// Copyright 2020 Google LLC. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. // Code generated file. DO NOT EDIT. // Package sts provides access to the Security Token Service API. // // For product documentation, see: http://cloud.google.com/iam/docs/workload-identity-federation // // Creating a client // // Usage example: // // import "google.golang.org/api/sts/v1beta" // ... // ctx := context.Background() // stsService, err := sts.NewService(ctx) // // In this example, Google Application Default Credentials are used for authentication. // // For information on how to create and obtain Application Default Credentials, see https://developers.google.com/identity/protocols/application-default-credentials. // // Other authentication options // // To use an API key for authentication (note: some APIs do not support API keys), use option.WithAPIKey: // // stsService, err := sts.NewService(ctx, option.WithAPIKey("AIza...")) // // To use an OAuth token (e.g., a user token obtained via a three-legged OAuth flow), use option.WithTokenSource: // // config := &oauth2.Config{...} // // ... // token, err := config.Exchange(ctx, ...) // stsService, err := sts.NewService(ctx, option.WithTokenSource(config.TokenSource(ctx, token))) // // See https://godoc.org/google.golang.org/api/option/ for details on options. package sts // import "google.golang.org/api/sts/v1beta" import ( "bytes" "context" "encoding/json" "errors" "fmt" "io" "net/http" "net/url" "strconv" "strings" googleapi "google.golang.org/api/googleapi" gensupport "google.golang.org/api/internal/gensupport" option "google.golang.org/api/option" internaloption "google.golang.org/api/option/internaloption" htransport "google.golang.org/api/transport/http" ) // Always reference these packages, just in case the auto-generated code // below doesn't. var _ = bytes.NewBuffer var _ = strconv.Itoa var _ = fmt.Sprintf var _ = json.NewDecoder var _ = io.Copy var _ = url.Parse var _ = gensupport.MarshalJSON var _ = googleapi.Version var _ = errors.New var _ = strings.Replace var _ = context.Canceled var _ = internaloption.WithDefaultEndpoint const apiId = "sts:v1beta" const apiName = "sts" const apiVersion = "v1beta" const basePath = "https://sts.googleapis.com/" const mtlsBasePath = "https://sts.mtls.googleapis.com/" // NewService creates a new Service. func NewService(ctx context.Context, opts ...option.ClientOption) (*Service, error) { opts = append(opts, internaloption.WithDefaultEndpoint(basePath)) opts = append(opts, internaloption.WithDefaultMTLSEndpoint(mtlsBasePath)) client, endpoint, err := htransport.NewClient(ctx, opts...) if err != nil { return nil, err } s, err := New(client) if err != nil { return nil, err } if endpoint != "" { s.BasePath = endpoint } return s, nil } // New creates a new Service. It uses the provided http.Client for requests. // // Deprecated: please use NewService instead. // To provide a custom HTTP client, use option.WithHTTPClient. // If you are using google.golang.org/api/googleapis/transport.APIKey, use option.WithAPIKey with NewService instead. func New(client *http.Client) (*Service, error) { if client == nil { return nil, errors.New("client is nil") } s := &Service{client: client, BasePath: basePath} s.V1beta = NewV1betaService(s) return s, nil } type Service struct { client *http.Client BasePath string // API endpoint base URL UserAgent string // optional additional User-Agent fragment V1beta *V1betaService } func (s *Service) userAgent() string { if s.UserAgent == "" { return googleapi.UserAgent } return googleapi.UserAgent + " " + s.UserAgent } func NewV1betaService(s *Service) *V1betaService { rs := &V1betaService{s: s} return rs } type V1betaService struct { s *Service } // GoogleIdentityStsV1betaExchangeTokenRequest: Request message for // ExchangeToken. type GoogleIdentityStsV1betaExchangeTokenRequest struct { // Audience: The full resource name of the identity provider; for // example: // `https://iam.googleapis.com/projects/{PROJECT_ID}/workloadIdentityPool // s/{POOL_ID}/providers/{PROVIDER_ID}`. Required when exchanging an // external credential for a Google access token. Audience string `json:"audience,omitempty"` // GrantType: Required. The grant type. Must be // `urn:ietf:params:oauth:grant-type:token-exchange`, which indicates a // token exchange is requested. GrantType string `json:"grantType,omitempty"` // Options: A set of features that Security Token Service supports, in // addition to the standard OAuth 2.0 token exchange, formatted as a // serialized JSON object of Options. Options string `json:"options,omitempty"` // RequestedTokenType: Required. An identifier for the type of requested // security token. Must be // `urn:ietf:params:oauth:token-type:access_token`. RequestedTokenType string `json:"requestedTokenType,omitempty"` // Scope: The OAuth 2.0 scopes to include on the resulting access token, // formatted as a list of space-delimited, case-sensitive strings. // Required when exchanging an external credential for a Google access // token. Scope string `json:"scope,omitempty"` // SubjectToken: Required. The input token. This is a either an external // credential issued by a WorkloadIdentityPoolProvider, or a short-lived // access token issued by Google. If the token is an OIDC JWT, it must // use the JWT format defined in [RFC // 7523](https://tools.ietf.org/html/rfc7523), and `subject_token_type` // must be `urn:ietf:params:oauth:token-type:jwt`. The following headers // are required: - **`kid`**: The identifier of the signing key securing // the JWT. - **`alg`**: The cryptographic algorithm securing the JWT. // Must be `RS256`. The following payload fields are required. For more // information, see [RFC 7523, Section // 3](https://tools.ietf.org/html/rfc7523#section-3). - **`iss`**: The // issuer of the token. The issuer must provide a discovery document at // `/.well-known/openid-configuration`, formatted according to section // 4.2 of the [OIDC 1.0 Discovery // specification](https://openid.net/specs/openid-connect-discovery-1_0.h // tml#ProviderConfigurationResponse). - **`iat`**: The issue time, in // seconds, since epoch. Must be in the past. - **`exp`**: The // expiration time, in seconds, since epoch. Must be fewer than 48 hours // after `iat`. Shorter expiration times are more. secure. If possible, // we recommend setting an expiration time fewer than 6 hours. - // **`sub`**: The identity asserted in the JWT. - **`aud`**: Configured // by the mapper policy. The default value is the service account's // unique ID. Example header: ``` { "alg": "RS256", "kid": "us-east-11" // } ``` Example payload: ``` { "iss": "https://accounts.google.com", // "iat": 1517963104, "exp": 1517966704, "aud": "113475438248934895348", // "sub": "113475438248934895348", "my_claims": { "additional_claim": // "value" } } ``` If `subject_token` is an AWS token, it must be a // serialized, // [signed](https://docs.aws.amazon.com/general/latest/gr/signing_aws_api // _requests.html) request to the AWS // [`GetCallerIdentity()`](https://docs.aws.amazon.com/STS/latest/APIRefe // rence/API_GetCallerIdentity) method. Format the request as // URL-encoded JSON, and set the `subject_token_type` parameter to // `urn:ietf:params:aws:token-type:aws4_request`. The following // parameters are required: - **`url`**: The URL of the AWS STS endpoint // for `GetCallerIdentity()`, such as // `https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15 // `. Regional endpoints are also supported. - **`method`:** The HTTP // request method: `POST`. - **`headers`**: The HTTP request headers, // which must include: - **`Authorization`**: The request signature. - // **`x-amz-date`**`: The time you will send the request, formatted as // an [ISO8601 // Basic](https://docs.aws.amazon.com/general/latest/gr/sigv4_elements.ht // ml#sigv4_elements_date) string. This is typically set to the current // time, and used to prevent replay attacks. - **`host`**: The hostname // of the `url` field; for example, `sts.amazonaws.com`. - // **`x-goog-cloud-target-resource`**: The full, canonical resource name // of the WorkloadIdentityPoolProvider, with or without the HTTPS // prefix. For example: ``` // //iam.googleapis.com/projects//locations//workloadIdentityPools//provi // ders/ // https://iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ ``` Signing this header as part of the signature is recommended to ensure data integrity. If you are using temporary security credentials provided by AWS, you must also include the header `x-amz-security-token`, with the value `[SESSION_TOKEN]`. The following is an example of a signed, serialized request: ``` { "headers":[ {"key": "x-amz-date", "value": "20200815T015049Z"}, {"key": "Authorization", "value": "AWS4-HMAC-SHA256+Credential=$credential,+SignedHeaders=host;x-amz-date;x-goog-cloud-target-resource,+Signature=$signature"}, {"key": "x-goog-cloud-target-resource", "value": "//iam.googleapis.com/projects//locations//workloadIdentityPools//providers/"}, {"key": "host", "value": "sts.amazonaws.com"} . ], "method":"POST", "url":"https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15" } ``` You can also use a Google-issued OAuth 2.0 access token with this field to obtain an access token with new security attributes applied, such as an AccessBoundary. In this case, set `subject_token_type` to `urn:ietf:params:oauth:token-type:access_token`. Applying additional security attributes on access tokens that already contain security attributes is not // allowed. SubjectToken string `json:"subjectToken,omitempty"` // SubjectTokenType: Required. An identifier that indicates the type of // the security token in the `subject_token` parameter. Supported values // are `urn:ietf:params:oauth:token-type:jwt`, // `urn:ietf:params:aws:token-type:aws4_request` and // `urn:ietf:params:oauth:token-type:access_token`. SubjectTokenType string `json:"subjectTokenType,omitempty"` // ForceSendFields is a list of field names (e.g. "Audience") to // unconditionally include in API requests. By default, fields with // empty values are omitted from API requests. However, any non-pointer, // non-interface field appearing in ForceSendFields will be sent to the // server regardless of whether the field is empty or not. This may be // used to include empty fields in Patch requests. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "Audience") to include in // API requests with the JSON null value. By default, fields with empty // values are omitted from API requests. However, any field with an // empty value appearing in NullFields will be sent to the server as // null. It is an error if a field in this list has a non-empty value. // This may be used to include null fields in Patch requests. NullFields []string `json:"-"` } func (s *GoogleIdentityStsV1betaExchangeTokenRequest) MarshalJSON() ([]byte, error) { type NoMethod GoogleIdentityStsV1betaExchangeTokenRequest raw := NoMethod(*s) return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) } // GoogleIdentityStsV1betaExchangeTokenResponse: Response message for // ExchangeToken. type GoogleIdentityStsV1betaExchangeTokenResponse struct { // AccessToken: An OAuth 2.0 security token, issued by Google, in // response to the token exchange request. AccessToken string `json:"access_token,omitempty"` // ExpiresIn: The expiration time of `access_token`, in seconds, from // the time of issuance. This field is absent when the `subject_token` // in the request is a Google-issued, short-lived access token. In this // case, the expiration time of the `access_token` is the same as the // `subject_token`. ExpiresIn int64 `json:"expires_in,omitempty"` // IssuedTokenType: The token type. Always matches the value of // `requested_token_type` from the request. IssuedTokenType string `json:"issued_token_type,omitempty"` // TokenType: The type of `access_token`. Always has the value `Bearer`. TokenType string `json:"token_type,omitempty"` // ServerResponse contains the HTTP response code and headers from the // server. googleapi.ServerResponse `json:"-"` // ForceSendFields is a list of field names (e.g. "AccessToken") to // unconditionally include in API requests. By default, fields with // empty values are omitted from API requests. However, any non-pointer, // non-interface field appearing in ForceSendFields will be sent to the // server regardless of whether the field is empty or not. This may be // used to include empty fields in Patch requests. ForceSendFields []string `json:"-"` // NullFields is a list of field names (e.g. "AccessToken") to include // in API requests with the JSON null value. By default, fields with // empty values are omitted from API requests. However, any field with // an empty value appearing in NullFields will be sent to the server as // null. It is an error if a field in this list has a non-empty value. // This may be used to include null fields in Patch requests. NullFields []string `json:"-"` } func (s *GoogleIdentityStsV1betaExchangeTokenResponse) MarshalJSON() ([]byte, error) { type NoMethod GoogleIdentityStsV1betaExchangeTokenResponse raw := NoMethod(*s) return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) } // method id "sts.token": type V1betaTokenCall struct { s *Service googleidentitystsv1betaexchangetokenrequest *GoogleIdentityStsV1betaExchangeTokenRequest urlParams_ gensupport.URLParams ctx_ context.Context header_ http.Header } // Token: Exchanges a credential for a Google OAuth 2.0 access token. // The token asserts an external identity within a WorkloadIdentityPool, // or applies an Access Boundary on a Google access token. func (r *V1betaService) Token(googleidentitystsv1betaexchangetokenrequest *GoogleIdentityStsV1betaExchangeTokenRequest) *V1betaTokenCall { c := &V1betaTokenCall{s: r.s, urlParams_: make(gensupport.URLParams)} c.googleidentitystsv1betaexchangetokenrequest = googleidentitystsv1betaexchangetokenrequest return c } // Fields allows partial responses to be retrieved. See // https://developers.google.com/gdata/docs/2.0/basics#PartialResponse // for more information. func (c *V1betaTokenCall) Fields(s ...googleapi.Field) *V1betaTokenCall { c.urlParams_.Set("fields", googleapi.CombineFields(s)) return c } // Context sets the context to be used in this call's Do method. Any // pending HTTP request will be aborted if the provided context is // canceled. func (c *V1betaTokenCall) Context(ctx context.Context) *V1betaTokenCall { c.ctx_ = ctx return c } // Header returns an http.Header that can be modified by the caller to // add HTTP headers to the request. func (c *V1betaTokenCall) Header() http.Header { if c.header_ == nil { c.header_ = make(http.Header) } return c.header_ } func (c *V1betaTokenCall) doRequest(alt string) (*http.Response, error) { reqHeaders := make(http.Header) reqHeaders.Set("x-goog-api-client", "gl-go/"+gensupport.GoVersion()+" gdcl/20200912") for k, v := range c.header_ { reqHeaders[k] = v } reqHeaders.Set("User-Agent", c.s.userAgent()) var body io.Reader = nil body, err := googleapi.WithoutDataWrapper.JSONReader(c.googleidentitystsv1betaexchangetokenrequest) if err != nil { return nil, err } reqHeaders.Set("Content-Type", "application/json") c.urlParams_.Set("alt", alt) c.urlParams_.Set("prettyPrint", "false") urls := googleapi.ResolveRelative(c.s.BasePath, "v1beta/token") urls += "?" + c.urlParams_.Encode() req, err := http.NewRequest("POST", urls, body) if err != nil { return nil, err } req.Header = reqHeaders return gensupport.SendRequest(c.ctx_, c.s.client, req) } // Do executes the "sts.token" call. // Exactly one of *GoogleIdentityStsV1betaExchangeTokenResponse or error // will be non-nil. Any non-2xx status code is an error. Response // headers are in either // *GoogleIdentityStsV1betaExchangeTokenResponse.ServerResponse.Header // or (if a response was returned at all) in // error.(*googleapi.Error).Header. Use googleapi.IsNotModified to check // whether the returned error was because http.StatusNotModified was // returned. func (c *V1betaTokenCall) Do(opts ...googleapi.CallOption) (*GoogleIdentityStsV1betaExchangeTokenResponse, error) { gensupport.SetOptions(c.urlParams_, opts...) res, err := c.doRequest("json") if res != nil && res.StatusCode == http.StatusNotModified { if res.Body != nil { res.Body.Close() } return nil, &googleapi.Error{ Code: res.StatusCode, Header: res.Header, } } if err != nil { return nil, err } defer googleapi.CloseBody(res) if err := googleapi.CheckResponse(res); err != nil { return nil, err } ret := &GoogleIdentityStsV1betaExchangeTokenResponse{ ServerResponse: googleapi.ServerResponse{ Header: res.Header, HTTPStatusCode: res.StatusCode, }, } target := &ret if err := gensupport.DecodeResponse(target, res); err != nil { return nil, err } return ret, nil // { // "description": "Exchanges a credential for a Google OAuth 2.0 access token. The token asserts an external identity within a WorkloadIdentityPool, or applies an Access Boundary on a Google access token.", // "flatPath": "v1beta/token", // "httpMethod": "POST", // "id": "sts.token", // "parameterOrder": [], // "parameters": {}, // "path": "v1beta/token", // "request": { // "$ref": "GoogleIdentityStsV1betaExchangeTokenRequest" // }, // "response": { // "$ref": "GoogleIdentityStsV1betaExchangeTokenResponse" // } // } }