| // Copyright 2021 Google LLC. |
| // Use of this source code is governed by a BSD-style |
| // license that can be found in the LICENSE file. |
| |
| // Code generated file. DO NOT EDIT. |
| |
| // Package sts provides access to the Security Token Service API. |
| // |
| // For product documentation, see: http://cloud.google.com/iam/docs/workload-identity-federation |
| // |
| // Creating a client |
| // |
| // Usage example: |
| // |
| // import "google.golang.org/api/sts/v1beta" |
| // ... |
| // ctx := context.Background() |
| // stsService, err := sts.NewService(ctx) |
| // |
| // In this example, Google Application Default Credentials are used for authentication. |
| // |
| // For information on how to create and obtain Application Default Credentials, see https://developers.google.com/identity/protocols/application-default-credentials. |
| // |
| // Other authentication options |
| // |
| // To use an API key for authentication (note: some APIs do not support API keys), use option.WithAPIKey: |
| // |
| // stsService, err := sts.NewService(ctx, option.WithAPIKey("AIza...")) |
| // |
| // To use an OAuth token (e.g., a user token obtained via a three-legged OAuth flow), use option.WithTokenSource: |
| // |
| // config := &oauth2.Config{...} |
| // // ... |
| // token, err := config.Exchange(ctx, ...) |
| // stsService, err := sts.NewService(ctx, option.WithTokenSource(config.TokenSource(ctx, token))) |
| // |
| // See https://godoc.org/google.golang.org/api/option/ for details on options. |
| package sts // import "google.golang.org/api/sts/v1beta" |
| |
| import ( |
| "bytes" |
| "context" |
| "encoding/json" |
| "errors" |
| "fmt" |
| "io" |
| "net/http" |
| "net/url" |
| "strconv" |
| "strings" |
| |
| googleapi "google.golang.org/api/googleapi" |
| gensupport "google.golang.org/api/internal/gensupport" |
| option "google.golang.org/api/option" |
| internaloption "google.golang.org/api/option/internaloption" |
| htransport "google.golang.org/api/transport/http" |
| ) |
| |
| // Always reference these packages, just in case the auto-generated code |
| // below doesn't. |
| var _ = bytes.NewBuffer |
| var _ = strconv.Itoa |
| var _ = fmt.Sprintf |
| var _ = json.NewDecoder |
| var _ = io.Copy |
| var _ = url.Parse |
| var _ = gensupport.MarshalJSON |
| var _ = googleapi.Version |
| var _ = errors.New |
| var _ = strings.Replace |
| var _ = context.Canceled |
| var _ = internaloption.WithDefaultEndpoint |
| |
| const apiId = "sts:v1beta" |
| const apiName = "sts" |
| const apiVersion = "v1beta" |
| const basePath = "https://sts.googleapis.com/" |
| const mtlsBasePath = "https://sts.mtls.googleapis.com/" |
| |
| // NewService creates a new Service. |
| func NewService(ctx context.Context, opts ...option.ClientOption) (*Service, error) { |
| opts = append(opts, internaloption.WithDefaultEndpoint(basePath)) |
| opts = append(opts, internaloption.WithDefaultMTLSEndpoint(mtlsBasePath)) |
| client, endpoint, err := htransport.NewClient(ctx, opts...) |
| if err != nil { |
| return nil, err |
| } |
| s, err := New(client) |
| if err != nil { |
| return nil, err |
| } |
| if endpoint != "" { |
| s.BasePath = endpoint |
| } |
| return s, nil |
| } |
| |
| // New creates a new Service. It uses the provided http.Client for requests. |
| // |
| // Deprecated: please use NewService instead. |
| // To provide a custom HTTP client, use option.WithHTTPClient. |
| // If you are using google.golang.org/api/googleapis/transport.APIKey, use option.WithAPIKey with NewService instead. |
| func New(client *http.Client) (*Service, error) { |
| if client == nil { |
| return nil, errors.New("client is nil") |
| } |
| s := &Service{client: client, BasePath: basePath} |
| s.V1beta = NewV1betaService(s) |
| return s, nil |
| } |
| |
| type Service struct { |
| client *http.Client |
| BasePath string // API endpoint base URL |
| UserAgent string // optional additional User-Agent fragment |
| |
| V1beta *V1betaService |
| } |
| |
| func (s *Service) userAgent() string { |
| if s.UserAgent == "" { |
| return googleapi.UserAgent |
| } |
| return googleapi.UserAgent + " " + s.UserAgent |
| } |
| |
| func NewV1betaService(s *Service) *V1betaService { |
| rs := &V1betaService{s: s} |
| return rs |
| } |
| |
| type V1betaService struct { |
| s *Service |
| } |
| |
| // GoogleIdentityStsV1betaExchangeTokenRequest: Request message for |
| // ExchangeToken. |
| type GoogleIdentityStsV1betaExchangeTokenRequest struct { |
| // Audience: The full resource name of the identity provider. For |
| // example, |
| // `//iam.googleapis.com/projects//workloadIdentityPools//providers/`. |
| // Required when exchanging an external credential for a Google access |
| // token. |
| Audience string `json:"audience,omitempty"` |
| |
| // GrantType: Required. The grant type. Must be |
| // `urn:ietf:params:oauth:grant-type:token-exchange`, which indicates a |
| // token exchange. |
| GrantType string `json:"grantType,omitempty"` |
| |
| // Options: A set of features that Security Token Service supports, in |
| // addition to the standard OAuth 2.0 token exchange, formatted as a |
| // serialized JSON object of Options. |
| Options string `json:"options,omitempty"` |
| |
| // RequestedTokenType: Required. The type of security token. Must be |
| // `urn:ietf:params:oauth:token-type:access_token`, which indicates an |
| // OAuth 2.0 access token. |
| RequestedTokenType string `json:"requestedTokenType,omitempty"` |
| |
| // Scope: The OAuth 2.0 scopes to include on the resulting access token, |
| // formatted as a list of space-delimited, case-sensitive strings. |
| // Required when exchanging an external credential for a Google access |
| // token. |
| Scope string `json:"scope,omitempty"` |
| |
| // SubjectToken: Required. The input token. This token is a either an |
| // external credential issued by a workload identity pool provider, or a |
| // short-lived access token issued by Google. If the token is an OIDC |
| // JWT, it must use the JWT format defined in RFC 7523 |
| // (https://tools.ietf.org/html/rfc7523), and the `subject_token_type` |
| // must be `urn:ietf:params:oauth:token-type:jwt`. The following headers |
| // are required: - `kid`: The identifier of the signing key securing the |
| // JWT. - `alg`: The cryptographic algorithm securing the JWT. Must be |
| // `RS256`. The following payload fields are required. For more |
| // information, see RFC 7523, Section 3 |
| // (https://tools.ietf.org/html/rfc7523#section-3): - `iss`: The issuer |
| // of the token. The issuer must provide a discovery document at the URL |
| // `/.well-known/openid-configuration`, where `` is the value of this |
| // field. The document must be formatted according to section 4.2 of the |
| // OIDC 1.0 Discovery specification |
| // (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). |
| // - `iat`: The issue time, in seconds, since the Unix epoch. Must be in |
| // the past. - `exp`: The expiration time, in seconds, since the Unix |
| // epoch. Must be less than 48 hours after `iat`. Shorter expiration |
| // times are more secure. If possible, we recommend setting an |
| // expiration time less than 6 hours. - `sub`: The identity asserted in |
| // the JWT. - `aud`: Configured by the mapper policy. The default value |
| // is the service account's unique ID. Example header: ``` { "alg": |
| // "RS256", "kid": "us-east-11" } ``` Example payload: ``` { "iss": |
| // "https://accounts.google.com", "iat": 1517963104, "exp": 1517966704, |
| // "aud": "113475438248934895348", "sub": "113475438248934895348", |
| // "my_claims": { "additional_claim": "value" } } ``` If `subject_token` |
| // is for AWS, it must be a serialized `GetCallerIdentity` token. This |
| // token contains the same information as a request to the AWS |
| // `GetCallerIdentity()` |
| // (https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity) |
| // method, as well as the AWS signature |
| // (https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html) |
| // for the request information. Use Signature Version 4. Format the |
| // request as URL-encoded JSON, and set the `subject_token_type` |
| // parameter to `urn:ietf:params:aws:token-type:aws4_request`. The |
| // following parameters are required: - `url`: The URL of the AWS STS |
| // endpoint for `GetCallerIdentity()`, such as |
| // `https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15 |
| // `. Regional endpoints are also supported. - `method`: The HTTP |
| // request method: `POST`. - `headers`: The HTTP request headers, which |
| // must include: - `Authorization`: The request signature. - |
| // `x-amz-date`: The time you will send the request, formatted as an |
| // ISO8601 Basic |
| // (https://docs.aws.amazon.com/general/latest/gr/sigv4_elements.html#sigv4_elements_date) |
| // string. This value is typically set to the current time and is used |
| // to help prevent replay attacks. - `host`: The hostname of the `url` |
| // field; for example, `sts.amazonaws.com`. - |
| // `x-goog-cloud-target-resource`: The full, canonical resource name of |
| // the workload identity pool provider, with or without an `https:` |
| // prefix. To help ensure data integrity, we recommend including this |
| // header in the `SignedHeaders` field of the signed request. For |
| // example: |
| // //iam.googleapis.com/projects//locations//workloadIdentityPools//provi |
| // ders/ |
| // https://iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ |
| // If you are using temporary security credentials provided by AWS, you |
| // must also include the header `x-amz-security-token`, with the value |
| // set to the session token. The following example shows a |
| // `GetCallerIdentity` token: ``` { "headers": [ {"key": "x-amz-date", |
| // "value": "20200815T015049Z"}, {"key": "Authorization", "value": |
| // "AWS4-HMAC-SHA256+Credential=$credential,+SignedHeaders=host;x-amz-dat |
| // e;x-goog-cloud-target-resource,+Signature=$signature"}, {"key": |
| // "x-goog-cloud-target-resource", "value": |
| // "//iam.googleapis.com/projects//locations//workloadIdentityPools//prov |
| // iders/"}, {"key": "host", "value": "sts.amazonaws.com"} . ], |
| // "method": "POST", "url": |
| // "https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15 |
| // " } ``` You can also use a Google-issued OAuth 2.0 access token with |
| // this field to obtain an access token with new security attributes |
| // applied, such as a Credential Access Boundary. In this case, set |
| // `subject_token_type` to |
| // `urn:ietf:params:oauth:token-type:access_token`. If an access token |
| // already contains security attributes, you cannot apply additional |
| // security attributes. |
| SubjectToken string `json:"subjectToken,omitempty"` |
| |
| // SubjectTokenType: Required. An identifier that indicates the type of |
| // the security token in the `subject_token` parameter. Supported values |
| // are `urn:ietf:params:oauth:token-type:jwt`, |
| // `urn:ietf:params:aws:token-type:aws4_request`, and |
| // `urn:ietf:params:oauth:token-type:access_token`. |
| SubjectTokenType string `json:"subjectTokenType,omitempty"` |
| |
| // ForceSendFields is a list of field names (e.g. "Audience") to |
| // unconditionally include in API requests. By default, fields with |
| // empty values are omitted from API requests. However, any non-pointer, |
| // non-interface field appearing in ForceSendFields will be sent to the |
| // server regardless of whether the field is empty or not. This may be |
| // used to include empty fields in Patch requests. |
| ForceSendFields []string `json:"-"` |
| |
| // NullFields is a list of field names (e.g. "Audience") to include in |
| // API requests with the JSON null value. By default, fields with empty |
| // values are omitted from API requests. However, any field with an |
| // empty value appearing in NullFields will be sent to the server as |
| // null. It is an error if a field in this list has a non-empty value. |
| // This may be used to include null fields in Patch requests. |
| NullFields []string `json:"-"` |
| } |
| |
| func (s *GoogleIdentityStsV1betaExchangeTokenRequest) MarshalJSON() ([]byte, error) { |
| type NoMethod GoogleIdentityStsV1betaExchangeTokenRequest |
| raw := NoMethod(*s) |
| return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) |
| } |
| |
| // GoogleIdentityStsV1betaExchangeTokenResponse: Response message for |
| // ExchangeToken. |
| type GoogleIdentityStsV1betaExchangeTokenResponse struct { |
| // AccessToken: An OAuth 2.0 security token, issued by Google, in |
| // response to the token exchange request. Tokens can vary in size, |
| // depending in part on the size of mapped claims, up to a maximum of |
| // 12288 bytes (12 KB). Google reserves the right to change the token |
| // size and the maximum length at any time. |
| AccessToken string `json:"access_token,omitempty"` |
| |
| // ExpiresIn: The amount of time, in seconds, between the time when the |
| // access token was issued and the time when the access token will |
| // expire. This field is absent when the `subject_token` in the request |
| // is a Google-issued, short-lived access token. In this case, the |
| // access token has the same expiration time as the `subject_token`. |
| ExpiresIn int64 `json:"expires_in,omitempty"` |
| |
| // IssuedTokenType: The token type. Always matches the value of |
| // `requested_token_type` from the request. |
| IssuedTokenType string `json:"issued_token_type,omitempty"` |
| |
| // TokenType: The type of access token. Always has the value `Bearer`. |
| TokenType string `json:"token_type,omitempty"` |
| |
| // ServerResponse contains the HTTP response code and headers from the |
| // server. |
| googleapi.ServerResponse `json:"-"` |
| |
| // ForceSendFields is a list of field names (e.g. "AccessToken") to |
| // unconditionally include in API requests. By default, fields with |
| // empty values are omitted from API requests. However, any non-pointer, |
| // non-interface field appearing in ForceSendFields will be sent to the |
| // server regardless of whether the field is empty or not. This may be |
| // used to include empty fields in Patch requests. |
| ForceSendFields []string `json:"-"` |
| |
| // NullFields is a list of field names (e.g. "AccessToken") to include |
| // in API requests with the JSON null value. By default, fields with |
| // empty values are omitted from API requests. However, any field with |
| // an empty value appearing in NullFields will be sent to the server as |
| // null. It is an error if a field in this list has a non-empty value. |
| // This may be used to include null fields in Patch requests. |
| NullFields []string `json:"-"` |
| } |
| |
| func (s *GoogleIdentityStsV1betaExchangeTokenResponse) MarshalJSON() ([]byte, error) { |
| type NoMethod GoogleIdentityStsV1betaExchangeTokenResponse |
| raw := NoMethod(*s) |
| return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) |
| } |
| |
| // method id "sts.token": |
| |
| type V1betaTokenCall struct { |
| s *Service |
| googleidentitystsv1betaexchangetokenrequest *GoogleIdentityStsV1betaExchangeTokenRequest |
| urlParams_ gensupport.URLParams |
| ctx_ context.Context |
| header_ http.Header |
| } |
| |
| // Token: Exchanges a credential for a Google OAuth 2.0 access token. |
| // The token asserts an external identity within a workload identity |
| // pool, or it applies a Credential Access Boundary to a Google access |
| // token. When you call this method, do not send the `Authorization` |
| // HTTP header in the request. This method does not require the |
| // `Authorization` header, and using the header can cause the request to |
| // fail. |
| func (r *V1betaService) Token(googleidentitystsv1betaexchangetokenrequest *GoogleIdentityStsV1betaExchangeTokenRequest) *V1betaTokenCall { |
| c := &V1betaTokenCall{s: r.s, urlParams_: make(gensupport.URLParams)} |
| c.googleidentitystsv1betaexchangetokenrequest = googleidentitystsv1betaexchangetokenrequest |
| return c |
| } |
| |
| // Fields allows partial responses to be retrieved. See |
| // https://developers.google.com/gdata/docs/2.0/basics#PartialResponse |
| // for more information. |
| func (c *V1betaTokenCall) Fields(s ...googleapi.Field) *V1betaTokenCall { |
| c.urlParams_.Set("fields", googleapi.CombineFields(s)) |
| return c |
| } |
| |
| // Context sets the context to be used in this call's Do method. Any |
| // pending HTTP request will be aborted if the provided context is |
| // canceled. |
| func (c *V1betaTokenCall) Context(ctx context.Context) *V1betaTokenCall { |
| c.ctx_ = ctx |
| return c |
| } |
| |
| // Header returns an http.Header that can be modified by the caller to |
| // add HTTP headers to the request. |
| func (c *V1betaTokenCall) Header() http.Header { |
| if c.header_ == nil { |
| c.header_ = make(http.Header) |
| } |
| return c.header_ |
| } |
| |
| func (c *V1betaTokenCall) doRequest(alt string) (*http.Response, error) { |
| reqHeaders := make(http.Header) |
| reqHeaders.Set("x-goog-api-client", "gl-go/"+gensupport.GoVersion()+" gdcl/20210211") |
| for k, v := range c.header_ { |
| reqHeaders[k] = v |
| } |
| reqHeaders.Set("User-Agent", c.s.userAgent()) |
| var body io.Reader = nil |
| body, err := googleapi.WithoutDataWrapper.JSONReader(c.googleidentitystsv1betaexchangetokenrequest) |
| if err != nil { |
| return nil, err |
| } |
| reqHeaders.Set("Content-Type", "application/json") |
| c.urlParams_.Set("alt", alt) |
| c.urlParams_.Set("prettyPrint", "false") |
| urls := googleapi.ResolveRelative(c.s.BasePath, "v1beta/token") |
| urls += "?" + c.urlParams_.Encode() |
| req, err := http.NewRequest("POST", urls, body) |
| if err != nil { |
| return nil, err |
| } |
| req.Header = reqHeaders |
| return gensupport.SendRequest(c.ctx_, c.s.client, req) |
| } |
| |
| // Do executes the "sts.token" call. |
| // Exactly one of *GoogleIdentityStsV1betaExchangeTokenResponse or error |
| // will be non-nil. Any non-2xx status code is an error. Response |
| // headers are in either |
| // *GoogleIdentityStsV1betaExchangeTokenResponse.ServerResponse.Header |
| // or (if a response was returned at all) in |
| // error.(*googleapi.Error).Header. Use googleapi.IsNotModified to check |
| // whether the returned error was because http.StatusNotModified was |
| // returned. |
| func (c *V1betaTokenCall) Do(opts ...googleapi.CallOption) (*GoogleIdentityStsV1betaExchangeTokenResponse, error) { |
| gensupport.SetOptions(c.urlParams_, opts...) |
| res, err := c.doRequest("json") |
| if res != nil && res.StatusCode == http.StatusNotModified { |
| if res.Body != nil { |
| res.Body.Close() |
| } |
| return nil, &googleapi.Error{ |
| Code: res.StatusCode, |
| Header: res.Header, |
| } |
| } |
| if err != nil { |
| return nil, err |
| } |
| defer googleapi.CloseBody(res) |
| if err := googleapi.CheckResponse(res); err != nil { |
| return nil, err |
| } |
| ret := &GoogleIdentityStsV1betaExchangeTokenResponse{ |
| ServerResponse: googleapi.ServerResponse{ |
| Header: res.Header, |
| HTTPStatusCode: res.StatusCode, |
| }, |
| } |
| target := &ret |
| if err := gensupport.DecodeResponse(target, res); err != nil { |
| return nil, err |
| } |
| return ret, nil |
| // { |
| // "description": "Exchanges a credential for a Google OAuth 2.0 access token. The token asserts an external identity within a workload identity pool, or it applies a Credential Access Boundary to a Google access token. When you call this method, do not send the `Authorization` HTTP header in the request. This method does not require the `Authorization` header, and using the header can cause the request to fail.", |
| // "flatPath": "v1beta/token", |
| // "httpMethod": "POST", |
| // "id": "sts.token", |
| // "parameterOrder": [], |
| // "parameters": {}, |
| // "path": "v1beta/token", |
| // "request": { |
| // "$ref": "GoogleIdentityStsV1betaExchangeTokenRequest" |
| // }, |
| // "response": { |
| // "$ref": "GoogleIdentityStsV1betaExchangeTokenResponse" |
| // } |
| // } |
| |
| } |