impersonate

package v0.257.0 (Latest)
Published: Dec 2, 2025. License: BSD-3-Clause. Imports: 15. Imported by: 108.

Details

Repository

github.com/googleapis/google-api-go-client

Overview

Package impersonate is used to impersonate Google Credentials.

Required IAM roles

In order to impersonate a service account, the base service account must have the Service Account Token Creator role, roles/iam.serviceAccountTokenCreator, on the service account being impersonated. See https://cloud.google.com/iam/docs/understanding-service-accounts.

Optionally, delegates can be used during impersonation if the base service account lacks the token creator role on the target. When using delegates, each service account must be granted roles/iam.serviceAccountTokenCreator on the next service account in the delegation chain.

For example, if a base service account SA1 is trying to impersonate target service account SA2 while using delegate service accounts DSA1 and DSA2, the following must be true:

  1. Base service account SA1 has roles/iam.serviceAccountTokenCreator on DSA1.
  2. DSA1 has roles/iam.serviceAccountTokenCreator on DSA2.
  3. DSA2 has roles/iam.serviceAccountTokenCreator on target SA2.

If the base credential is an authorized user and not a service account, or if the option WithQuotaProject is set, the target service account must have a role that grants the serviceusage.services.use permission, such as roles/serviceusage.serviceUsageConsumer.

Constants

This section is empty.

Variables

This section is empty.

Functions

func CredentialsTokenSource

```go
func CredentialsTokenSource(ctx context.Context, config CredentialsConfig, opts ...option.ClientOption) (oauth2.TokenSource, error)
```

CredentialsTokenSource returns an impersonated TokenSource configured with the provided config and using credentials loaded from Application Default Credentials as the base credentials.

Example (AdminUser)

```go
package main

import (
	"context"
	"log"

	admin "google.golang.org/api/admin/directory/v1"
	"google.golang.org/api/impersonate"
	"google.golang.org/api/option"
)

func main() {
	ctx := context.Background()

	// Base credentials sourced from ADC or provided client options.
	ts, err := impersonate.CredentialsTokenSource(ctx, impersonate.CredentialsConfig{
		TargetPrincipal: "foo@project-id.iam.gserviceaccount.com",
		Scopes:          []string{"https://www.googleapis.com/auth/cloud-platform"},
		// Optionally supply delegates.
		Delegates: []string{"bar@project-id.iam.gserviceaccount.com"},
		// Specify the user to impersonate (domain-wide delegation).
		Subject: "admin@example.com",
	})
	if err != nil {
		log.Fatal(err)
	}

	// Pass an impersonated credential to any function that takes client
	// options.
	client, err := admin.NewService(ctx, option.WithTokenSource(ts))
	if err != nil {
		log.Fatal(err)
	}

	// Use your client that is authenticated with impersonated credentials to
	// make requests.
	client.Groups.Delete("...")
}
```

Example (ServiceAccount)

```go
package main

import (
	"context"
	"log"

	"google.golang.org/api/impersonate"
	"google.golang.org/api/option"
	secretmanager "google.golang.org/api/secretmanager/v1"
)

func main() {
	ctx := context.Background()

	// Base credentials sourced from ADC or provided client options.
	ts, err := impersonate.CredentialsTokenSource(ctx, impersonate.CredentialsConfig{
		TargetPrincipal: "foo@project-id.iam.gserviceaccount.com",
		Scopes:          []string{"https://www.googleapis.com/auth/cloud-platform"},
		// Optionally supply delegates.
		Delegates: []string{"bar@project-id.iam.gserviceaccount.com"},
	})
	if err != nil {
		log.Fatal(err)
	}

	// Pass an impersonated credential to any function that takes client
	// options.
	client, err := secretmanager.NewService(ctx, option.WithTokenSource(ts))
	if err != nil {
		log.Fatal(err)
	}

	// Use your client that is authenticated with impersonated credentials to
	// make requests.
	client.Projects.Secrets.Get("...")
}
```

func IDTokenSource

```go
func IDTokenSource(ctx context.Context, config IDTokenConfig, opts ...option.ClientOption) (oauth2.TokenSource, error)
```

IDTokenSource creates an impersonated TokenSource that returns ID tokens configured with the provided config and using credentials loaded from Application Default Credentials as the base credentials. The tokens provided by the source are valid for one hour and are automatically refreshed.

Example

```go
package main

import (
	"context"
	"log"

	"google.golang.org/api/impersonate"
	"google.golang.org/api/option"
	"google.golang.org/api/transport"
)

func main() {
	ctx := context.Background()

	// Base credentials sourced from ADC or provided client options.
	ts, err := impersonate.IDTokenSource(ctx, impersonate.IDTokenConfig{
		Audience:        "http://example.com/",
		TargetPrincipal: "foo@project-id.iam.gserviceaccount.com",
		IncludeEmail:    true,
		// Optionally supply delegates.
		Delegates: []string{"bar@project-id.iam.gserviceaccount.com"},
	})
	if err != nil {
		log.Fatal(err)
	}

	// Pass an impersonated credential to any function that takes client
	// options.
	client, _, err := transport.NewHTTPClient(ctx, option.WithTokenSource(ts))
	if err != nil {
		log.Fatal(err)
	}

	// Use your client that is authenticated with impersonated credentials to
	// make requests.
	client.Get("http://example.com/")
}
```

Types

type CredentialsConfig

```go
type CredentialsConfig struct {
	// TargetPrincipal is the email address of the service account to
	// impersonate. Required.
	TargetPrincipal string
	// Scopes that the impersonated credential should have. Required.
	Scopes []string
	// Delegates are the service account email addresses in a delegation chain.
	// Each service account must be granted roles/iam.serviceAccountTokenCreator
	// on the next service account in the chain. Optional.
	Delegates []string
	// Lifetime is the amount of time until the impersonated token expires. If
	// unset the token's lifetime will be one hour and be automatically
	// refreshed. If set the token may have a max lifetime of one hour and will
	// not be refreshed. Service accounts that have been added to an org policy
	// with constraints/iam.allowServiceAccountCredentialLifetimeExtension may
	// request a token lifetime of up to 12 hours. Optional.
	Lifetime time.Duration
	// Subject is the sub field of a JWT. This field should only be set if you
	// wish to impersonate as a user. This feature is useful when using domain
	// wide delegation. Optional.
	Subject string
}
```

CredentialsConfig holds the settings for generating impersonated credentials.
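The delegation-chain rules from the overview (each link must hold roles/iam.serviceAccountTokenCreator on the next service account) and the Lifetime rules on CredentialsConfig are easy to get wrong before the first API call fails. The following is an added example, not code from the impersonate package or from google-api-go-client: it models a CredentialsConfig-shaped value and a constructed set of IAM grants for the SA1 -> DSA1 -> DSA2 -> SA2 chain from the overview, walks the chain to find the first missing grant, and applies the documented lifetime caps. The `credentialsConfig` type, the `bindings` map and `overviewExample` are stand-ins; real grants would be read from IAM policy, and the library itself performs no such pre-check.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// tokenCreatorRole is the role the package documentation requires on each
// link of the delegation chain.
const tokenCreatorRole = "roles/iam.serviceAccountTokenCreator"

// Lifetime caps documented on CredentialsConfig.Lifetime.
const (
	maxLifetime         = time.Hour
	maxExtendedLifetime = 12 * time.Hour // with constraints/iam.allowServiceAccountCredentialLifetimeExtension
)

// credentialsConfig is a local copy of the fields of impersonate.CredentialsConfig
// used by this check. It is not the library's type.
type credentialsConfig struct {
	TargetPrincipal string
	Scopes          []string
	Delegates       []string
	Lifetime        time.Duration
	Subject         string
}

// bindings maps a service account (the IAM resource) to the role each member
// holds on it. Constructed stand-in for IAM policy data.
type bindings map[string]map[string]string

// has reports whether member holds role on the service account resource.
func (b bindings) has(resource, member, role string) bool {
	return b[resource][member] == role
}

// checkChain walks base -> Delegates... -> TargetPrincipal and returns an
// error naming the first link that lacks the token creator role on the next.
func checkChain(base string, cfg credentialsConfig, b bindings) error {
	chain := append([]string{base}, cfg.Delegates...)
	chain = append(chain, cfg.TargetPrincipal)
	for i := 0; i+1 < len(chain); i++ {
		if !b.has(chain[i+1], chain[i], tokenCreatorRole) {
			return fmt.Errorf("%s lacks %s on %s", chain[i], tokenCreatorRole, chain[i+1])
		}
	}
	return nil
}

// effectiveLifetime applies the Lifetime rules: unset means one hour with
// automatic refresh; set means no refresh and a cap of one hour, or twelve
// hours when the org-policy extension applies to the target.
func effectiveLifetime(cfg credentialsConfig, extensionAllowed bool) (lifetime time.Duration, refreshes bool, err error) {
	if cfg.Lifetime == 0 {
		return maxLifetime, true, nil
	}
	limit := maxLifetime
	if extensionAllowed {
		limit = maxExtendedLifetime
	}
	if cfg.Lifetime < 0 || cfg.Lifetime > limit {
		return 0, false, fmt.Errorf("lifetime %s is outside the allowed limit of %s", cfg.Lifetime, limit)
	}
	return cfg.Lifetime, false, nil
}

// validate applies the required-field, chain and lifetime rules together.
func validate(base string, cfg credentialsConfig, b bindings, extensionAllowed bool) error {
	if cfg.TargetPrincipal == "" {
		return errors.New("TargetPrincipal is required")
	}
	if len(cfg.Scopes) == 0 {
		return errors.New("Scopes is required")
	}
	if err := checkChain(base, cfg, b); err != nil {
		return err
	}
	_, _, err := effectiveLifetime(cfg, extensionAllowed)
	return err
}

// overviewExample returns constructed grants and config for the overview's
// SA1 -> DSA1 -> DSA2 -> SA2 chain (addresses are placeholders).
func overviewExample() (base string, cfg credentialsConfig, b bindings) {
	const (
		sa1  = "sa1@project-id.iam.gserviceaccount.com"
		dsa1 = "dsa1@project-id.iam.gserviceaccount.com"
		dsa2 = "dsa2@project-id.iam.gserviceaccount.com"
		sa2  = "sa2@project-id.iam.gserviceaccount.com"
	)
	b = bindings{
		dsa1: {sa1: tokenCreatorRole},
		dsa2: {dsa1: tokenCreatorRole},
		sa2:  {dsa2: tokenCreatorRole},
	}
	cfg = credentialsConfig{
		TargetPrincipal: sa2,
		Scopes:          []string{"https://www.googleapis.com/auth/cloud-platform"},
		Delegates:       []string{dsa1, dsa2},
	}
	return sa1, cfg, b
}

func main() {
	base, cfg, b := overviewExample()
	fmt.Println("chain ok:", validate(base, cfg, b, false) == nil)
	cfg.Lifetime = 2 * time.Hour
	fmt.Println("2h without extension:", validate(base, cfg, b, false))
	fmt.Println("2h with extension:", validate(base, cfg, b, true))
}
```

Running the check before calling CredentialsTokenSource turns a vague token-generation failure into a message naming the exact grant that is missing, which is also the grant an auditor should expect to see when reviewing who can mint tokens for a sensitive service account.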

type IDTokenConfig

```go
type IDTokenConfig struct {
	// Audience is the `aud` field for the token, such as an API endpoint the
	// token will grant access to. Required.
	Audience string
	// TargetPrincipal is the email address of the service account to
	// impersonate. Required.
	TargetPrincipal string
	// IncludeEmail includes the service account's email in the token. The
	// resulting token will include both an `email` and `email_verified`
	// claim.
	IncludeEmail bool
	// Delegates are the service account email addresses in a delegation chain.
	// Each service account must be granted roles/iam.serviceAccountTokenCreator
	// on the next service account in the chain. Optional.
	Delegates []string
}
```

IDTokenConfig holds the settings for generating an impersonated ID token.
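IDTokenSource and IDTokenConfig describe the token from the caller's side; the service that receives it has to confirm the same properties, in particular that `aud` is the Audience it expects and, when IncludeEmail was requested, that `email` and `email_verified` are present. The following is an added example, not code from the impersonate package: it decodes the payload of a compact JWT and checks those claims against the IDTokenConfig values. `constructedToken` builds an unsigned stand-in token for offline use, and `decodeClaims` deliberately does not verify the signature; a real relying party must verify the token against Google's public keys (for example with an ID-token validation library) before trusting any claim, and this check is a complement to that step, not a replacement.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// idTokenClaims holds the claims this check reads. aud is modelled as a
// single string, which is how Google ID tokens carry it (assumption noted).
type idTokenClaims struct {
	Aud           string `json:"aud"`
	Sub           string `json:"sub"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
	Exp           int64  `json:"exp"`
}

// decodeClaims splits a compact JWT and decodes its payload. It does NOT
// verify the signature; callers must verify the token before trusting the
// returned claims. Here it only exposes the payload for inspection.
func decodeClaims(token string) (idTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return idTokenClaims{}, errors.New("token is not a three-part compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return idTokenClaims{}, fmt.Errorf("decoding payload: %w", err)
	}
	var c idTokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return idTokenClaims{}, fmt.Errorf("parsing claims: %w", err)
	}
	return c, nil
}

// checkClaims confirms the claims match the IDTokenConfig that was used:
// aud must equal Audience; when IncludeEmail was set, email must equal
// TargetPrincipal and email_verified must be true.
func checkClaims(c idTokenClaims, audience, targetPrincipal string, includeEmail bool) error {
	if c.Aud != audience {
		return fmt.Errorf("aud %q does not match expected audience %q", c.Aud, audience)
	}
	if includeEmail {
		if c.Email != targetPrincipal {
			return fmt.Errorf("email %q does not match target principal %q", c.Email, targetPrincipal)
		}
		if !c.EmailVerified {
			return errors.New("email_verified claim is missing or false")
		}
	}
	return nil
}

// constructedToken builds an UNSIGNED compact JWT with the given payload for
// offline demonstration. The signature segment is a placeholder; tokens from
// IDTokenSource are signed by Google.
func constructedToken(payload map[string]any) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body, _ := json.Marshal(payload)
	return header + "." + base64.RawURLEncoding.EncodeToString(body) + ".placeholder-signature"
}

func main() {
	// Constructed payload matching the IDTokenConfig values in the example above.
	tok := constructedToken(map[string]any{
		"aud":            "http://example.com/",
		"sub":            "123456789012345678901",
		"email":          "foo@project-id.iam.gserviceaccount.com",
		"email_verified": true,
		"exp":            1700000000,
	})
	c, err := decodeClaims(tok)
	if err != nil {
		fmt.Println("decode error:", err)
		return
	}
	fmt.Println("expected audience:", checkClaims(c, "http://example.com/", "foo@project-id.iam.gserviceaccount.com", true))
	fmt.Println("wrong audience:", checkClaims(c, "https://other.example/", "foo@project-id.iam.gserviceaccount.com", true))
}
```

The audience check is the one that matters most operationally: a token minted for one service is rejected by every other service only if each of them compares `aud` against its own expected value, which is why IDTokenConfig makes Audience a required field.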
