Reference documentation and code samples for the Google Auth Library Client class ExecutableSource.

ExecutableSource enables the exchange of workload identity pool external credentials forGoogle access tokens by retrieving 3rd party tokens through a user supplied executable. Thesescripts/executables are completely independent of the Google Cloud Auth libraries. Thesecredentials plug into ADC and will call the specified executable to retrieve the 3rd party tokento be exchanged for a Google access token.

To use these credentials, the GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES environment variablemust be set to '1'. This is for security reasons.

Both OIDC and SAML are supported. The executable must adhere to a specific response formatdefined below.

The executable must print out the 3rd party token to STDOUT in JSON format. When anoutput_file is specified in the credential configuration, the executable must also handle writing theJSON response to this file.

OIDC response sample:{  "version": 1,  "success": true,  "token_type": "urn:ietf:params:oauth:token-type:id_token",  "id_token": "HEADER.PAYLOAD.SIGNATURE",  "expiration_time": 1620433341}SAML2 response sample:{  "version": 1,  "success": true,  "token_type": "urn:ietf:params:oauth:token-type:saml2",  "saml_response": "...",  "expiration_time": 1620433341}Error response sample:{  "version": 1,  "success": false,  "code": "401",  "message": "Error message."}

The "expiration_time" field in the JSON response is only required for successfulresponses when an output file was specified in the credential configuration

The auth libraries will populate certain environment variables that will be accessible by theexecutable, such as: GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE, GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE,GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE, GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL, andGOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE.

Gets the unique key for cachingThe format for the cache key is:Command.OutputFile