externalaccount
package
This package is not in the latest version of its module.
Details
Validgo.mod file
The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
- Redistributable license
Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
- Tagged version
Modules with tagged versions give importers more predictable builds.
Stable versionWhen a project reaches major version v1 it is considered stable.
- Learn more about best practices
Repository
Links
Report a Vulnerability
Open Source Insights
Documentation¶
Overview¶
Package externalaccount provides support for creating workload identityfederation and workforce identity federation token sources that can beused to access Google Cloud resources from external identity providers.
Workload Identity Federation¶
Using workload identity federation, your application can access Google Cloudresources from Amazon Web Services (AWS), Microsoft Azure or any identityprovider that supports OpenID Connect (OIDC) or SAML 2.0.Traditionally, applications running outside Google Cloud have used serviceaccount keys to access Google Cloud resources. Using identity federation,you can allow your workload to impersonate a service account.This lets you access Google Cloud resources directly, eliminating themaintenance and security burden associated with service account keys.
Follow the detailed instructions on how to configure Workload Identity Federationin various platforms:
Amazon Web Services (AWS):https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds#awsMicrosoft Azure:https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds#azureOIDC identity provider:https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#oidcSAML 2.0 identity provider:https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#saml
For OIDC and SAML providers, the library can retrieve tokens in fours ways:from a local file location (file-sourced credentials), from a server(URL-sourced credentials), from a local executable (executable-sourcedcredentials), or from a user defined function that returns an OIDC or SAML token.For file-sourced credentials, a background process needs to be continuouslyrefreshing the file location with a new OIDC/SAML token prior to expiration.For tokens with one hour lifetimes, the token needs to be updated in the fileevery hour. The token can be stored directly as plain text or in JSON format.For URL-sourced credentials, a local server needs to host a GET endpoint toreturn the OIDC/SAML token. The response can be in plain text or JSON.Additional required request headers can also be specified.For executable-sourced credentials, an application needs to be available tooutput the OIDC/SAML token and other information in a JSON format.For more information on how these work (and how to implementexecutable-sourced credentials), please check out:https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#create_a_credential_configuration
To use a custom function to supply the token, define a struct that implements theSubjectTokenSupplier interface for OIDC/SAML providers,or one that implementsAwsSecurityCredentialsSupplier for AWS providers. This can then be used when building aConfig.Thegolang.org/x/oauth2.TokenSource created from the config usingNewTokenSource can then be used to access GoogleCloud resources. For instance, you can create a new client from thecloud.google.com/go/storage package and pass in option.WithTokenSource(yourTokenSource))
Note that this library does not perform any validation on the token_url, token_info_url,or service_account_impersonation_url fields of the credential configuration.It is not recommended to use a credential configuration that you did not generate withthe gcloud CLI unless you verify that the URL fields point to a googleapis.com domain.
Workforce Identity Federation¶
Workforce identity federation lets you use an external identity provider (IdP) toauthenticate and authorize a workforce—a group of users, such as employees, partners,and contractors—using IAM, so that the users can access Google Cloud services.Workforce identity federation extends Google Cloud's identity capabilities to supportsyncless, attribute-based single sign on.
With workforce identity federation, your workforce can access Google Cloud resourcesusing an external identity provider (IdP) that supports OpenID Connect (OIDC) orSAML 2.0 such as Azure Active Directory (Azure AD), Active Directory FederationServices (AD FS), Okta, and others.
Follow the detailed instructions on how to configure Workload Identity Federationin various platforms:
Azure AD:https://cloud.google.com/iam/docs/workforce-sign-in-azure-adOkta:https://cloud.google.com/iam/docs/workforce-sign-in-oktaOIDC identity provider:https://cloud.google.com/iam/docs/configuring-workforce-identity-federation#oidcSAML 2.0 identity provider:https://cloud.google.com/iam/docs/configuring-workforce-identity-federation#saml
For workforce identity federation, the library can retrieve tokens in four ways:from a local file location (file-sourced credentials), from a server(URL-sourced credentials), from a local executable (executable-sourcedcredentials), or from a user supplied function that returns an OIDC or SAML token.For file-sourced credentials, a background process needs to be continuouslyrefreshing the file location with a new OIDC/SAML token prior to expiration.For tokens with one hour lifetimes, the token needs to be updated in the fileevery hour. The token can be stored directly as plain text or in JSON format.For URL-sourced credentials, a local server needs to host a GET endpoint toreturn the OIDC/SAML token. The response can be in plain text or JSON.Additional required request headers can also be specified.For executable-sourced credentials, an application needs to be available tooutput the OIDC/SAML token and other information in a JSON format.For more information on how these work (and how to implementexecutable-sourced credentials), please check out:https://cloud.google.com/iam/docs/workforce-obtaining-short-lived-credentials#generate_a_configuration_file_for_non-interactive_sign-in
To use a custom function to supply the token, define a struct that implements theSubjectTokenSupplier interface for OIDC/SAML providers.This can then be used when building aConfig.Thegolang.org/x/oauth2.TokenSource created from the config usingNewTokenSource can then be used access GoogleCloud resources. For instance, you can create a new client from thecloud.google.com/go/storage package and pass in option.WithTokenSource(yourTokenSource))
Security considerations¶
Note that this library does not perform any validation on the token_url, token_info_url,or service_account_impersonation_url fields of the credential configuration.It is not recommended to use a credential configuration that you did not generate withthe gcloud CLI unless you verify that the URL fields point to a googleapis.com domain.
Index¶
Constants¶
This section is empty.
Variables¶
This section is empty.
Functions¶
funcNewTokenSource¶
NewTokenSource Returns an external account TokenSource using the provided external account config.
Types¶
typeAwsSecurityCredentials¶
type AwsSecurityCredentials struct {// AccessKeyID is the AWS Access Key ID - Required.AccessKeyIDstring `json:"AccessKeyID"`// SecretAccessKey is the AWS Secret Access Key - Required.SecretAccessKeystring `json:"SecretAccessKey"`// SessionToken is the AWS Session token. This should be provided for temporary AWS security credentials - Optional.SessionTokenstring `json:"Token"`}AwsSecurityCredentials models AWS security credentials.
typeAwsSecurityCredentialsSupplier¶
type AwsSecurityCredentialsSupplier interface {// AwsRegion should return the AWS region or an error.AwsRegion(ctxcontext.Context, optionsSupplierOptions) (string,error)// AwsSecurityCredentials should return a valid set of AwsSecurityCredentials or an error.// The external account token source does not cache the returned security credentials, so caching// logic should be implemented in the supplier to prevent multiple requests for the same security credentials.AwsSecurityCredentials(ctxcontext.Context, optionsSupplierOptions) (*AwsSecurityCredentials,error)}AWSSecurityCredentialsSupplier can be used to supply AwsSecurityCredentials and an AWS Region toexchange for a GCP access token.
typeConfig¶
type Config struct {// Audience is the Secure Token Service (STS) audience which contains the resource name for the workload// identity pool or the workforce pool and the provider identifier in that pool. Required.Audiencestring// SubjectTokenType is the STS token type based on the Oauth2.0 token exchange spec.// Expected values include:// “urn:ietf:params:oauth:token-type:jwt”// “urn:ietf:params:oauth:token-type:id-token”// “urn:ietf:params:oauth:token-type:saml2”// “urn:ietf:params:aws:token-type:aws4_request”// Required.SubjectTokenTypestring// TokenURL is the STS token exchange endpoint. If not provided, will default to//https://sts.UNIVERSE_DOMAIN/v1/token, with UNIVERSE_DOMAIN set to the// default service domain googleapis.com unless UniverseDomain is set.// Optional.TokenURLstring// TokenInfoURL is the token_info endpoint used to retrieve the account related information (// user attributes like account identifier, eg. email, username, uid, etc). This is// needed for gCloud session account identification. Optional.TokenInfoURLstring// ServiceAccountImpersonationURL is the URL for the service account impersonation request. This is only// required for workload identity pools when APIs to be accessed have not integrated with UberMint. Optional.ServiceAccountImpersonationURLstring// ServiceAccountImpersonationLifetimeSeconds is the number of seconds the service account impersonation// token will be valid for. If not provided, it will default to 3600. Optional.ServiceAccountImpersonationLifetimeSecondsint// ClientSecret is currently only required if token_info endpoint also// needs to be called with the generated GCP access token. When provided, STS will be// called with additional basic authentication using ClientId as username and ClientSecret as password. Optional.ClientSecretstring// ClientID is only required in conjunction with ClientSecret, as described above. Optional.ClientIDstring// CredentialSource contains the necessary information to retrieve the token itself, as well// as some environmental information. One of SubjectTokenSupplier, AWSSecurityCredentialSupplier or// CredentialSource must be provided. Optional.CredentialSource *CredentialSource// QuotaProjectID is injected by gCloud. If the value is non-empty, the Auth libraries// will set the x-goog-user-project header which overrides the project associated with the credentials. Optional.QuotaProjectIDstring// Scopes contains the desired scopes for the returned access token. Optional.Scopes []string// WorkforcePoolUserProject is the workforce pool user project number when the credential// corresponds to a workforce pool and not a workload identity pool.// The underlying principal must still have serviceusage.services.use IAM// permission to use the project for billing/quota. Optional.WorkforcePoolUserProjectstring// SubjectTokenSupplier is an optional token supplier for OIDC/SAML credentials.// One of SubjectTokenSupplier, AWSSecurityCredentialSupplier or CredentialSource must be provided. Optional.SubjectTokenSupplierSubjectTokenSupplier// AwsSecurityCredentialsSupplier is an AWS Security Credential supplier for AWS credentials.// One of SubjectTokenSupplier, AWSSecurityCredentialSupplier or CredentialSource must be provided. Optional.AwsSecurityCredentialsSupplierAwsSecurityCredentialsSupplier// UniverseDomain is the default service domain for a given Cloud universe.// This value will be used in the default STS token URL. The default value// is "googleapis.com". It will not be used if TokenURL is set. Optional.UniverseDomainstring}Config stores the configuration for fetching tokens with external credentials.
typeCredentialSource¶
type CredentialSource struct {// File is the location for file sourced credentials.// One field amongst File, URL, Executable, or EnvironmentID should be provided, depending on the kind of credential in question.//// Important: If you accept a credential configuration (credential// JSON/File/Stream) from an external source for authentication to Google// Cloud Platform, you must validate it before providing it to any Google// API or library. Providing an unvalidated credential configuration to// Google APIs can compromise the security of your systems and data. For// more information, refer to [Validate credential configurations from// external sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).Filestring `json:"file"`// Url is the URL to call for URL sourced credentials.// One field amongst File, URL, Executable, or EnvironmentID should be provided, depending on the kind of credential in question.//// Important: If you accept a credential configuration (credential// JSON/File/Stream) from an external source for authentication to Google// Cloud Platform, you must validate it before providing it to any Google// API or library. Providing an unvalidated credential configuration to// Google APIs can compromise the security of your systems and data. For// more information, refer to [Validate credential configurations from// external sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).URLstring `json:"url"`// Headers are the headers to attach to the request for URL sourced credentials.Headers map[string]string `json:"headers"`// Executable is the configuration object for executable sourced credentials.// One field amongst File, URL, Executable, or EnvironmentID should be provided, depending on the kind of credential in question.//// Important: If you accept a credential configuration (credential// JSON/File/Stream) from an external source for authentication to Google// Cloud Platform, you must validate it before providing it to any Google// API or library. Providing an unvalidated credential configuration to// Google APIs can compromise the security of your systems and data. For// more information, refer to [Validate credential configurations from// external sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).Executable *ExecutableConfig `json:"executable"`// EnvironmentID is the EnvironmentID used for AWS sourced credentials. This should start with "AWS".// One field amongst File, URL, Executable, or EnvironmentID should be provided, depending on the kind of credential in question.//// Important: If you accept a credential configuration (credential// JSON/File/Stream) from an external source for authentication to Google// Cloud Platform, you must validate it before providing it to any Google// API or library. Providing an unvalidated credential configuration to// Google APIs can compromise the security of your systems and data. For// more information, refer to [Validate credential configurations from// external sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).EnvironmentIDstring `json:"environment_id"`// RegionURL is the metadata URL to retrieve the region from for EC2 AWS credentials.RegionURLstring `json:"region_url"`// RegionalCredVerificationURL is the AWS regional credential verification URL, will default to// "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15" if not provided."RegionalCredVerificationURLstring `json:"regional_cred_verification_url"`// IMDSv2SessionTokenURL is the URL to retrieve the session token when using IMDSv2 in AWS.IMDSv2SessionTokenURLstring `json:"imdsv2_session_token_url"`// Format is the format type for the subject token. Used for File and URL sourced credentials. Expected values are "text" or "json".FormatFormat `json:"format"`}CredentialSource stores the information necessary to retrieve the credentials for the STS exchange.
typeExecutableConfig¶
type ExecutableConfig struct {// Command is the the full command to run to retrieve the subject token.// This can include arguments. Must be an absolute path for the program. Required.Commandstring `json:"command"`// TimeoutMillis is the timeout duration, in milliseconds. Defaults to 30000 milliseconds when not provided. Optional.TimeoutMillis *int `json:"timeout_millis"`// OutputFile is the absolute path to the output file where the executable will cache the response.// If specified the auth libraries will first check this location before running the executable. Optional.OutputFilestring `json:"output_file"`}ExecutableConfig contains information needed for executable sourced credentials.
typeFormat¶
type Format struct {// Type should be either "text" or "json". This determines whether the file or URL sourced credentials// expect a simple text subject token or if the subject token will be contained in a JSON object.// When not provided "text" type is assumed.Typestring `json:"type"`// SubjectTokenFieldName is only required for JSON format. This is the field name that the credentials will check// for the subject token in the file or URL response. This would be "access_token" for azure.SubjectTokenFieldNamestring `json:"subject_token_field_name"`}Format contains information needed to retrieve a subject token for URL or File sourced credentials.
typeSubjectTokenSupplier¶
type SubjectTokenSupplier interface {// SubjectToken should return a valid subject token or an error.// The external account token source does not cache the returned subject token, so caching// logic should be implemented in the supplier to prevent multiple requests for the same subject token.SubjectToken(ctxcontext.Context, optionsSupplierOptions) (string,error)}SubjectTokenSupplier can be used to supply a subject token to exchange for a GCP access token.
typeSupplierOptions¶
type SupplierOptions struct {// Audience is the requested audience for the external account credential.Audiencestring// Subject token type is the requested subject token type for the external account credential. Expected values include:// “urn:ietf:params:oauth:token-type:jwt”// “urn:ietf:params:oauth:token-type:id-token”// “urn:ietf:params:oauth:token-type:saml2”// “urn:ietf:params:aws:token-type:aws4_request”SubjectTokenTypestring}SupplierOptions contains information about the requested subject token or AWS security credentials from theGoogle external account credential.
Source Files