func DetectDefault(opts *DetectOptions) (*auth.Credentials,error)

func NewCredentialsFromFile(credTypeCredType, filenamestring, opts *DetectOptions) (*auth.Credentials,error)

func NewCredentialsFromJSON(credTypeCredType, b []byte, opts *DetectOptions) (*auth.Credentials,error)

func OnGCE()bool

type CredTypestring

type DetectOptions struct {// Scopes that credentials tokens should have. Example://https://www.googleapis.com/auth/cloud-platform. Required if Audience is// not provided.Scopes []string// TokenBindingType specifies the type of binding used when requesting a// token whether to request a hard-bound token using mTLS or an instance// identity bound token using ALTS. Optional.TokenBindingTypeTokenBindingType// Audience that credentials tokens should have. Only applicable for 2LO// flows with service accounts. If specified, scopes should not be provided.Audiencestring// Subject is the user email used for [domain wide delegation](https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority).// Optional.Subjectstring// EarlyTokenRefresh configures how early before a token expires that it// should be refreshed. Once the token’s time until expiration has entered// this refresh window the token is considered valid but stale. If unset,// the default value is 3 minutes and 45 seconds. Optional.EarlyTokenRefreshtime.Duration// DisableAsyncRefresh configures a synchronous workflow that refreshes// stale tokens while blocking. The default is false. Optional.DisableAsyncRefreshbool// AuthHandlerOptions configures an authorization handler and other options// for 3LO flows. It is required, and only used, for client credential// flows.AuthHandlerOptions *auth.AuthorizationHandlerOptions// TokenURL allows to set the token endpoint for user credential flows. If// unset the default value is:https://oauth2.googleapis.com/token.// Optional.TokenURLstring// STSAudience is the audience sent to when retrieving an STS token.// Currently this only used for GDCH auth flow, for which it is required.STSAudiencestring// CredentialsFile overrides detection logic and sources a credential file// from the provided filepath. If provided, CredentialsJSON must not be.// Optional.//// Deprecated: This field is deprecated because of a potential security risk.// It does not validate the credential configuration. The security risk occurs// when a credential configuration is accepted from a source that is not// under your control and used without validation on your side.//// If you know that you will be loading credential configurations of a// specific type, it is recommended to use a credential-type-specific// NewCredentialsFromFile method. This will ensure that an unexpected// credential type with potential for malicious intent is not loaded// unintentionally. You might still have to do validation for certain// credential types. Please follow the recommendation for that method. For// example, if you want to load only service accounts, you can use////creds, err := credentials.NewCredentialsFromFile(ctx, credentials.ServiceAccount, filename, opts)//// If you are loading your credential configuration from an untrusted source// and have not mitigated the risks (e.g. by validating the configuration// yourself), make these changes as soon as possible to prevent security// risks to your environment.//// Regardless of the method used, it is always your responsibility to// validate configurations received from external sources.//// For more details see://https://cloud.google.com/docs/authentication/external/externally-sourced-credentialsCredentialsFilestring// CredentialsJSON overrides detection logic and uses the JSON bytes as the// source for the credential. If provided, CredentialsFile must not be.// Optional.//// Deprecated: This field is deprecated because of a potential security risk.// It does not validate the credential configuration. The security risk occurs// when a credential configuration is accepted from a source that is not// under your control and used without validation on your side.//// If you know that you will be loading credential configurations of a// specific type, it is recommended to use a credential-type-specific// NewCredentialsFromJSON method. This will ensure that an unexpected// credential type with potential for malicious intent is not loaded// unintentionally. You might still have to do validation for certain// credential types. Please follow the recommendation for that method. For// example, if you want to load only service accounts, you can use////creds, err := credentials.NewCredentialsFromJSON(ctx, credentials.ServiceAccount, json, opts)//// If you are loading your credential configuration from an untrusted source// and have not mitigated the risks (e.g. by validating the configuration// yourself), make these changes as soon as possible to prevent security// risks to your environment.//// Regardless of the method used, it is always your responsibility to// validate configurations received from external sources.//// For more details see://https://cloud.google.com/docs/authentication/external/externally-sourced-credentialsCredentialsJSON []byte// UseSelfSignedJWT directs service account based credentials to create a// self-signed JWT with the private key found in the file, skipping any// network requests that would normally be made. Optional.UseSelfSignedJWTbool// Client configures the underlying client used to make network requests// when fetching tokens. Optional.Client *http.Client// UniverseDomain is the default service domain for a given Cloud universe.// The default value is "googleapis.com". This option is ignored for// authentication flows that do not support universe domain. Optional.UniverseDomainstring// Logger is used for debug logging. If provided, logging will be enabled// at the loggers configured level. By default logging is disabled unless// enabled by setting GOOGLE_SDK_GO_LOGGING_LEVEL in which case a default// logger will be used. Optional.Logger *slog.Logger}

type TokenBindingTypeint