package trustboundary

import "cloud.google.com/go/auth/internal/trustboundary"

Index

Functions

func IsEnabled

func IsEnabled() (bool, error)

IsEnabled reports whether the trust boundary feature is enabled, and returns an error if the configuration is invalid. The underlying check is performed only once.

Types

type AllowedLocationsResponse

type AllowedLocationsResponse struct {
	// Locations is the list of allowed locations.
	Locations []string `json:"locations"`
	// EncodedLocations is the encoded representation of the allowed locations.
	EncodedLocations string `json:"encodedLocations"`
}

AllowedLocationsResponse is the structure of the response from the Trust Boundary API.

type ConfigProvider

type ConfigProvider interface {
	// GetTrustBoundaryEndpoint returns the endpoint URL for the trust boundary lookup.
	GetTrustBoundaryEndpoint(ctx context.Context) (url string, err error)
	// GetUniverseDomain returns the universe domain associated with the credential.
	// It may return an error if the universe domain cannot be determined.
	GetUniverseDomain(ctx context.Context) (string, error)
}

ConfigProvider provides specific configuration for trust boundary lookups.

func NewExternalAccountConfigProvider

func NewExternalAccountConfigProvider(audience, inputUniverseDomain string) (ConfigProvider, error)

NewExternalAccountConfigProvider creates a new ConfigProvider for external accounts.

func NewServiceAccountConfigProvider

func NewServiceAccountConfigProvider(saEmail, universeDomain string) ConfigProvider

NewServiceAccountConfigProvider creates a new ConfigProvider for service accounts.

type DataProvider

type DataProvider struct {
	// contains filtered or unexported fields
}

DataProvider fetches and caches trust boundary data. It implements the DataProvider interface and uses a ConfigProvider to obtain type-specific details for the lookup.

func NewProvider

func NewProvider(client *http.Client, configProvider ConfigProvider, logger *slog.Logger, base auth.TokenProvider) (*DataProvider, error)

NewProvider wraps the provided base auth.TokenProvider to create a new provider that injects tokens with trust boundary data. It uses the provided HTTP client and configProvider to fetch the data and attach it to the token's metadata.

func (*DataProvider) GetTrustBoundaryData

func (p *DataProvider) GetTrustBoundaryData(ctx context.Context, token *auth.Token) (*internal.TrustBoundaryData, error)

GetTrustBoundaryData retrieves the trust boundary data. It first checks the universe domain: if it is not the default, a NoOp result is returned. Otherwise it consults a local cache. If the cached value is not NoOp, it fetches fresh data from the endpoint supplied by its ConfigProvider, authenticating with the given token, and caches the result. If the fetch fails, it returns the previously cached data when available, and the fetch error otherwise.
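The lookup order described above, written out in Go as an added illustration that is not the package's own code: the `Data`, `noOp` and `Provider` types, the `defaultUniverseDomain` constant and the `fetch` callback are stand-ins assumed here in place of the real internal types, and the fallback-to-cache branch is the part worth seeing, since it keeps token issuance working through a lookup outage.

```go
package main

import (
	"context"
	"fmt"
	"sync"
)

// Assumed default universe domain; the real constant lives elsewhere in the auth module.
const defaultUniverseDomain = "googleapis.com"
// Data stands in for internal.TrustBoundaryData (constructed for this example).
type Data struct {
	Locations        []string
	EncodedLocations string
}
// noOp is a constructed "no restrictions" sentinel; the real package defines its own.
var noOp = &Data{}
// Provider mirrors the caching contract documented for DataProvider.GetTrustBoundaryData.
type Provider struct {
	universeDomain string
	fetch          func(ctx context.Context, accessToken string) (*Data, error)
	mu             sync.Mutex
	cached         *Data
}

// Non-default universe: noOp. Cached noOp: noOp with no lookup. Otherwise fetch and cache
// on success; on failure serve the last good value rather than fail the token request.
func (p *Provider) GetTrustBoundaryData(ctx context.Context, accessToken string) (*Data, error) {
	if p.universeDomain != defaultUniverseDomain {
		return noOp, nil
	}
	p.mu.Lock()
	defer p.mu.Unlock()
	if p.cached == noOp {
		return noOp, nil
	}
	d, err := p.fetch(ctx, accessToken)
	if err != nil {
		if p.cached != nil {
			return p.cached, nil
		}
		return nil, err
	}
	p.cached = d
	return d, nil
}

func main() {
	p := &Provider{universeDomain: "example.test"} // non-default universe: fetch is never called
	d, err := p.GetTrustBoundaryData(context.Background(), "constructed-token")
	fmt.Println(d == noOp, err)
}
```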

func (*DataProvider) Token

func (p *DataProvider) Token(ctx context.Context) (*auth.Token, error)

Token retrieves a token from the base provider and injects it with trust boundary data.

type GCEConfigProvider

type GCEConfigProvider struct {
	// contains filtered or unexported fields
}

GCEConfigProvider implements ConfigProvider for GCE environments. It lazily fetches and caches the necessary metadata (service account email, universe domain) from the GCE metadata server.

func NewGCEConfigProvider

func NewGCEConfigProvider(gceUDP *internal.ComputeUniverseDomainProvider) *GCEConfigProvider

NewGCEConfigProvider creates a new GCEConfigProvider which uses the provided gceUDP to interact with the GCE metadata server.

func (*GCEConfigProvider) GetTrustBoundaryEndpoint

func (g *GCEConfigProvider) GetTrustBoundaryEndpoint(ctx context.Context) (string, error)

GetTrustBoundaryEndpoint constructs the trust boundary lookup URL for a GCE environment. It uses cached metadata (service account email, universe domain) after the first call.

func (*GCEConfigProvider) GetUniverseDomain

func (g *GCEConfigProvider) GetUniverseDomain(ctx context.Context) (string, error)

GetUniverseDomain retrieves the universe domain from the GCE metadata server. It uses a cached value after the first call.

Source Files

external_accounts_config_providers.go trust_boundary.go

Version: v0.20.0 (latest)
Published: Apr 6, 2026
Platform: linux/amd64
Imports: 16 packages