| // Copyright 2023 Google LLC |
| // |
| // Licensed under the Apache License, Version 2.0 (the "License"); |
| // you may not use this file except in compliance with the License. |
| // You may obtain a copy of the License at |
| // |
| // http://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| // See the License for the specific language governing permissions and |
| // limitations under the License. |
| |
| package credentials |
| |
| import ( |
| "context" |
| "encoding/json" |
| "errors" |
| "fmt" |
| "net/url" |
| "strings" |
| "time" |
| |
| "cloud.google.com/go/auth" |
| "cloud.google.com/go/compute/metadata" |
| ) |
| |
| var ( |
| computeTokenMetadata = map[string]interface{}{ |
| "auth.google.tokenSource": "compute-metadata", |
| "auth.google.serviceAccount": "default", |
| } |
| computeTokenURI = "instance/service-accounts/default/token" |
| ) |
| |
| // computeTokenProvider creates a [cloud.google.com/go/auth.TokenProvider] that |
| // uses the metadata service to retrieve tokens. |
| func computeTokenProvider(earlyExpiry time.Duration, scope ...string) auth.TokenProvider { |
| return auth.NewCachedTokenProvider(computeProvider{scopes: scope}, &auth.CachedTokenProviderOptions{ |
| ExpireEarly: earlyExpiry, |
| }) |
| } |
| |
| // computeProvider fetches tokens from the google cloud metadata service. |
| type computeProvider struct { |
| scopes []string |
| } |
| |
| type metadataTokenResp struct { |
| AccessToken string `json:"access_token"` |
| ExpiresInSec int `json:"expires_in"` |
| TokenType string `json:"token_type"` |
| } |
| |
| func (cs computeProvider) Token(ctx context.Context) (*auth.Token, error) { |
| tokenURI, err := url.Parse(computeTokenURI) |
| if err != nil { |
| return nil, err |
| } |
| if len(cs.scopes) > 0 { |
| v := url.Values{} |
| v.Set("scopes", strings.Join(cs.scopes, ",")) |
| tokenURI.RawQuery = v.Encode() |
| } |
| tokenJSON, err := metadata.GetWithContext(ctx, tokenURI.String()) |
| if err != nil { |
| return nil, fmt.Errorf("credentials: cannot fetch token: %w", err) |
| } |
| var res metadataTokenResp |
| if err := json.NewDecoder(strings.NewReader(tokenJSON)).Decode(&res); err != nil { |
| return nil, fmt.Errorf("credentials: invalid token JSON from metadata: %w", err) |
| } |
| if res.ExpiresInSec == 0 || res.AccessToken == "" { |
| return nil, errors.New("credentials: incomplete token received from metadata") |
| } |
| return &auth.Token{ |
| Value: res.AccessToken, |
| Type: res.TokenType, |
| Expiry: time.Now().Add(time.Duration(res.ExpiresInSec) * time.Second), |
| Metadata: computeTokenMetadata, |
| }, nil |
| |
| } |