// Copyright 2023 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package downscope_test import ( "context" "fmt" "cloud.google.com/go/auth/credentials" "cloud.google.com/go/auth/credentials/downscope" ) func ExampleNewCredentials() { // This shows how to generate a downscoped token. This code would be run on // the token broker, which holds the root token used to generate the // downscoped token. ctx := context.Background() // Initializes an accessBoundary with one Rule which restricts the // downscoped token to only be able to access the bucket "foo" and only // grants it the permission "storage.objectViewer". accessBoundary := []downscope.AccessBoundaryRule{ { AvailableResource: "//storage.googleapis.com/projects/_/buckets/foo", AvailablePermissions: []string{"inRole:roles/storage.objectViewer"}, }, } // This Source can be initialized in multiple ways; the following example uses // Application Default Credentials. baseProvider, err := credentials.DetectDefault(&credentials.DetectOptions{ Scopes: []string{"https://www.googleapis.com/auth/cloud-platform"}, }) creds, err := downscope.NewCredentials(&downscope.Options{Credentials: baseProvider, Rules: accessBoundary}) if err != nil { fmt.Printf("failed to generate downscoped token provider: %v", err) return } tok, err := creds.Token(ctx) if err != nil { fmt.Printf("failed to generate token: %v", err) return } _ = tok // You can now pass tok to a token consumer however you wish, such as exposing // a REST API and sending it over HTTP. // You can instead use the token held in tp to make // Google Cloud Storage calls, as follows: // storageClient, err := storage.NewClient(ctx, option.WithTokenProvider(tp)) }