead. To provide a custom HTTP client, use option.WithHTTPClient. If you are using google.golang.org/api/googleapis/transport.APIKey, use option.WithAPIKey with NewService instead.

        func NewService

        func NewService(ctx context.Context, opts ...option.ClientOption) (*Service, error)

          NewService creates a new Service.

          type V1betaService

          type V1betaService struct {
          	// contains filtered or unexported fields
          }

          func NewV1betaService

          func NewV1betaService(s *Service) *V1betaService

          func (*V1betaService) Token

          func (r *V1betaService) Token(googleidentitystsv1betaexchangetokenrequest *GoogleIdentityStsV1betaExchangeTokenRequest) *V1betaTokenCall

            Token: Exchanges a credential for a Google OAuth 2.0 access token. The token asserts an external identity within a workload identity pool, or it applies a Credential Access Boundary to a Google access token. When you call this method, do not send the `Authorization` HTTP header in the request. This method does not require the `Authorization` header, and using the header can cause the request to fail.

            type V1betaTokenCall

            type V1betaTokenCall struct {
            	// contains filtered or unexported fields
            }

            func (*V1betaTokenCall) Context

              Context sets the context to be used in this call's Do method. Any pending HTTP request will be aborted if the provided context is canceled.

              func (*V1betaTokenCall) Do

                Do executes the "sts.token" call. Exactly one of *GoogleIdentityStsV1betaExchangeTokenResponse or error will be non-nil. Any non-2xx status code is an error. Response headers are in either *GoogleIdentityStsV1betaExchangeTokenResponse.ServerResponse.Header or (if a response was returned at all) in error.(*googleapi.Error).Header. Use googleapi.IsNotModified to check whether the returned error was because http.StatusNotModified was returned.

                func (*V1betaTokenCall) Fields

                  Fields allows partial responses to be retrieved. See https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more information.

                  func (*V1betaTokenCall) Header

                  func (c *V1betaTokenCall) Header() http.Header

                    Header returns an http.Header that can be modified by the caller to add HTTP headers to the request.

                    Source Files