// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package downscope implements the ability to downscope, or restrict, the
// Identity and Access Management permissions that a short-lived token
// can use. Please note that only Google Cloud Storage supports this feature.
// For complete documentation, see https://cloud.google.com/iam/docs/downscoping-short-lived-credentials
//
// To downscope the permissions of a source credential, you need to define
// a Credential Access Boundary. That boundary specifies which resources
// the newly created credential can access, an upper bound on the permissions
// it has over those resources, and optionally attribute-based conditional
// access to those resources. For more information on IAM
// Conditions, see https://cloud.google.com/iam/docs/conditions-overview.
//
// This functionality can be used to provide a third party with
// limited access to and permissions on resources held by the owner of the root
// credential, or internally, in conjunction with the principle of least privilege,
// to ensure that internal services only hold the minimum privileges necessary
// for their function.
//
// For example, a token broker can be set up on a server in a private network.
// Various workloads (token consumers) in the same network will send
// authenticated requests to that broker for downscoped tokens to access or
// modify specific Google Cloud Storage buckets. See the NewCredentials example
// for an example of how a token broker would use this package.
//
// The broker will use the functionality in this package to generate a
// downscoped token with the requested configuration, and then pass it back to
// the token consumer. These downscoped access tokens can then be used to access
// Google Cloud resources.
package downscope
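The package comment above describes what a broker does but not what a Credential Access Boundary looks like on the wire or what the broker should refuse before it ever talks to Google. The following is an added, stand-alone example written for this page; it is not code from the downscope package (whose own entry point is NewCredentials) and does not import it. It builds the boundary JSON and the STS token-exchange form that the package sends on your behalf, and shows the broker-side validation that a least-privilege design wants in front of that exchange. The JSON field names (accessBoundaryRules, availableResource, availablePermissions, availabilityCondition) and the token-exchange parameters follow Google's documented format; the bucket name, object prefix and root token value are constructed placeholders, and the limit of 10 rules per boundary is the documented upper bound.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Credential Access Boundary in the JSON shape the STS endpoint expects in "options".
type AvailabilityCondition struct {
	Expression string `json:"expression"` // CEL expression, typically over resource.name
}

type AccessBoundaryRule struct {
	AvailableResource     string                 `json:"availableResource"`
	AvailablePermissions  []string               `json:"availablePermissions"`
	AvailabilityCondition *AvailabilityCondition `json:"availabilityCondition,omitempty"`
}

type boundaryOptions struct {
	AccessBoundary struct {
		AccessBoundaryRules []AccessBoundaryRule `json:"accessBoundaryRules"`
	} `json:"accessBoundary"`
}

const (
	STSEndpoint  = "https://sts.googleapis.com/v1/token"
	bucketPrefix = "//storage.googleapis.com/projects/_/buckets/"
	maxRules     = 10 // documented upper bound on rules per boundary
)

// ValidateRules is the broker-side check run before a request leaves the private
// network: only Cloud Storage buckets, only inRole: permissions, 1..maxRules rules.
func ValidateRules(rules []AccessBoundaryRule) error {
	if len(rules) == 0 || len(rules) > maxRules {
		return fmt.Errorf("need 1..%d rules, got %d", maxRules, len(rules))
	}
	for i, r := range rules {
		if !strings.HasPrefix(r.AvailableResource, bucketPrefix) || r.AvailableResource == bucketPrefix {
			return fmt.Errorf("rule %d: %q is not a Cloud Storage bucket", i, r.AvailableResource)
		}
		if len(r.AvailablePermissions) == 0 {
			return fmt.Errorf("rule %d: no permissions", i)
		}
		for _, p := range r.AvailablePermissions {
			if !strings.HasPrefix(p, "inRole:roles/") {
				return fmt.Errorf("rule %d: permission %q must be inRole:roles/...", i, p)
			}
		}
		if c := r.AvailabilityCondition; c != nil && strings.TrimSpace(c.Expression) == "" {
			return fmt.Errorf("rule %d: condition has an empty expression", i)
		}
	}
	return nil
}

// ExchangeForm builds the form body of the STS token-exchange request: the root
// access token is the subject token and the boundary rides in "options".
func ExchangeForm(rootToken string, rules []AccessBoundaryRule) (url.Values, error) {
	if err := ValidateRules(rules); err != nil {
		return nil, err
	}
	var opts boundaryOptions
	opts.AccessBoundary.AccessBoundaryRules = rules
	raw, err := json.Marshal(opts)
	if err != nil {
		return nil, err
	}
	v := url.Values{}
	v.Set("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange")
	v.Set("subject_token_type", "urn:ietf:params:oauth:token-type:access_token")
	v.Set("requested_token_type", "urn:ietf:params:oauth:token-type:access_token")
	v.Set("subject_token", rootToken)
	v.Set("options", string(raw))
	return v, nil
}

func main() {
	// Constructed rule: read-only access to one object prefix of one bucket.
	rules := []AccessBoundaryRule{{
		AvailableResource:    bucketPrefix + "example-bucket",
		AvailablePermissions: []string{"inRole:roles/storage.objectViewer"},
		AvailabilityCondition: &AvailabilityCondition{
			Expression: "resource.name.startsWith('projects/_/buckets/example-bucket/objects/reports/')"},
	}}
	form, err := ExchangeForm("ya29.root-token-constructed", rules)
	if err != nil {
		panic(err)
	}
	fmt.Println(form.Get("options")) // the JSON boundary the STS endpoint receives
}
```

The validation is deliberately stricter than what the STS endpoint would reject on its own: a broker that forwards whatever a consumer asks for turns the root credential into a general-purpose token minter, so the broker, not the consumer, should own the allow-list of buckets and roles. In production the form is POSTed to STSEndpoint with Content-Type application/x-www-form-urlencoded, and the access_token in the JSON response is what the broker hands back to the consumer; the downscope package performs that round trip for you.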