
     1  // Copyright 2024 Google LLC.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  // Code generated file. DO NOT EDIT.
     6  
     7  // Package sts provides access to the Security Token Service API.
     8  //
     9  // For product documentation, see: http://cloud.google.com/iam/docs/workload-identity-federation
    10  //
    11  // # Library status
    12  //
    13  // These client libraries are officially supported by Google. However, this
    14  // library is considered complete and is in maintenance mode. This means
    15  // that we will address critical bugs and security issues but will not add
    16  // any new features.
    17  //
    18  // When possible, we recommend using our newer
    19  // [Cloud Client Libraries for Go](https://pkg.go.dev/cloud.google.com/go)
    20  // that are still actively being worked and iterated on.
    21  //
    22  // # Creating a client
    23  //
    24  // Usage example:
    25  //
    26  //	import "google.golang.org/api/sts/v1"
    27  //	...
    28  //	ctx := context.Background()
    29  //	stsService, err := sts.NewService(ctx)
    30  //
    31  // In this example, Google Application Default Credentials are used for
    32  // authentication. For information on how to create and obtain Application
    33  // Default Credentials, see https://developers.google.com/identity/protocols/application-default-credentials.
    34  //
    35  // # Other authentication options
    36  //
    37  // To use an API key for authentication (note: some APIs do not support API
    38  // keys), use [google.golang.org/api/option.WithAPIKey]:
    39  //
    40  //	stsService, err := sts.NewService(ctx, option.WithAPIKey("AIza..."))
    41  //
    42  // To use an OAuth token (e.g., a user token obtained via a three-legged OAuth
    43  // flow), use [google.golang.org/api/option.WithTokenSource]:
    44  //
    45  //	config := &oauth2.Config{...}
    46  //	// ...
    47  //	token, err := config.Exchange(ctx, ...)
    48  //	stsService, err := sts.NewService(ctx, option.WithTokenSource(config.TokenSource(ctx, token)))
    49  //
    50  // See [google.golang.org/api/option.ClientOption] for details on options.
    51  package sts // import "google.golang.org/api/sts/v1"
    52  
    53  import (
    54  	"bytes"
    55  	"context"
    56  	"encoding/json"
    57  	"errors"
    58  	"fmt"
    59  	"io"
    60  	"net/http"
    61  	"net/url"
    62  	"strconv"
    63  	"strings"
    64  
    65  	googleapi "google.golang.org/api/googleapi"
    66  	internal "google.golang.org/api/internal"
    67  	gensupport "google.golang.org/api/internal/gensupport"
    68  	option "google.golang.org/api/option"
    69  	internaloption "google.golang.org/api/option/internaloption"
    70  	htransport "google.golang.org/api/transport/http"
    71  )
    72  
// Always reference these packages, just in case the auto-generated code
// below doesn't. Each assignment to the blank identifier keeps the import
// in use without emitting any code.
var (
	_ = bytes.NewBuffer
	_ = strconv.Itoa
	_ = fmt.Sprintf
	_ = json.NewDecoder
	_ = io.Copy
	_ = url.Parse
	_ = gensupport.MarshalJSON
	_ = googleapi.Version
	_ = errors.New
	_ = strings.Replace
	_ = context.Canceled
	_ = internaloption.WithDefaultEndpoint
	_ = internal.Version
)
    88  
// Identity and endpoint constants of the generated client.
const (
	apiId      = "sts:v1"
	apiName    = "sts"
	apiVersion = "v1"

	// basePath is the default endpoint registered by NewService and used by
	// New; basePathTemplate carries the UNIVERSE_DOMAIN placeholder handed to
	// WithDefaultEndpointTemplate; mtlsBasePath is handed to
	// WithDefaultMTLSEndpoint.
	basePath         = "https://sts.googleapis.com/"
	basePathTemplate = "https://sts.UNIVERSE_DOMAIN/"
	mtlsBasePath     = "https://sts.mtls.googleapis.com/"
)
    95  
// NewService creates a new Service.
//
// The package's default endpoint, endpoint template and mTLS endpoint,
// plus the new-auth-library switch, are appended after the caller's opts
// before the HTTP client is built. Any error from htransport.NewClient or
// New is returned unchanged. If the transport reports an endpoint, it
// replaces the Service's BasePath — every request, including the exchanged
// credentials, is sent there, so endpoint options should come from trusted
// configuration.
func NewService(ctx context.Context, opts ...option.ClientOption) (*Service, error) {
	defaults := []option.ClientOption{
		internaloption.WithDefaultEndpoint(basePath),
		internaloption.WithDefaultEndpointTemplate(basePathTemplate),
		internaloption.WithDefaultMTLSEndpoint(mtlsBasePath),
		internaloption.EnableNewAuthLibrary(),
	}
	opts = append(opts, defaults...)

	client, endpoint, err := htransport.NewClient(ctx, opts...)
	if err != nil {
		return nil, err
	}

	svc, err := New(client)
	if err != nil {
		return nil, err
	}
	if endpoint != "" {
		svc.BasePath = endpoint
	}
	return svc, nil
}
   115  
// New creates a new Service. It uses the provided http.Client for requests.
//
// Deprecated: please use NewService instead.
// To provide a custom HTTP client, use option.WithHTTPClient.
// If you are using google.golang.org/api/googleapis/transport.APIKey, use option.WithAPIKey with NewService instead.
//
// A nil client is rejected with an error rather than deferred to the first
// request. The returned Service targets basePath and has its V1 sub-service
// wired up.
func New(client *http.Client) (*Service, error) {
	if client == nil {
		return nil, errors.New("client is nil")
	}
	svc := &Service{
		client:   client,
		BasePath: basePath,
	}
	svc.V1 = NewV1Service(svc)
	return svc, nil
}
   129  
// Service is the client for the Security Token Service API. Build it with
// NewService (or the deprecated New); the zero value has no HTTP client and
// is not usable.
type Service struct {
	client    *http.Client
	BasePath  string // API endpoint base URL
	UserAgent string // optional additional User-Agent fragment

	// V1 groups the v1 methods of the API.
	V1 *V1Service
}
   137  
// userAgent returns the User-Agent string for requests: the library's
// googleapi.UserAgent, followed by a space and s.UserAgent when the latter
// is set.
func (s *Service) userAgent() string {
	ua := googleapi.UserAgent
	if s.UserAgent != "" {
		ua += " " + s.UserAgent
	}
	return ua
}
   144  
// NewV1Service returns a V1Service bound to s.
func NewV1Service(s *Service) *V1Service {
	return &V1Service{s: s}
}
   149  
// V1Service groups the v1 methods of the API; s is the owning Service.
type V1Service struct {
	s *Service
}
   153  
// GoogleIamV1Binding: Associates `members`, or principals, with a `role`.
//
// Every API field is tagged omitempty, so an empty value is dropped from the
// request unless it is named in ForceSendFields (or NullFields for JSON null).
type GoogleIamV1Binding struct {
	// Condition: The condition that is associated with this binding. If the
	// condition evaluates to `true`, then this binding applies to the current
	// request. If the condition evaluates to `false`, then this binding does not
	// apply to the current request. However, a different role binding might grant
	// the same role to one or more of the principals in this binding. To learn
	// which resources support conditions in their IAM policies, see the IAM
	// documentation
	// (https://cloud.google.com/iam/help/conditions/resource-policies).
	Condition *GoogleTypeExpr `json:"condition,omitempty"`
	// Members: Specifies the principals requesting access for a Google Cloud
	// resource. `members` can have the following values: * `allUsers`: A special
	// identifier that represents anyone who is on the internet; with or without a
	// Google account. * `allAuthenticatedUsers`: A special identifier that
	// represents anyone who is authenticated with a Google account or a service
	// account. Does not include identities that come from external identity
	// providers (IdPs) through identity federation. * `user:{emailid}`: An email
	// address that represents a specific Google account. For example,
	// `alice@example.com` . * `serviceAccount:{emailid}`: An email address that
	// represents a Google service account. For example,
	// `my-other-app@appspot.gserviceaccount.com`. *
	// `serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]`: An
	// identifier for a Kubernetes service account
	// (https://cloud.google.com/kubernetes-engine/docs/how-to/kubernetes-service-accounts).
	// For example, `my-project.svc.id.goog[my-namespace/my-kubernetes-sa]`. *
	// `group:{emailid}`: An email address that represents a Google group. For
	// example, `admins@example.com`. * `domain:{domain}`: The G Suite domain
	// (primary) that represents all the users of that domain. For example,
	// `google.com` or `example.com`. *
	// `principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/sub
	// ject/{subject_attribute_value}`: A single identity in a workforce identity
	// pool. *
	// `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/
	// group/{group_id}`: All workforce identities in a group. *
	// `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/
	// attribute.{attribute_name}/{attribute_value}`: All workforce identities with
	// a specific attribute value. *
	// `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/
	// *`: All identities in a workforce identity pool. *
	// `principal://iam.googleapis.com/projects/{project_number}/locations/global/wo
	// rkloadIdentityPools/{pool_id}/subject/{subject_attribute_value}`: A single
	// identity in a workload identity pool. *
	// `principalSet://iam.googleapis.com/projects/{project_number}/locations/global
	// /workloadIdentityPools/{pool_id}/group/{group_id}`: A workload identity pool
	// group. *
	// `principalSet://iam.googleapis.com/projects/{project_number}/locations/global
	// /workloadIdentityPools/{pool_id}/attribute.{attribute_name}/{attribute_value}
	// `: All identities in a workload identity pool with a certain attribute. *
	// `principalSet://iam.googleapis.com/projects/{project_number}/locations/global
	// /workloadIdentityPools/{pool_id}/*`: All identities in a workload identity
	// pool. * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus
	// unique identifier) representing a user that has been recently deleted. For
	// example, `alice@example.com?uid=123456789012345678901`. If the user is
	// recovered, this value reverts to `user:{emailid}` and the recovered user
	// retains the role in the binding. *
	// `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
	// unique identifier) representing a service account that has been recently
	// deleted. For example,
	// `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the
	// service account is undeleted, this value reverts to
	// `serviceAccount:{emailid}` and the undeleted service account retains the
	// role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: An email
	// address (plus unique identifier) representing a Google group that has been
	// recently deleted. For example,
	// `admins@example.com?uid=123456789012345678901`. If the group is recovered,
	// this value reverts to `group:{emailid}` and the recovered group retains the
	// role in the binding. *
	// `deleted:principal://iam.googleapis.com/locations/global/workforcePools/{pool
	// _id}/subject/{subject_attribute_value}`: Deleted single identity in a
	// workforce identity pool. For example,
	// `deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-po
	// ol-id/subject/my-subject-attribute-value`.
	//
	// Note that `allUsers` and `allAuthenticatedUsers` grant the role to
	// everyone; review bindings that use them before sending.
	Members []string `json:"members,omitempty"`
	// Role: Role that is assigned to the list of `members`, or principals. For
	// example, `roles/viewer`, `roles/editor`, or `roles/owner`. For an overview
	// of the IAM roles and permissions, see the IAM documentation
	// (https://cloud.google.com/iam/docs/roles-overview). For a list of the
	// available pre-defined roles, see here
	// (https://cloud.google.com/iam/docs/understanding-roles).
	Role string `json:"role,omitempty"`
	// ForceSendFields is a list of field names (e.g. "Condition") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "Condition") to include in API
	// requests with the JSON null value. By default, fields with empty values are
	// omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}
   247  
// MarshalJSON encodes s through gensupport.MarshalJSON, honouring
// ForceSendFields and NullFields. The value is first converted to a local
// type that has no methods, so it is encoded as a plain struct instead of
// re-entering this method.
func (s *GoogleIamV1Binding) MarshalJSON() ([]byte, error) {
	type plain GoogleIamV1Binding
	body := plain(*s)
	return gensupport.MarshalJSON(body, s.ForceSendFields, s.NullFields)
}
   252  
// GoogleIdentityStsV1AccessBoundary: An access boundary defines the upper
// bound of what a principal may access. It includes a list of access boundary
// rules that each defines the resource that may be allowed as well as
// permissions that may be used on those resources.
//
// It is carried in GoogleIdentityStsV1Options.AccessBoundary, and an empty
// rule list is omitted from the request unless named in ForceSendFields.
type GoogleIdentityStsV1AccessBoundary struct {
	// AccessBoundaryRules: A list of access boundary rules which defines the upper
	// bound of the permission a principal may carry. If multiple rules are
	// specified, the effective access boundary is the union of all the access
	// boundary rules attached. One access boundary can contain at most 10 rules.
	AccessBoundaryRules []*GoogleIdentityStsV1AccessBoundaryRule `json:"accessBoundaryRules,omitempty"`
	// ForceSendFields is a list of field names (e.g. "AccessBoundaryRules") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "AccessBoundaryRules") to include
	// in API requests with the JSON null value. By default, fields with empty
	// values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}
   275  
// MarshalJSON encodes s through gensupport.MarshalJSON, honouring
// ForceSendFields and NullFields. Converting to a method-less local type
// keeps the encoder from calling back into this method.
func (s *GoogleIdentityStsV1AccessBoundary) MarshalJSON() ([]byte, error) {
	type plain GoogleIdentityStsV1AccessBoundary
	body := plain(*s)
	return gensupport.MarshalJSON(body, s.ForceSendFields, s.NullFields)
}
   280  
// GoogleIdentityStsV1AccessBoundaryRule: An access boundary rule defines an
// upper bound of IAM permissions on a single resource.
//
// A rule only narrows what the principal already holds; it never grants
// permissions the underlying credential lacks (see AvailabilityCondition).
type GoogleIdentityStsV1AccessBoundaryRule struct {
	// AvailabilityCondition: The availability condition further constrains the
	// access allowed by the access boundary rule. If the condition evaluates to
	// `true`, then this access boundary rule will provide access to the specified
	// resource, assuming the principal has the required permissions for the
	// resource. If the condition does not evaluate to `true`, then access to the
	// specified resource will not be available. Note that all access boundary
	// rules in an access boundary are evaluated together as a union. As such,
	// another access boundary rule may allow access to the resource, even if this
	// access boundary rule does not allow access. To learn which resources support
	// conditions in their IAM policies, see the IAM documentation
	// (https://cloud.google.com/iam/help/conditions/resource-policies). The
	// maximum length of the `expression` field is 2048 characters.
	AvailabilityCondition *GoogleTypeExpr `json:"availabilityCondition,omitempty"`
	// AvailablePermissions: A list of permissions that may be allowed for use on
	// the specified resource. The only supported values in the list are IAM roles,
	// following the format of google.iam.v1.Binding.role. Example value:
	// `inRole:roles/logging.viewer` for predefined roles and
	// `inRole:organizations/{ORGANIZATION_ID}/roles/logging.viewer` for custom
	// roles.
	AvailablePermissions []string `json:"availablePermissions,omitempty"`
	// AvailableResource: The full resource name of a Google Cloud resource entity.
	// The format definition is at
	// https://cloud.google.com/apis/design/resource_names. Example value:
	// `//cloudresourcemanager.googleapis.com/projects/my-project`.
	AvailableResource string `json:"availableResource,omitempty"`
	// ForceSendFields is a list of field names (e.g. "AvailabilityCondition") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "AvailabilityCondition") to
	// include in API requests with the JSON null value. By default, fields with
	// empty values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}
   321  
// MarshalJSON encodes s through gensupport.MarshalJSON, honouring
// ForceSendFields and NullFields. Converting to a method-less local type
// keeps the encoder from calling back into this method.
func (s *GoogleIdentityStsV1AccessBoundaryRule) MarshalJSON() ([]byte, error) {
	type plain GoogleIdentityStsV1AccessBoundaryRule
	body := plain(*s)
	return gensupport.MarshalJSON(body, s.ForceSendFields, s.NullFields)
}
   326  
// GoogleIdentityStsV1ExchangeTokenRequest: Request message for ExchangeToken.
//
// SubjectToken carries a credential (an external token or a Google access
// token); keep it out of logs, error messages and %+v dumps of this struct.
type GoogleIdentityStsV1ExchangeTokenRequest struct {
	// Audience: The full resource name of the identity provider; for example:
	// `//iam.googleapis.com/projects//locations/global/workloadIdentityPools//provi
	// ders/` for workload identity pool providers, or
	// `//iam.googleapis.com/locations/global/workforcePools//providers/` for
	// workforce pool providers. Required when exchanging an external credential
	// for a Google access token.
	Audience string `json:"audience,omitempty"`
	// GrantType: Required. The grant type. Must be
	// `urn:ietf:params:oauth:grant-type:token-exchange`, which indicates a token
	// exchange.
	GrantType string `json:"grantType,omitempty"`
	// Options: A set of features that Security Token Service supports, in addition
	// to the standard OAuth 2.0 token exchange, formatted as a serialized JSON
	// object of Options. The size of the parameter value must not exceed 4096
	// characters.
	//
	// This is a string, not a nested struct: serialize a
	// GoogleIdentityStsV1Options value and place the JSON text here.
	Options string `json:"options,omitempty"`
	// RequestedTokenType: Required. An identifier for the type of requested
	// security token. Can be `urn:ietf:params:oauth:token-type:access_token` or
	// `urn:ietf:params:oauth:token-type:access_boundary_intermediate_token`.
	RequestedTokenType string `json:"requestedTokenType,omitempty"`
	// Scope: The OAuth 2.0 scopes to include on the resulting access token,
	// formatted as a list of space-delimited, case-sensitive strings. Required
	// when exchanging an external credential for a Google access token.
	Scope string `json:"scope,omitempty"`
	// SubjectToken: Required. The input token. This token is either an external
	// credential issued by a workload identity pool provider, or a short-lived
	// access token issued by Google. If the token is an OIDC JWT, it must use the
	// JWT format defined in RFC 7523 (https://tools.ietf.org/html/rfc7523), and
	// the `subject_token_type` must be either
	// `urn:ietf:params:oauth:token-type:jwt` or
	// `urn:ietf:params:oauth:token-type:id_token`. The following headers are
	// required: - `kid`: The identifier of the signing key securing the JWT. -
	// `alg`: The cryptographic algorithm securing the JWT. Must be `RS256` or
	// `ES256`. The following payload fields are required. For more information,
	// see RFC 7523, Section 3 (https://tools.ietf.org/html/rfc7523#section-3): -
	// `iss`: The issuer of the token. The issuer must provide a discovery document
	// at the URL `/.well-known/openid-configuration`, where `` is the value of
	// this field. The document must be formatted according to section 4.2 of the
	// OIDC 1.0 Discovery specification
	// (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
	// - `iat`: The issue time, in seconds, since the Unix epoch. Must be in the
	// past. - `exp`: The expiration time, in seconds, since the Unix epoch. Must
	// be less than 48 hours after `iat`. Shorter expiration times are more secure.
	// If possible, we recommend setting an expiration time less than 6 hours. -
	// `sub`: The identity asserted in the JWT. - `aud`: For workload identity
	// pools, this must be a value specified in the allowed audiences for the
	// workload identity pool provider, or one of the audiences allowed by default
	// if no audiences were specified. See
	// https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools.providers#oidc.
	// For workforce pools, this must match the client ID specified in the provider
	// configuration. See
	// https://cloud.google.com/iam/docs/reference/rest/v1/locations.workforcePools.providers#oidc.
	// Example header: ``` { "alg": "RS256", "kid": "us-east-11" } ``` Example
	// payload: ``` { "iss": "https://accounts.google.com", "iat": 1517963104,
	// "exp": 1517966704, "aud":
	// "//iam.googleapis.com/projects/1234567890123/locations/global/workloadIdentit
	// yPools/my-pool/providers/my-provider", "sub": "113475438248934895348",
	// "my_claims": { "additional_claim": "value" } } ``` If `subject_token` is for
	// AWS, it must be a serialized `GetCallerIdentity` token. This token contains
	// the same information as a request to the AWS `GetCallerIdentity()`
	// (https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity)
	// method, as well as the AWS signature
	// (https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html)
	// for the request information. Use Signature Version 4. Format the request as
	// URL-encoded JSON, and set the `subject_token_type` parameter to
	// `urn:ietf:params:aws:token-type:aws4_request`. The following parameters are
	// required: - `url`: The URL of the AWS STS endpoint for
	// `GetCallerIdentity()`, such as
	// `https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15`.
	// Regional endpoints are also supported. - `method`: The HTTP request method:
	// `POST`. - `headers`: The HTTP request headers, which must include: -
	// `Authorization`: The request signature. - `x-amz-date`: The time you will
	// send the request, formatted as an ISO8601 Basic
	// (https://docs.aws.amazon.com/general/latest/gr/sigv4_elements.html#sigv4_elements_date)
	// string. This value is typically set to the current time and is used to help
	// prevent replay attacks. - `host`: The hostname of the `url` field; for
	// example, `sts.amazonaws.com`. - `x-goog-cloud-target-resource`: The full,
	// canonical resource name of the workload identity pool provider, with or
	// without an `https:` prefix. To help ensure data integrity, we recommend
	// including this header in the `SignedHeaders` field of the signed request.
	// For example:
	// //iam.googleapis.com/projects//locations/global/workloadIdentityPools//provid
	// ers/
	// https://iam.googleapis.com/projects//locations/global/workloadIdentityPools//providers/
	// If you are using temporary security credentials provided by AWS, you must
	// also include the header `x-amz-security-token`, with the value set to the
	// session token. The following example shows a `GetCallerIdentity` token: ```
	// { "headers": [ {"key": "x-amz-date", "value": "20200815T015049Z"}, {"key":
	// "Authorization", "value":
	// "AWS4-HMAC-SHA256+Credential=$credential,+SignedHeaders=host;x-amz-date;x-goo
	// g-cloud-target-resource,+Signature=$signature"}, {"key":
	// "x-goog-cloud-target-resource", "value":
	// "//iam.googleapis.com/projects//locations/global/workloadIdentityPools//provi
	// ders/"}, {"key": "host", "value": "sts.amazonaws.com"} . ], "method":
	// "POST", "url":
	// "https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15" }
	// ``` If the token is a SAML 2.0 assertion, it must use the format defined in
	// the SAML 2.0 spec
	// (https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.pdf),
	// and the `subject_token_type` must be
	// `urn:ietf:params:oauth:token-type:saml2`. See Verification of external
	// credentials
	// (https://cloud.google.com/iam/docs/using-workload-identity-federation#verification_of_external_credentials)
	// for details on how SAML 2.0 assertions are validated during token exchanges.
	// You can also use a Google-issued OAuth 2.0 access token with this field to
	// obtain an access token with new security attributes applied, such as a
	// Credential Access Boundary. In this case, set `subject_token_type` to
	// `urn:ietf:params:oauth:token-type:access_token`. If an access token already
	// contains security attributes, you cannot apply additional security
	// attributes.
	SubjectToken string `json:"subjectToken,omitempty"`
	// SubjectTokenType: Required. An identifier that indicates the type of the
	// security token in the `subject_token` parameter. Supported values are
	// `urn:ietf:params:oauth:token-type:jwt`,
	// `urn:ietf:params:oauth:token-type:id_token`,
	// `urn:ietf:params:aws:token-type:aws4_request`,
	// `urn:ietf:params:oauth:token-type:access_token`, and
	// `urn:ietf:params:oauth:token-type:saml2`.
	SubjectTokenType string `json:"subjectTokenType,omitempty"`
	// ForceSendFields is a list of field names (e.g. "Audience") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "Audience") to include in API
	// requests with the JSON null value. By default, fields with empty values are
	// omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}
   460  
// MarshalJSON encodes s through gensupport.MarshalJSON, honouring
// ForceSendFields and NullFields. Converting to a method-less local type
// keeps the encoder from calling back into this method. The output contains
// SubjectToken verbatim and should be treated as sensitive.
func (s *GoogleIdentityStsV1ExchangeTokenRequest) MarshalJSON() ([]byte, error) {
	type plain GoogleIdentityStsV1ExchangeTokenRequest
	body := plain(*s)
	return gensupport.MarshalJSON(body, s.ForceSendFields, s.NullFields)
}
   465  
// GoogleIdentityStsV1ExchangeTokenResponse: Response message for
// ExchangeToken.
//
// AccessToken is a bearer credential: whoever holds it can act with it
// until it expires, so do not log it or include it in error messages.
type GoogleIdentityStsV1ExchangeTokenResponse struct {
	// AccessToken: An OAuth 2.0 security token, issued by Google, in response to
	// the token exchange request. Tokens can vary in size, depending in part on
	// the size of mapped claims, up to a maximum of 12288 bytes (12 KB). Google
	// reserves the right to change the token size and the maximum length at any
	// time.
	AccessToken string `json:"access_token,omitempty"`
	// ExpiresIn: The amount of time, in seconds, between the time when the access
	// token was issued and the time when the access token will expire. This field
	// is absent when the `subject_token` in the request is a Google-issued,
	// short-lived access token. In this case, the access token has the same
	// expiration time as the `subject_token`.
	//
	// An absent field decodes as 0, which is indistinguishable from a literal
	// zero; callers relying on the expiry must handle that case.
	ExpiresIn int64 `json:"expires_in,omitempty"`
	// IssuedTokenType: The token type. Always matches the value of
	// `requested_token_type` from the request.
	IssuedTokenType string `json:"issued_token_type,omitempty"`
	// TokenType: The type of access token. Always has the value `Bearer`.
	TokenType string `json:"token_type,omitempty"`

	// ServerResponse contains the HTTP response code and headers from the server.
	googleapi.ServerResponse `json:"-"`
	// ForceSendFields is a list of field names (e.g. "AccessToken") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "AccessToken") to include in API
	// requests with the JSON null value. By default, fields with empty values are
	// omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}
   501  
// MarshalJSON encodes s through gensupport.MarshalJSON, honouring
// ForceSendFields and NullFields. Converting to a method-less local type
// keeps the encoder from calling back into this method. The output contains
// AccessToken verbatim and should be treated as sensitive.
func (s *GoogleIdentityStsV1ExchangeTokenResponse) MarshalJSON() ([]byte, error) {
	type plain GoogleIdentityStsV1ExchangeTokenResponse
	body := plain(*s)
	return gensupport.MarshalJSON(body, s.ForceSendFields, s.NullFields)
}
   506  
// GoogleIdentityStsV1Options: An `Options` object configures features that the
// Security Token Service supports, but that are not supported by standard
// OAuth 2.0 token exchange endpoints, as defined in
// https://tools.ietf.org/html/rfc8693.
//
// It is not sent as a nested object: marshal it to JSON and put the text in
// GoogleIdentityStsV1ExchangeTokenRequest.Options.
type GoogleIdentityStsV1Options struct {
	// AccessBoundary: An access boundary that defines the upper bound of
	// permissions the credential may have. The value should be a JSON object of
	// AccessBoundary. The access boundary can include up to 10 rules. The size of
	// the parameter value should not exceed 2048 characters.
	AccessBoundary *GoogleIdentityStsV1AccessBoundary `json:"accessBoundary,omitempty"`
	// UserProject: A Google project used for quota and billing purposes when the
	// credential is used to access Google APIs. The provided project overrides the
	// project bound to the credential. The value must be a project number or a
	// project ID. Example: `my-sample-project-191923`. The maximum length is 32
	// characters.
	UserProject string `json:"userProject,omitempty"`
	// ForceSendFields is a list of field names (e.g. "AccessBoundary") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "AccessBoundary") to include in
	// API requests with the JSON null value. By default, fields with empty values
	// are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}
   535  
// MarshalJSON implements json.Marshaler for the v1 Options object. Encoding
// goes through a method-less alias so the generic encoder does not recurse
// into this method; ForceSendFields and NullFields control which empty fields
// are still emitted.
func (s *GoogleIdentityStsV1Options) MarshalJSON() ([]byte, error) {
	type NoMethod GoogleIdentityStsV1Options
	plain := NoMethod(*s)
	return gensupport.MarshalJSON(plain, s.ForceSendFields, s.NullFields)
}
   540  
// GoogleIdentityStsV1betaAccessBoundary: An access boundary defines the upper
// bound of what a principal may access. It includes a list of access boundary
// rules that each defines the resource that may be allowed as well as
// permissions that may be used on those resources. Its MarshalJSON honors
// ForceSendFields and NullFields.
type GoogleIdentityStsV1betaAccessBoundary struct {
	// AccessBoundaryRules: A list of access boundary rules which defines the upper
	// bound of the permission a principal may carry. If multiple rules are
	// specified, the effective access boundary is the union of all the access
	// boundary rules attached. One access boundary can contain at most 10 rules.
	// Because rules are unioned, adding a rule can only widen the boundary, never
	// narrow what another rule already allows.
	AccessBoundaryRules []*GoogleIdentityStsV1betaAccessBoundaryRule `json:"accessBoundaryRules,omitempty"`
	// ForceSendFields is a list of field names (e.g. "AccessBoundaryRules") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "AccessBoundaryRules") to include
	// in API requests with the JSON null value. By default, fields with empty
	// values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}
   563  
// MarshalJSON implements json.Marshaler for the beta AccessBoundary. A
// method-less alias is handed to the generic encoder so it does not recurse
// into this method; ForceSendFields and NullFields select which empty fields
// are still emitted.
func (s *GoogleIdentityStsV1betaAccessBoundary) MarshalJSON() ([]byte, error) {
	type NoMethod GoogleIdentityStsV1betaAccessBoundary
	plain := NoMethod(*s)
	return gensupport.MarshalJSON(plain, s.ForceSendFields, s.NullFields)
}
   568  
// GoogleIdentityStsV1betaAccessBoundaryRule: An access boundary rule defines
// an upper bound of IAM permissions on a single resource. A rule never grants
// permissions on its own; it only caps what the principal already holds.
type GoogleIdentityStsV1betaAccessBoundaryRule struct {
	// AvailabilityCondition: The availability condition further constrains the
	// access allowed by the access boundary rule. If the condition evaluates to
	// `true`, then this access boundary rule will provide access to the specified
	// resource, assuming the principal has the required permissions for the
	// resource. If the condition does not evaluate to `true`, then access to the
	// specified resource will not be available. Note that all access boundary
	// rules in an access boundary are evaluated together as a union. As such,
	// another access boundary rule may allow access to the resource, even if this
	// access boundary rule does not allow access. To learn which resources support
	// conditions in their IAM policies, see the IAM documentation
	// (https://cloud.google.com/iam/help/conditions/resource-policies). The
	// maximum length of the `expression` field is 2048 characters.
	AvailabilityCondition *GoogleTypeExpr `json:"availabilityCondition,omitempty"`
	// AvailablePermissions: A list of permissions that may be allowed for use on
	// the specified resource. The only supported values in the list are IAM roles,
	// following the format of google.iam.v1.Binding.role. Example value:
	// `inRole:roles/logging.viewer` for predefined roles and
	// `inRole:organizations/{ORGANIZATION_ID}/roles/logging.viewer` for custom
	// roles.
	AvailablePermissions []string `json:"availablePermissions,omitempty"`
	// AvailableResource: The full resource name of a Google Cloud resource entity.
	// The format definition is at
	// https://cloud.google.com/apis/design/resource_names. Example value:
	// `//cloudresourcemanager.googleapis.com/projects/my-project`.
	AvailableResource string `json:"availableResource,omitempty"`
	// ForceSendFields is a list of field names (e.g. "AvailabilityCondition") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "AvailabilityCondition") to
	// include in API requests with the JSON null value. By default, fields with
	// empty values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}
   609  
// MarshalJSON implements json.Marshaler for the beta AccessBoundaryRule. The
// value is encoded through a method-less alias so the generic encoder does not
// call back into this method; ForceSendFields and NullFields control which
// empty fields are still written.
func (s *GoogleIdentityStsV1betaAccessBoundaryRule) MarshalJSON() ([]byte, error) {
	type NoMethod GoogleIdentityStsV1betaAccessBoundaryRule
	plain := NoMethod(*s)
	return gensupport.MarshalJSON(plain, s.ForceSendFields, s.NullFields)
}
   614  
// GoogleIdentityStsV1betaOptions: An `Options` object configures features that
// the Security Token Service supports, but that are not supported by standard
// OAuth 2.0 token exchange endpoints, as defined in
// https://tools.ietf.org/html/rfc8693. It mirrors GoogleIdentityStsV1Options
// but references the beta AccessBoundary type. Its MarshalJSON honors
// ForceSendFields and NullFields.
type GoogleIdentityStsV1betaOptions struct {
	// AccessBoundary: An access boundary that defines the upper bound of
	// permissions the credential may have. The value should be a JSON object of
	// AccessBoundary. The access boundary can include up to 10 rules. The size of
	// the parameter value should not exceed 2048 characters. A boundary only
	// narrows the credential; it cannot add permissions the principal lacks.
	AccessBoundary *GoogleIdentityStsV1betaAccessBoundary `json:"accessBoundary,omitempty"`
	// UserProject: A Google project used for quota and billing purposes when the
	// credential is used to access Google APIs. The provided project overrides the
	// project bound to the credential. The value must be a project number or a
	// project ID. Example: `my-sample-project-191923`. The maximum length is 32
	// characters.
	UserProject string `json:"userProject,omitempty"`
	// ForceSendFields is a list of field names (e.g. "AccessBoundary") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "AccessBoundary") to include in
	// API requests with the JSON null value. By default, fields with empty values
	// are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}
   643  
// MarshalJSON implements json.Marshaler for the beta Options object. A
// method-less alias is passed to the generic encoder so it does not recurse
// into this method; ForceSendFields and NullFields decide which empty fields
// are still emitted.
func (s *GoogleIdentityStsV1betaOptions) MarshalJSON() ([]byte, error) {
	type NoMethod GoogleIdentityStsV1betaOptions
	plain := NoMethod(*s)
	return gensupport.MarshalJSON(plain, s.ForceSendFields, s.NullFields)
}
   648  
// GoogleTypeExpr: Represents a textual expression in the Common Expression
// Language (CEL) syntax. CEL is a C-like expression language. The syntax and
// semantics of CEL are documented at https://github.com/google/cel-spec.
//
// Example (Comparison):
//
//	title: "Summary size limit"
//	description: "Determines if a summary is less than 100 chars"
//	expression: "document.summary.size() < 100"
//
// Example (Equality):
//
//	title: "Requestor is owner"
//	description: "Determines if requestor is the document owner"
//	expression: "document.owner == request.auth.claims.email"
//
// Example (Logic):
//
//	title: "Public documents"
//	description: "Determine whether the document should be publicly visible"
//	expression: "document.type != 'private' && document.type != 'internal'"
//
// Example (Data Manipulation):
//
//	title: "Notification string"
//	description: "Create a notification string with a timestamp."
//	expression: "'New message received at ' + string(document.create_time)"
//
// The exact variables and functions that may be referenced within an
// expression are determined by the service that evaluates it. See the service
// documentation for additional information. In this package the type is used
// as the AvailabilityCondition of an access boundary rule.
type GoogleTypeExpr struct {
	// Description: Optional. Description of the expression. This is a longer text
	// which describes the expression, e.g. when hovered over it in a UI.
	Description string `json:"description,omitempty"`
	// Expression: Textual representation of an expression in Common Expression
	// Language syntax. This is the only field that affects evaluation; the
	// others are descriptive metadata.
	Expression string `json:"expression,omitempty"`
	// Location: Optional. String indicating the location of the expression for
	// error reporting, e.g. a file name and a position in the file.
	Location string `json:"location,omitempty"`
	// Title: Optional. Title for the expression, i.e. a short string describing
	// its purpose. This can be used e.g. in UIs which allow to enter the
	// expression.
	Title string `json:"title,omitempty"`
	// ForceSendFields is a list of field names (e.g. "Description") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "Description") to include in API
	// requests with the JSON null value. By default, fields with empty values are
	// omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}
   691  
// MarshalJSON implements json.Marshaler for GoogleTypeExpr. The receiver is
// converted to a method-less alias before encoding so the generic encoder does
// not re-enter this method; ForceSendFields and NullFields control which empty
// fields are still written.
func (s *GoogleTypeExpr) MarshalJSON() ([]byte, error) {
	type NoMethod GoogleTypeExpr
	plain := NoMethod(*s)
	return gensupport.MarshalJSON(plain, s.ForceSendFields, s.NullFields)
}
   696  
// V1TokenCall is the builder for the "sts.token" call returned by
// V1Service.Token. Fields, Context and Header configure it; Do sends it.
type V1TokenCall struct {
	// s supplies the user agent, BasePath and HTTP client used by doRequest.
	s                                       *Service
	// googleidentitystsv1exchangetokenrequest is serialized as the POST body.
	googleidentitystsv1exchangetokenrequest *GoogleIdentityStsV1ExchangeTokenRequest
	// urlParams_ collects the query string ("fields", "alt", "prettyPrint" and
	// whatever CallOptions add).
	urlParams_                              gensupport.URLParams
	// ctx_ is handed to gensupport.SendRequest; it stays nil until Context is called.
	ctx_                                    context.Context
	// header_ is created lazily by Header and passed to gensupport.SetHeaders.
	header_                                 http.Header
}
   704  
// Token: Exchanges a credential for a Google OAuth 2.0 access token. The token
// asserts an external identity within an identity pool, or it applies a
// Credential Access Boundary to a Google access token. Note that workforce
// pools do not support Credential Access Boundaries. When you call this
// method, do not send the `Authorization` HTTP header in the request. This
// method does not require the `Authorization` header, and using the header can
// cause the request to fail.
//
// The returned call is not sent until Do is invoked.
func (r *V1Service) Token(googleidentitystsv1exchangetokenrequest *GoogleIdentityStsV1ExchangeTokenRequest) *V1TokenCall {
	call := &V1TokenCall{
		s:                                       r.s,
		googleidentitystsv1exchangetokenrequest: googleidentitystsv1exchangetokenrequest,
		urlParams_:                              make(gensupport.URLParams),
	}
	return call
}
   717  
// Fields allows partial responses to be retrieved. See
// https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more
// details. The selector is stored as the "fields" query parameter and the
// call is returned for chaining.
func (c *V1TokenCall) Fields(s ...googleapi.Field) *V1TokenCall {
	selector := googleapi.CombineFields(s)
	c.urlParams_.Set("fields", selector)
	return c
}
   725  
// Context sets the context to be used in this call's Do method. The context is
// only recorded here; it is consumed when the request is sent. The call is
// returned for chaining.
func (c *V1TokenCall) Context(ctx context.Context) *V1TokenCall {
	call := c
	call.ctx_ = ctx
	return call
}
   731  
// Header returns a http.Header that can be modified by the caller to add
// headers to the request. The header map is allocated on first use and the
// same map is returned on every later call, so edits persist until Do runs.
func (c *V1TokenCall) Header() http.Header {
	if existing := c.header_; existing != nil {
		return existing
	}
	c.header_ = make(http.Header)
	return c.header_
}
   740  
// doRequest builds and sends the POST to "v1/token" relative to the service
// BasePath. alt selects the response encoding ("json" from Do). The
// token-exchange request is JSON-encoded as the body, caller headers from
// Header are merged by gensupport.SetHeaders, and the stored context is passed
// to gensupport.SendRequest. Per the Token doc, callers should not add an
// Authorization header through Header.
func (c *V1TokenCall) doRequest(alt string) (*http.Response, error) {
	headers := gensupport.SetHeaders(c.s.userAgent(), "application/json", c.header_)

	var body io.Reader
	var err error
	body, err = googleapi.WithoutDataWrapper.JSONReader(c.googleidentitystsv1exchangetokenrequest)
	if err != nil {
		return nil, err
	}

	// Query parameters are fixed after the body is built; "alt" and
	// "prettyPrint" are always set for this call.
	c.urlParams_.Set("alt", alt)
	c.urlParams_.Set("prettyPrint", "false")
	endpoint := googleapi.ResolveRelative(c.s.BasePath, "v1/token")
	endpoint = endpoint + "?" + c.urlParams_.Encode()

	req, err := http.NewRequest("POST", endpoint, body)
	if err != nil {
		return nil, err
	}
	req.Header = headers
	return gensupport.SendRequest(c.ctx_, c.s.client, req)
}
   759  
// Do executes the "sts.token" call.
// Any non-2xx status code is an error. Response headers are in either
// *GoogleIdentityStsV1ExchangeTokenResponse.ServerResponse.Header or (if a
// response was returned at all) in error.(*googleapi.Error).Header. Use
// googleapi.IsNotModified to check whether the returned error was because
// http.StatusNotModified was returned.
//
// The decoded response carries the exchanged credential, so callers should
// treat the returned value as secret material.
func (c *V1TokenCall) Do(opts ...googleapi.CallOption) (*GoogleIdentityStsV1ExchangeTokenResponse, error) {
	gensupport.SetOptions(c.urlParams_, opts...)
	res, err := c.doRequest("json")

	// A 304 is surfaced as a *googleapi.Error carrying only status and headers.
	// It is checked before err so the header-only result is not discarded.
	if res != nil && res.StatusCode == http.StatusNotModified {
		if res.Body != nil {
			res.Body.Close()
		}
		notModified := &googleapi.Error{Code: res.StatusCode, Header: res.Header}
		return nil, gensupport.WrapError(notModified)
	}
	if err != nil {
		return nil, err
	}
	defer googleapi.CloseBody(res)

	if cerr := googleapi.CheckResponse(res); cerr != nil {
		return nil, gensupport.WrapError(cerr)
	}

	out := &GoogleIdentityStsV1ExchangeTokenResponse{}
	out.ServerResponse = googleapi.ServerResponse{
		Header:         res.Header,
		HTTPStatusCode: res.StatusCode,
	}
	// DecodeResponse takes a pointer to the pointer so it can fill the value in place.
	target := &out
	if derr := gensupport.DecodeResponse(target, res); derr != nil {
		return nil, derr
	}
	return out, nil
}
   797  
