
Source file src/cloud.google.com/go/auth/credentials/impersonate/doc.go

Documentation: cloud.google.com/go/auth/credentials/impersonate

// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package impersonate is used to impersonate Google Credentials. If you need
// to impersonate some credentials to use with a client library see
// [NewCredentials]. If instead you would like to create an OpenID
// Connect ID token using impersonation see [NewIDTokenCredentials].
//
// # Required IAM roles
//
// In order to impersonate a service account the base service account must have
// the Service Account Token Creator role, roles/iam.serviceAccountTokenCreator,
// on the service account being impersonated. See
// https://cloud.google.com/iam/docs/understanding-service-accounts.
//
// Optionally, delegates can be used during impersonation if the base service
// account lacks the token creator role on the target. When using delegates,
// each service account must be granted roles/iam.serviceAccountTokenCreator
// on the next service account in the delegation chain.
//
// For example, if a base service account of SA1 is trying to impersonate target
// service account SA2 while using delegate service accounts DSA1 and DSA2,
// the following must be true:
//
//  1. Base service account SA1 has roles/iam.serviceAccountTokenCreator on
//     DSA1.
//  2. DSA1 has roles/iam.serviceAccountTokenCreator on DSA2.
//  3. DSA2 has roles/iam.serviceAccountTokenCreator on target SA2.
//
// If the base credential is an authorized user and not a service account, or if
// the option WithQuotaProject is set, the target service account must have a
// role that grants the serviceusage.services.use permission such as
// roles/serviceusage.serviceUsageConsumer.
package impersonate

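As an added illustration of the delegation rule documented above (not code from the impersonate package or the Google Cloud client library), the following constructed Go checker walks the base -> delegates -> target chain over an in-memory model of IAM bindings and reports the first hop that lacks roles/iam.serviceAccountTokenCreator. The Binding type, the sample bindings and the account emails are assumptions; a real deployment would populate the bindings from the IAM policy of each service account.

```go
package main

import "fmt"

// Binding records that Member holds roles/iam.serviceAccountTokenCreator on
// the service account Target. This is a constructed in-memory model of IAM
// policy bindings, not a call to the IAM API.
type Binding struct {
	Member string // service account (or user) granted the role
	Target string // service account the role is granted on
}

const tokenCreator = "roles/iam.serviceAccountTokenCreator"

// hasTokenCreator reports whether member holds the Token Creator role on target.
func hasTokenCreator(bindings []Binding, member, target string) bool {
	for _, b := range bindings {
		if b.Member == member && b.Target == target {
			return true
		}
	}
	return false
}

// CheckDelegationChain walks base -> delegates... -> target and returns a
// description of the first hop that lacks roles/iam.serviceAccountTokenCreator,
// or "" when every hop is granted. With no delegates it reduces to the direct
// requirement: base must hold the role on target.
func CheckDelegationChain(bindings []Binding, base string, delegates []string, target string) string {
	chain := append([]string{base}, delegates...)
	chain = append(chain, target)
	for i := 0; i+1 < len(chain); i++ {
		if !hasTokenCreator(bindings, chain[i], chain[i+1]) {
			return fmt.Sprintf("%s lacks %s on %s", chain[i], tokenCreator, chain[i+1])
		}
	}
	return ""
}

func main() {
	// Constructed bindings for the SA1 -> DSA1 -> DSA2 -> SA2 example; the
	// DSA2 -> SA2 grant is left out on purpose so the gap is reported.
	bindings := []Binding{
		{"sa1@example.iam.gserviceaccount.com", "dsa1@example.iam.gserviceaccount.com"},
		{"dsa1@example.iam.gserviceaccount.com", "dsa2@example.iam.gserviceaccount.com"},
	}
	delegates := []string{"dsa1@example.iam.gserviceaccount.com", "dsa2@example.iam.gserviceaccount.com"}
	msg := CheckDelegationChain(bindings, "sa1@example.iam.gserviceaccount.com", delegates, "sa2@example.iam.gserviceaccount.com")
	fmt.Println("chain check:", msg)
}
```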
