package impersonate

import "cloud.google.com/go/auth/credentials/internal/impersonate"

Index

Functions

func NewTokenProvider

func NewTokenProvider(opts *Options) (auth.TokenProvider, error)

NewTokenProvider uses a source credential, stored in Tp, to request an access token from the provided URL. Scopes can be defined when the access token is requested.

Types

type GenerateIDTokenRequest

// GenerateIDTokenRequest holds the request to the IAM generateIdToken RPC.
// The struct tags fix the JSON member names used for the request.
type GenerateIDTokenRequest struct {
	// Audience and IncludeEmail map to the "audience" and "includeEmail"
	// JSON members. Neither tag carries omitempty, so encoding/json emits
	// both even when they hold their zero values.
	// NOTE(review): Audience presumably becomes the aud claim of the issued
	// ID token, so it should name the single service meant to accept the
	// token; IncludeEmail presumably adds the service account email to the
	// token's claims. Confirm both against the IAM Credentials API reference.
	Audience     string `json:"audience"`
	IncludeEmail bool   `json:"includeEmail"`
	// Delegates are the ordered, fully-qualified resource name for service
	// accounts in a delegation chain. Each service account must be granted
	// roles/iam.serviceAccountTokenCreator on the next service account in the
	// chain. The delegates must have the following format:
	// projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard
	// character is required; replacing it with a project ID is invalid.
	// Optional.
	//
	// Each account in the chain is able to obtain tokens for the next one, so
	// keep the chain as short as possible and grant the role on individual
	// service accounts rather than more broadly.
	Delegates []string `json:"delegates,omitempty"`
}

GenerateIDTokenRequest holds the request to the IAM generateIdToken RPC.

type GenerateIDTokenResponse

// GenerateIDTokenResponse holds the response from the IAM generateIdToken RPC.
type GenerateIDTokenResponse struct {
	// Token is read from the "token" JSON member of the response.
	// NOTE(review): presumably the issued ID token itself, i.e. a bearer
	// credential; it should stay out of logs and error messages. Confirm
	// against the code that decodes and returns it.
	Token string `json:"token"`
}

GenerateIDTokenResponse holds the response from the IAM generateIdToken RPC.

type IDTokenIAMOptions

// IDTokenIAMOptions provides configuration for IDTokenIAMOptions.Token.
//
// GenerateIDTokenRequest is embedded, so its Audience, IncludeEmail and
// Delegates fields are set directly on this struct.
//
// NOTE(review): UniverseDomain and ServiceAccountEmail carry no field
// comments. ServiceAccountEmail presumably names the service account to be
// impersonated and UniverseDomain presumably selects the IAM endpoint's
// domain; confirm both against the Token implementation.
type IDTokenIAMOptions struct {
	// Client is required.
	// NOTE(review): this type has no token provider field, so Client is
	// presumably expected to attach the source credential to the request
	// itself; confirm before passing a plain http.Client.
	Client *http.Client
	// Logger is required.
	Logger              *slog.Logger
	UniverseDomain      auth.CredentialsPropertyProvider
	ServiceAccountEmail string
	GenerateIDTokenRequest
}

IDTokenIAMOptions provides configuration for IDTokenIAMOptions.Token.

func (IDTokenIAMOptions) Token

func (o IDTokenIAMOptions) Token(ctx context.Context) (*auth.Token, error)

Token calls IAM generateIdToken with the configuration provided in IDTokenIAMOptions.

type Options

// Options configures NewTokenProvider: the source credential, the token
// endpoint, and the properties of the impersonated token to request.
type Options struct {
	// Tp is the source credential used to generate a token on the
	// impersonated service account. Required.
	Tp auth.TokenProvider

	// URL is the endpoint to call to generate a token
	// on behalf of the service account. Required.
	// NOTE(review): the source credential from Tp is presumably presented to
	// this endpoint, so the value should come from trusted configuration and
	// never from request or user input; confirm against Token.
	URL string
	// Scopes that the impersonated credential should have. Required.
	// Request only the scopes the workload needs; the resulting token is
	// usable for everything listed here.
	Scopes []string
	// Delegates are the service account email addresses in a delegation chain.
	// Each service account must be granted roles/iam.serviceAccountTokenCreator
	// on the next service account in the chain. Optional.
	//
	// Note the format differs from GenerateIDTokenRequest.Delegates, which is
	// documented as fully-qualified resource names rather than email addresses.
	Delegates []string
	// TokenLifetimeSeconds is the number of seconds the impersonation token will
	// be valid for. Defaults to 1 hour if unset. Optional.
	// A shorter lifetime narrows the window in which a leaked token can be used.
	TokenLifetimeSeconds int
	// Client configures the underlying client used to make network requests
	// when fetching tokens. Required.
	Client *http.Client
	// Logger is used for debug logging. If provided, logging will be enabled
	// at the logger's configured level. By default logging is disabled unless
	// enabled by setting GOOGLE_SDK_GO_LOGGING_LEVEL in which case a default
	// logger will be used. Optional.
	// NOTE(review): confirm that debug output never includes token values or
	// Authorization headers before enabling it in production.
	Logger *slog.Logger
}

Options for NewTokenProvider.

func (*Options) Token

func (o *Options) Token(ctx context.Context) (*auth.Token, error)

Token performs the exchange to get a temporary service account token to allow access to GCP.

Source Files

idtoken.go impersonate.go

Version
v0.16.2
Published
Jun 4, 2025
Platform
js/wasm