
     1  // Copyright 2024 Google LLC.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  // Code generated file. DO NOT EDIT.
     6  
     7  // Package sts provides access to the Security Token Service API.
     8  //
     9  // For product documentation, see: http://cloud.google.com/iam/docs/workload-identity-federation
    10  //
    11  // # Library status
    12  //
    13  // These client libraries are officially supported by Google. However, this
    14  // library is considered complete and is in maintenance mode. This means
    15  // that we will address critical bugs and security issues but will not add
    16  // any new features.
    17  //
    18  // When possible, we recommend using our newer
    19  // [Cloud Client Libraries for Go](https://pkg.go.dev/cloud.google.com/go)
    20  // that are still actively being worked and iterated on.
    21  //
    22  // # Creating a client
    23  //
    24  // Usage example:
    25  //
    26  //	import "google.golang.org/api/sts/v1beta"
    27  //	...
    28  //	ctx := context.Background()
    29  //	stsService, err := sts.NewService(ctx)
    30  //
    31  // In this example, Google Application Default Credentials are used for
    32  // authentication. For information on how to create and obtain Application
    33  // Default Credentials, see https://developers.google.com/identity/protocols/application-default-credentials.
    34  //
    35  // # Other authentication options
    36  //
    37  // To use an API key for authentication (note: some APIs do not support API
    38  // keys), use [google.golang.org/api/option.WithAPIKey]:
    39  //
    40  //	stsService, err := sts.NewService(ctx, option.WithAPIKey("AIza..."))
    41  //
    42  // To use an OAuth token (e.g., a user token obtained via a three-legged OAuth
    43  // flow), use [google.golang.org/api/option.WithTokenSource]:
    44  //
    45  //	config := &oauth2.Config{...}
    46  //	// ...
    47  //	token, err := config.Exchange(ctx, ...)
    48  //	stsService, err := sts.NewService(ctx, option.WithTokenSource(config.TokenSource(ctx, token)))
    49  //
    50  // See [google.golang.org/api/option.ClientOption] for details on options.
    51  package sts // import "google.golang.org/api/sts/v1beta"
    52  
    53  import (
    54  	"bytes"
    55  	"context"
    56  	"encoding/json"
    57  	"errors"
    58  	"fmt"
    59  	"io"
    60  	"net/http"
    61  	"net/url"
    62  	"strconv"
    63  	"strings"
    64  
    65  	googleapi "google.golang.org/api/googleapi"
    66  	internal "google.golang.org/api/internal"
    67  	gensupport "google.golang.org/api/internal/gensupport"
    68  	option "google.golang.org/api/option"
    69  	internaloption "google.golang.org/api/option/internaloption"
    70  	htransport "google.golang.org/api/transport/http"
    71  )
    72  
// Always reference these packages, just in case the auto-generated code
// below doesn't. Each blank assignment is a compile-time reference only;
// nothing here runs at init time.
var (
	_ = bytes.NewBuffer
	_ = strconv.Itoa
	_ = fmt.Sprintf
	_ = json.NewDecoder
	_ = io.Copy
	_ = url.Parse
	_ = gensupport.MarshalJSON
	_ = googleapi.Version
	_ = errors.New
	_ = strings.Replace
	_ = context.Canceled
	_ = internaloption.WithDefaultEndpoint
	_ = internal.Version
)
    88  
// API identity and endpoint constants for the Security Token Service client.
// basePath is the default endpoint, basePathTemplate carries the
// UNIVERSE_DOMAIN placeholder used when a universe domain is configured, and
// mtlsBasePath is the mutual-TLS endpoint.
const (
	apiId            = "sts:v1beta"
	apiName          = "sts"
	apiVersion       = "v1beta"
	basePath         = "https://sts.googleapis.com/"
	basePathTemplate = "https://sts.UNIVERSE_DOMAIN/"
	mtlsBasePath     = "https://sts.mtls.googleapis.com/"
)
    95  
// NewService creates a new Service.
//
// The caller's options are extended, in order, with the service defaults
// (endpoint, endpoint template, mTLS endpoint) and the new auth library
// switch; an HTTP client is then built from the combined list. The endpoint
// reported by the transport, when non-empty, replaces the default BasePath,
// so option-driven endpoint overrides (including mTLS) take effect here.
//
// Returns the transport's error or New's error unchanged.
func NewService(ctx context.Context, opts ...option.ClientOption) (*Service, error) {
	defaults := []option.ClientOption{
		internaloption.WithDefaultEndpoint(basePath),
		internaloption.WithDefaultEndpointTemplate(basePathTemplate),
		internaloption.WithDefaultMTLSEndpoint(mtlsBasePath),
		internaloption.EnableNewAuthLibrary(),
	}
	for _, o := range defaults {
		opts = append(opts, o)
	}

	client, endpoint, err := htransport.NewClient(ctx, opts...)
	if err != nil {
		return nil, err
	}

	svc, err := New(client)
	if err != nil {
		return nil, err
	}
	if endpoint != "" {
		// The transport resolved a concrete endpoint; prefer it over basePath.
		svc.BasePath = endpoint
	}
	return svc, nil
}
   115  
// New creates a new Service. It uses the provided http.Client for requests.
//
// Deprecated: please use NewService instead.
// To provide a custom HTTP client, use option.WithHTTPClient.
// If you are using google.golang.org/api/googleapis/transport.APIKey, use option.WithAPIKey with NewService instead.
//
// A nil client is rejected with an error; the returned Service uses the
// default basePath and has its V1beta sub-service attached.
func New(client *http.Client) (*Service, error) {
	if client == nil {
		return nil, errors.New("client is nil")
	}
	svc := &Service{
		client:   client,
		BasePath: basePath,
	}
	svc.V1beta = NewV1betaService(svc)
	return svc, nil
}
   129  
// Service is the client for the Security Token Service API. It is built by
// NewService (or the deprecated New) and holds the HTTP client plus the
// endpoint and User-Agent settings shared by the generated calls.
type Service struct {
	client    *http.Client
	BasePath  string // API endpoint base URL
	UserAgent string // optional additional User-Agent fragment

	// V1beta exposes the v1beta resources of the API.
	V1beta *V1betaService
}
   137  
// userAgent returns the User-Agent string for this service: the library's
// googleapi.UserAgent alone, or followed by a space and the optional
// s.UserAgent fragment when one is set.
func (s *Service) userAgent() string {
	ua := googleapi.UserAgent
	if frag := s.UserAgent; frag != "" {
		ua += " " + frag
	}
	return ua
}
   144  
// NewV1betaService returns a V1betaService bound to the parent Service s.
func NewV1betaService(s *Service) *V1betaService {
	return &V1betaService{s: s}
}
   149  
// V1betaService groups the v1beta API calls. s is the parent Service it was
// created from (see NewV1betaService).
type V1betaService struct {
	s *Service
}
   153  
// GoogleIamV1Binding: Associates `members`, or principals, with a `role`.
//
// Every API field is tagged `omitempty`, so a zero-valued Condition, Members
// or Role is left out of the request body unless it is named in
// ForceSendFields (sent as-is) or NullFields (sent as JSON null); see
// MarshalJSON below.
type GoogleIamV1Binding struct {
	// Condition: The condition that is associated with this binding. If the
	// condition evaluates to `true`, then this binding applies to the current
	// request. If the condition evaluates to `false`, then this binding does not
	// apply to the current request. However, a different role binding might grant
	// the same role to one or more of the principals in this binding. To learn
	// which resources support conditions in their IAM policies, see the IAM
	// documentation
	// (https://cloud.google.com/iam/help/conditions/resource-policies).
	Condition *GoogleTypeExpr `json:"condition,omitempty"`
	// Members: Specifies the principals requesting access for a Google Cloud
	// resource. `members` can have the following values: * `allUsers`: A special
	// identifier that represents anyone who is on the internet; with or without a
	// Google account. * `allAuthenticatedUsers`: A special identifier that
	// represents anyone who is authenticated with a Google account or a service
	// account. Does not include identities that come from external identity
	// providers (IdPs) through identity federation. * `user:{emailid}`: An email
	// address that represents a specific Google account. For example,
	// `alice@example.com` . * `serviceAccount:{emailid}`: An email address that
	// represents a Google service account. For example,
	// `my-other-app@appspot.gserviceaccount.com`. *
	// `serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]`: An
	// identifier for a Kubernetes service account
	// (https://cloud.google.com/kubernetes-engine/docs/how-to/kubernetes-service-accounts).
	// For example, `my-project.svc.id.goog[my-namespace/my-kubernetes-sa]`. *
	// `group:{emailid}`: An email address that represents a Google group. For
	// example, `admins@example.com`. * `domain:{domain}`: The G Suite domain
	// (primary) that represents all the users of that domain. For example,
	// `google.com` or `example.com`. *
	// `principal://iam.googleapis.com/locations/global/workforcePools/{pool_id}/sub
	// ject/{subject_attribute_value}`: A single identity in a workforce identity
	// pool. *
	// `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/
	// group/{group_id}`: All workforce identities in a group. *
	// `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/
	// attribute.{attribute_name}/{attribute_value}`: All workforce identities with
	// a specific attribute value. *
	// `principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/
	// *`: All identities in a workforce identity pool. *
	// `principal://iam.googleapis.com/projects/{project_number}/locations/global/wo
	// rkloadIdentityPools/{pool_id}/subject/{subject_attribute_value}`: A single
	// identity in a workload identity pool. *
	// `principalSet://iam.googleapis.com/projects/{project_number}/locations/global
	// /workloadIdentityPools/{pool_id}/group/{group_id}`: A workload identity pool
	// group. *
	// `principalSet://iam.googleapis.com/projects/{project_number}/locations/global
	// /workloadIdentityPools/{pool_id}/attribute.{attribute_name}/{attribute_value}
	// `: All identities in a workload identity pool with a certain attribute. *
	// `principalSet://iam.googleapis.com/projects/{project_number}/locations/global
	// /workloadIdentityPools/{pool_id}/*`: All identities in a workload identity
	// pool. * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus
	// unique identifier) representing a user that has been recently deleted. For
	// example, `alice@example.com?uid=123456789012345678901`. If the user is
	// recovered, this value reverts to `user:{emailid}` and the recovered user
	// retains the role in the binding. *
	// `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
	// unique identifier) representing a service account that has been recently
	// deleted. For example,
	// `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the
	// service account is undeleted, this value reverts to
	// `serviceAccount:{emailid}` and the undeleted service account retains the
	// role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: An email
	// address (plus unique identifier) representing a Google group that has been
	// recently deleted. For example,
	// `admins@example.com?uid=123456789012345678901`. If the group is recovered,
	// this value reverts to `group:{emailid}` and the recovered group retains the
	// role in the binding. *
	// `deleted:principal://iam.googleapis.com/locations/global/workforcePools/{pool
	// _id}/subject/{subject_attribute_value}`: Deleted single identity in a
	// workforce identity pool. For example,
	// `deleted:principal://iam.googleapis.com/locations/global/workforcePools/my-po
	// ol-id/subject/my-subject-attribute-value`.
	//
	// NOTE(review): `allUsers` and `allAuthenticatedUsers` grant the role to
	// everyone (or every Google-authenticated identity); treat their appearance
	// in a binding as something to flag during review.
	Members []string `json:"members,omitempty"`
	// Role: Role that is assigned to the list of `members`, or principals. For
	// example, `roles/viewer`, `roles/editor`, or `roles/owner`. For an overview
	// of the IAM roles and permissions, see the IAM documentation
	// (https://cloud.google.com/iam/docs/roles-overview). For a list of the
	// available pre-defined roles, see here
	// (https://cloud.google.com/iam/docs/understanding-roles).
	Role string `json:"role,omitempty"`
	// ForceSendFields is a list of field names (e.g. "Condition") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "Condition") to include in API
	// requests with the JSON null value. By default, fields with empty values are
	// omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}
   247  
// MarshalJSON implements json.Marshaler for GoogleIamV1Binding.
//
// NoMethod is a defined type with the same fields as GoogleIamV1Binding but
// none of its methods, so the value handed to gensupport.MarshalJSON carries
// no MarshalJSON of its own (presumably to avoid re-entering this method).
// ForceSendFields and NullFields decide which empty fields are still emitted.
func (s *GoogleIamV1Binding) MarshalJSON() ([]byte, error) {
	type NoMethod GoogleIamV1Binding
	plain := NoMethod(*s)
	return gensupport.MarshalJSON(plain, s.ForceSendFields, s.NullFields)
}
   252  
// GoogleIdentityStsV1AccessBoundary: An access boundary defines the upper
// bound of what a principal may access. It includes a list of access boundary
// rules that each defines the resource that may be allowed as well as
// permissions that may be used on those resources.
//
// The v1beta counterpart below (GoogleIdentityStsV1betaAccessBoundary) is a
// field-for-field copy of this type.
type GoogleIdentityStsV1AccessBoundary struct {
	// AccessBoundaryRules: A list of access boundary rules which defines the upper
	// bound of the permission a principal may carry. If multiple rules are
	// specified, the effective access boundary is the union of all the access
	// boundary rules attached. One access boundary can contain at most 10 rules.
	AccessBoundaryRules []*GoogleIdentityStsV1AccessBoundaryRule `json:"accessBoundaryRules,omitempty"`
	// ForceSendFields is a list of field names (e.g. "AccessBoundaryRules") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "AccessBoundaryRules") to include
	// in API requests with the JSON null value. By default, fields with empty
	// values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}
   275  
// MarshalJSON implements json.Marshaler for GoogleIdentityStsV1AccessBoundary.
//
// The conversion to the method-less NoMethod type hands gensupport.MarshalJSON
// a plain struct value; ForceSendFields and NullFields select which empty
// fields are still written.
func (s *GoogleIdentityStsV1AccessBoundary) MarshalJSON() ([]byte, error) {
	type NoMethod GoogleIdentityStsV1AccessBoundary
	plain := NoMethod(*s)
	return gensupport.MarshalJSON(plain, s.ForceSendFields, s.NullFields)
}
   280  
// GoogleIdentityStsV1AccessBoundaryRule: An access boundary rule defines an
// upper bound of IAM permissions on a single resource.
//
// AvailableResource names the resource, AvailablePermissions lists the roles
// that may be exercised on it, and AvailabilityCondition can narrow the rule
// further. The v1beta counterpart below
// (GoogleIdentityStsV1betaAccessBoundaryRule) is a field-for-field copy.
type GoogleIdentityStsV1AccessBoundaryRule struct {
	// AvailabilityCondition: The availability condition further constrains the
	// access allowed by the access boundary rule. If the condition evaluates to
	// `true`, then this access boundary rule will provide access to the specified
	// resource, assuming the principal has the required permissions for the
	// resource. If the condition does not evaluate to `true`, then access to the
	// specified resource will not be available. Note that all access boundary
	// rules in an access boundary are evaluated together as a union. As such,
	// another access boundary rule may allow access to the resource, even if this
	// access boundary rule does not allow access. To learn which resources support
	// conditions in their IAM policies, see the IAM documentation
	// (https://cloud.google.com/iam/help/conditions/resource-policies). The
	// maximum length of the `expression` field is 2048 characters.
	AvailabilityCondition *GoogleTypeExpr `json:"availabilityCondition,omitempty"`
	// AvailablePermissions: A list of permissions that may be allowed for use on
	// the specified resource. The only supported values in the list are IAM roles,
	// following the format of google.iam.v1.Binding.role. Example value:
	// `inRole:roles/logging.viewer` for predefined roles and
	// `inRole:organizations/{ORGANIZATION_ID}/roles/logging.viewer` for custom
	// roles.
	AvailablePermissions []string `json:"availablePermissions,omitempty"`
	// AvailableResource: The full resource name of a Google Cloud resource entity.
	// The format definition is at
	// https://cloud.google.com/apis/design/resource_names. Example value:
	// `//cloudresourcemanager.googleapis.com/projects/my-project`.
	AvailableResource string `json:"availableResource,omitempty"`
	// ForceSendFields is a list of field names (e.g. "AvailabilityCondition") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "AvailabilityCondition") to
	// include in API requests with the JSON null value. By default, fields with
	// empty values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}
   321  
// MarshalJSON implements json.Marshaler for
// GoogleIdentityStsV1AccessBoundaryRule.
//
// NoMethod shares the rule's fields but has no methods, so
// gensupport.MarshalJSON sees a plain struct; ForceSendFields and NullFields
// govern the treatment of empty fields.
func (s *GoogleIdentityStsV1AccessBoundaryRule) MarshalJSON() ([]byte, error) {
	type NoMethod GoogleIdentityStsV1AccessBoundaryRule
	plain := NoMethod(*s)
	return gensupport.MarshalJSON(plain, s.ForceSendFields, s.NullFields)
}
   326  
// GoogleIdentityStsV1Options: An `Options` object configures features that the
// Security Token Service supports, but that are not supported by standard
// OAuth 2.0 token exchange endpoints, as defined in
// https://tools.ietf.org/html/rfc8693.
//
// AccessBoundary is a nested object on this type, whereas
// GoogleIdentityStsV1betaExchangeTokenRequest.Options carries the whole
// Options value as a string of serialized JSON; serialize before placing it
// there.
type GoogleIdentityStsV1Options struct {
	// AccessBoundary: An access boundary that defines the upper bound of
	// permissions the credential may have. The value should be a JSON object of
	// AccessBoundary. The access boundary can include up to 10 rules. The size of
	// the parameter value should not exceed 2048 characters.
	AccessBoundary *GoogleIdentityStsV1AccessBoundary `json:"accessBoundary,omitempty"`
	// UserProject: A Google project used for quota and billing purposes when the
	// credential is used to access Google APIs. The provided project overrides the
	// project bound to the credential. The value must be a project number or a
	// project ID. Example: `my-sample-project-191923`. The maximum length is 32
	// characters.
	UserProject string `json:"userProject,omitempty"`
	// ForceSendFields is a list of field names (e.g. "AccessBoundary") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "AccessBoundary") to include in
	// API requests with the JSON null value. By default, fields with empty values
	// are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}
   355  
// MarshalJSON implements json.Marshaler for GoogleIdentityStsV1Options.
//
// Converting to the method-less NoMethod type gives gensupport.MarshalJSON a
// plain struct value; ForceSendFields and NullFields control which empty
// fields are still emitted.
func (s *GoogleIdentityStsV1Options) MarshalJSON() ([]byte, error) {
	type NoMethod GoogleIdentityStsV1Options
	plain := NoMethod(*s)
	return gensupport.MarshalJSON(plain, s.ForceSendFields, s.NullFields)
}
   360  
// GoogleIdentityStsV1betaAccessBoundary: An access boundary defines the upper
// bound of what a principal may access. It includes a list of access boundary
// rules that each defines the resource that may be allowed as well as
// permissions that may be used on those resources.
//
// Field-for-field copy of GoogleIdentityStsV1AccessBoundary above, typed for
// the v1beta rule element.
type GoogleIdentityStsV1betaAccessBoundary struct {
	// AccessBoundaryRules: A list of access boundary rules which defines the upper
	// bound of the permission a principal may carry. If multiple rules are
	// specified, the effective access boundary is the union of all the access
	// boundary rules attached. One access boundary can contain at most 10 rules.
	AccessBoundaryRules []*GoogleIdentityStsV1betaAccessBoundaryRule `json:"accessBoundaryRules,omitempty"`
	// ForceSendFields is a list of field names (e.g. "AccessBoundaryRules") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "AccessBoundaryRules") to include
	// in API requests with the JSON null value. By default, fields with empty
	// values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}
   383  
// MarshalJSON implements json.Marshaler for
// GoogleIdentityStsV1betaAccessBoundary.
//
// NoMethod carries the same fields with no methods, so gensupport.MarshalJSON
// receives a plain struct; ForceSendFields and NullFields decide which empty
// fields are still written.
func (s *GoogleIdentityStsV1betaAccessBoundary) MarshalJSON() ([]byte, error) {
	type NoMethod GoogleIdentityStsV1betaAccessBoundary
	plain := NoMethod(*s)
	return gensupport.MarshalJSON(plain, s.ForceSendFields, s.NullFields)
}
   388  
// GoogleIdentityStsV1betaAccessBoundaryRule: An access boundary rule defines
// an upper bound of IAM permissions on a single resource.
//
// Field-for-field copy of GoogleIdentityStsV1AccessBoundaryRule above:
// AvailableResource names the resource, AvailablePermissions lists the roles
// that may be exercised on it, and AvailabilityCondition can narrow the rule.
type GoogleIdentityStsV1betaAccessBoundaryRule struct {
	// AvailabilityCondition: The availability condition further constrains the
	// access allowed by the access boundary rule. If the condition evaluates to
	// `true`, then this access boundary rule will provide access to the specified
	// resource, assuming the principal has the required permissions for the
	// resource. If the condition does not evaluate to `true`, then access to the
	// specified resource will not be available. Note that all access boundary
	// rules in an access boundary are evaluated together as a union. As such,
	// another access boundary rule may allow access to the resource, even if this
	// access boundary rule does not allow access. To learn which resources support
	// conditions in their IAM policies, see the IAM documentation
	// (https://cloud.google.com/iam/help/conditions/resource-policies). The
	// maximum length of the `expression` field is 2048 characters.
	AvailabilityCondition *GoogleTypeExpr `json:"availabilityCondition,omitempty"`
	// AvailablePermissions: A list of permissions that may be allowed for use on
	// the specified resource. The only supported values in the list are IAM roles,
	// following the format of google.iam.v1.Binding.role. Example value:
	// `inRole:roles/logging.viewer` for predefined roles and
	// `inRole:organizations/{ORGANIZATION_ID}/roles/logging.viewer` for custom
	// roles.
	AvailablePermissions []string `json:"availablePermissions,omitempty"`
	// AvailableResource: The full resource name of a Google Cloud resource entity.
	// The format definition is at
	// https://cloud.google.com/apis/design/resource_names. Example value:
	// `//cloudresourcemanager.googleapis.com/projects/my-project`.
	AvailableResource string `json:"availableResource,omitempty"`
	// ForceSendFields is a list of field names (e.g. "AvailabilityCondition") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "AvailabilityCondition") to
	// include in API requests with the JSON null value. By default, fields with
	// empty values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}
   429  
// MarshalJSON implements json.Marshaler for
// GoogleIdentityStsV1betaAccessBoundaryRule.
//
// The NoMethod conversion strips the method set so gensupport.MarshalJSON
// works on a plain struct; ForceSendFields and NullFields govern empty-field
// handling.
func (s *GoogleIdentityStsV1betaAccessBoundaryRule) MarshalJSON() ([]byte, error) {
	type NoMethod GoogleIdentityStsV1betaAccessBoundaryRule
	plain := NoMethod(*s)
	return gensupport.MarshalJSON(plain, s.ForceSendFields, s.NullFields)
}
   434  
// GoogleIdentityStsV1betaExchangeTokenRequest: Request message for
// ExchangeToken.
//
// Options is a string holding serialized JSON rather than a nested object
// (presumably a GoogleIdentityStsV1Options value; confirm against the API).
// SubjectToken is a credential — an external identity token or a Google-issued
// access token — so keep it out of logs, error messages and anything
// persisted, and follow the field documentation's advice to keep JWT `exp`
// short.
type GoogleIdentityStsV1betaExchangeTokenRequest struct {
	// Audience: The full resource name of the identity provider. For example,
	// `//iam.googleapis.com/projects//locations/global/workloadIdentityPools//provi
	// ders/`. Required when exchanging an external credential for a Google access
	// token.
	Audience string `json:"audience,omitempty"`
	// GrantType: Required. The grant type. Must be
	// `urn:ietf:params:oauth:grant-type:token-exchange`, which indicates a token
	// exchange.
	GrantType string `json:"grantType,omitempty"`
	// Options: A set of features that Security Token Service supports, in addition
	// to the standard OAuth 2.0 token exchange, formatted as a serialized JSON
	// object of Options. The size of the parameter value must not exceed 4096
	// characters.
	Options string `json:"options,omitempty"`
	// RequestedTokenType: Required. The type of security token. Must be
	// `urn:ietf:params:oauth:token-type:access_token`, which indicates an OAuth
	// 2.0 access token.
	RequestedTokenType string `json:"requestedTokenType,omitempty"`
	// Scope: The OAuth 2.0 scopes to include on the resulting access token,
	// formatted as a list of space-delimited, case-sensitive strings. Required
	// when exchanging an external credential for a Google access token.
	Scope string `json:"scope,omitempty"`
	// SubjectToken: Required. The input token. This token is either an external
	// credential issued by a workload identity pool provider, or a short-lived
	// access token issued by Google. If the token is an OIDC JWT, it must use the
	// JWT format defined in RFC 7523 (https://tools.ietf.org/html/rfc7523), and
	// the `subject_token_type` must be either
	// `urn:ietf:params:oauth:token-type:jwt` or
	// `urn:ietf:params:oauth:token-type:id_token`. The following headers are
	// required: - `kid`: The identifier of the signing key securing the JWT. -
	// `alg`: The cryptographic algorithm securing the JWT. Must be `RS256` or
	// `ES256`. The following payload fields are required. For more information,
	// see RFC 7523, Section 3 (https://tools.ietf.org/html/rfc7523#section-3): -
	// `iss`: The issuer of the token. The issuer must provide a discovery document
	// at the URL `/.well-known/openid-configuration`, where `` is the value of
	// this field. The document must be formatted according to section 4.2 of the
	// OIDC 1.0 Discovery specification
	// (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
	// - `iat`: The issue time, in seconds, since the Unix epoch. Must be in the
	// past. - `exp`: The expiration time, in seconds, since the Unix epoch. Must
	// be less than 48 hours after `iat`. Shorter expiration times are more secure.
	// If possible, we recommend setting an expiration time less than 6 hours. -
	// `sub`: The identity asserted in the JWT. - `aud`: For workload identity
	// pools, this must be a value specified in the allowed audiences for the
	// workload identity pool provider, or one of the audiences allowed by default
	// if no audiences were specified. See
	// https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools.providers#oidc
	// Example header: ``` { "alg": "RS256", "kid": "us-east-11" } ``` Example
	// payload: ``` { "iss": "https://accounts.google.com", "iat": 1517963104,
	// "exp": 1517966704, "aud":
	// "//iam.googleapis.com/projects/1234567890123/locations/global/workloadIdentit
	// yPools/my-pool/providers/my-provider", "sub": "113475438248934895348",
	// "my_claims": { "additional_claim": "value" } } ``` If `subject_token` is for
	// AWS, it must be a serialized `GetCallerIdentity` token. This token contains
	// the same information as a request to the AWS `GetCallerIdentity()`
	// (https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity)
	// method, as well as the AWS signature
	// (https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html)
	// for the request information. Use Signature Version 4. Format the request as
	// URL-encoded JSON, and set the `subject_token_type` parameter to
	// `urn:ietf:params:aws:token-type:aws4_request`. The following parameters are
	// required: - `url`: The URL of the AWS STS endpoint for
	// `GetCallerIdentity()`, such as
	// `https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15`.
	// Regional endpoints are also supported. - `method`: The HTTP request method:
	// `POST`. - `headers`: The HTTP request headers, which must include: -
	// `Authorization`: The request signature. - `x-amz-date`: The time you will
	// send the request, formatted as an ISO8601 Basic
	// (https://docs.aws.amazon.com/general/latest/gr/sigv4_elements.html#sigv4_elements_date)
	// string. This value is typically set to the current time and is used to help
	// prevent replay attacks. - `host`: The hostname of the `url` field; for
	// example, `sts.amazonaws.com`. - `x-goog-cloud-target-resource`: The full,
	// canonical resource name of the workload identity pool provider, with or
	// without an `https:` prefix. To help ensure data integrity, we recommend
	// including this header in the `SignedHeaders` field of the signed request.
	// For example:
	// //iam.googleapis.com/projects//locations/global/workloadIdentityPools//provid
	// ers/
	// https://iam.googleapis.com/projects//locations/global/workloadIdentityPools//providers/
	// If you are using temporary security credentials provided by AWS, you must
	// also include the header `x-amz-security-token`, with the value set to the
	// session token. The following example shows a `GetCallerIdentity` token: ```
	// { "headers": [ {"key": "x-amz-date", "value": "20200815T015049Z"}, {"key":
	// "Authorization", "value":
	// "AWS4-HMAC-SHA256+Credential=$credential,+SignedHeaders=host;x-amz-date;x-goo
	// g-cloud-target-resource,+Signature=$signature"}, {"key":
	// "x-goog-cloud-target-resource", "value":
	// "//iam.googleapis.com/projects//locations/global/workloadIdentityPools//provi
	// ders/"}, {"key": "host", "value": "sts.amazonaws.com"} . ], "method":
	// "POST", "url":
	// "https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15" }
	// ``` You can also use a Google-issued OAuth 2.0 access token with this field
	// to obtain an access token with new security attributes applied, such as a
	// Credential Access Boundary. In this case, set `subject_token_type` to
	// `urn:ietf:params:oauth:token-type:access_token`. If an access token already
	// contains security attributes, you cannot apply additional security
	// attributes.
	//
	// NOTE(review): this value is a bearer credential; do not include it in
	// logs, traces or error text.
	SubjectToken string `json:"subjectToken,omitempty"`
	// SubjectTokenType: Required. An identifier that indicates the type of the
	// security token in the `subject_token` parameter. Supported values are
	// `urn:ietf:params:oauth:token-type:jwt`,
	// `urn:ietf:params:oauth:token-type:id_token`,
	// `urn:ietf:params:aws:token-type:aws4_request`, and
	// `urn:ietf:params:oauth:token-type:access_token`.
	SubjectTokenType string `json:"subjectTokenType,omitempty"`
	// ForceSendFields is a list of field names (e.g. "Audience") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "Audience") to include in API
	// requests with the JSON null value. By default, fields with empty values are
	// omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}
   555  
// MarshalJSON implements json.Marshaler for
// GoogleIdentityStsV1betaExchangeTokenRequest, honoring ForceSendFields and
// NullFields via gensupport.MarshalJSON. The value is converted to a defined
// type that carries none of the receiver's methods, so marshaling it cannot
// re-enter this method. The output contains SubjectToken, i.e. a credential:
// do not log or persist the marshaled bytes.
func (s *GoogleIdentityStsV1betaExchangeTokenRequest) MarshalJSON() ([]byte, error) {
	type plain GoogleIdentityStsV1betaExchangeTokenRequest
	return gensupport.MarshalJSON(plain(*s), s.ForceSendFields, s.NullFields)
}
   560  
// GoogleIdentityStsV1betaExchangeTokenResponse: Response message for
// ExchangeToken (the "sts.token" call, see V1betaTokenCall.Do).
//
// AccessToken is a Google-issued bearer credential (TokenType is always
// `Bearer`): treat it as a secret, keep it out of logs and do not persist it
// in plaintext. ExpiresIn is a plain int64, so when the server omits the field
// it decodes as 0; 0 therefore means "not reported, the token inherits the
// subject_token's expiry", not "already expired".
type GoogleIdentityStsV1betaExchangeTokenResponse struct {
	// AccessToken: An OAuth 2.0 security token, issued by Google, in response to
	// the token exchange request. Tokens can vary in size, depending in part on
	// the size of mapped claims, up to a maximum of 12288 bytes (12 KB). Google
	// reserves the right to change the token size and the maximum length at any
	// time. This is a bearer credential; handle it as a secret.
	AccessToken string `json:"access_token,omitempty"`
	// ExpiresIn: The amount of time, in seconds, between the time when the access
	// token was issued and the time when the access token will expire. This field
	// is absent when the `subject_token` in the request is a Google-issued,
	// short-lived access token. In this case, the access token has the same
	// expiration time as the `subject_token`. An absent field decodes as 0, so
	// callers cannot distinguish "absent" from a literal 0 here.
	ExpiresIn int64 `json:"expires_in,omitempty"`
	// IssuedTokenType: The token type. Always matches the value of
	// `requested_token_type` from the request.
	IssuedTokenType string `json:"issued_token_type,omitempty"`
	// TokenType: The type of access token. Always has the value `Bearer`.
	TokenType string `json:"token_type,omitempty"`

	// ServerResponse contains the HTTP response code and headers from the server.
	googleapi.ServerResponse `json:"-"`
	// ForceSendFields is a list of field names (e.g. "AccessToken") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "AccessToken") to include in API
	// requests with the JSON null value. By default, fields with empty values are
	// omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}
   596  
// MarshalJSON implements json.Marshaler for
// GoogleIdentityStsV1betaExchangeTokenResponse, honoring ForceSendFields and
// NullFields via gensupport.MarshalJSON. The conversion to a method-less
// defined type prevents the marshaler from recursing into this method. The
// output includes AccessToken, a bearer credential, so it must not be logged.
func (s *GoogleIdentityStsV1betaExchangeTokenResponse) MarshalJSON() ([]byte, error) {
	type plain GoogleIdentityStsV1betaExchangeTokenResponse
	return gensupport.MarshalJSON(plain(*s), s.ForceSendFields, s.NullFields)
}
   601  
// GoogleIdentityStsV1betaOptions: An `Options` object configures features that
// the Security Token Service supports, but that are not supported by standard
// OAuth 2.0 token exchange endpoints, as defined in
// https://tools.ietf.org/html/rfc8693.
//
// Neither field widens what the exchanged token can do: AccessBoundary is
// documented as an upper bound on permissions (it can only narrow the
// underlying credential), and UserProject only changes which project is used
// for quota and billing. Per the SubjectToken documentation in this file, a
// token that already carries security attributes cannot have additional ones
// applied, so these options cannot be layered onto an already-bounded token.
type GoogleIdentityStsV1betaOptions struct {
	// AccessBoundary: An access boundary that defines the upper bound of
	// permissions the credential may have. The value should be a JSON object of
	// AccessBoundary. The access boundary can include up to 10 rules. The size of
	// the parameter value should not exceed 2048 characters. Nothing visible in
	// this client checks those limits; they are enforced by the service.
	AccessBoundary *GoogleIdentityStsV1betaAccessBoundary `json:"accessBoundary,omitempty"`
	// UserProject: A Google project used for quota and billing purposes when the
	// credential is used to access Google APIs. The provided project overrides the
	// project bound to the credential. The value must be a project number or a
	// project ID. Example: `my-sample-project-191923`. The maximum length is 32
	// characters. Because it overrides the credential's own project, the value
	// should come from configuration rather than from untrusted request input.
	UserProject string `json:"userProject,omitempty"`
	// ForceSendFields is a list of field names (e.g. "AccessBoundary") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "AccessBoundary") to include in
	// API requests with the JSON null value. By default, fields with empty values
	// are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}
   630  
// MarshalJSON implements json.Marshaler for GoogleIdentityStsV1betaOptions,
// honoring ForceSendFields and NullFields via gensupport.MarshalJSON. The
// receiver is first converted to a defined type without methods so that the
// marshaler does not call back into this method.
func (s *GoogleIdentityStsV1betaOptions) MarshalJSON() ([]byte, error) {
	type plain GoogleIdentityStsV1betaOptions
	return gensupport.MarshalJSON(plain(*s), s.ForceSendFields, s.NullFields)
}
   635  
// GoogleTypeExpr: Represents a textual expression in the Common Expression
// Language (CEL) syntax. CEL is a C-like expression language. The syntax and
// semantics of CEL are documented at https://github.com/google/cel-spec.
//
// Examples, each given as title / description / expression:
//
//   - Comparison: "Summary size limit" / "Determines if a summary is less
//     than 100 chars" / `document.summary.size() < 100`
//   - Equality: "Requestor is owner" / "Determines if requestor is the
//     document owner" / `document.owner == request.auth.claims.email`
//   - Logic: "Public documents" / "Determine whether the document should be
//     publicly visible" / `document.type != 'private' && document.type != 'internal'`
//   - Data manipulation: "Notification string" / "Create a notification
//     string with a timestamp." / `'New message received at ' + string(document.create_time)`
//
// The exact variables and functions that may be referenced within an
// expression are determined by the service that evaluates it. See the service
// documentation for additional information.
//
// Per the field documentation below, only Expression carries meaning for the
// evaluating service; Title, Description and Location are descriptive and
// error-reporting aids. Where the STS uses this type it is presumably part of
// an access-boundary rule (GoogleIdentityStsV1betaAccessBoundary is defined
// elsewhere in this file — confirm), i.e. an authorization condition, so
// Expression should be built from trusted configuration rather than assembled
// from caller-supplied strings.
type GoogleTypeExpr struct {
	// Description: Optional. Description of the expression. This is a longer text
	// which describes the expression, e.g. when hovered over it in a UI.
	Description string `json:"description,omitempty"`
	// Expression: Textual representation of an expression in Common Expression
	// Language syntax. This is the only field the evaluating service acts on.
	Expression string `json:"expression,omitempty"`
	// Location: Optional. String indicating the location of the expression for
	// error reporting, e.g. a file name and a position in the file.
	Location string `json:"location,omitempty"`
	// Title: Optional. Title for the expression, i.e. a short string describing
	// its purpose. This can be used e.g. in UIs which allow to enter the
	// expression.
	Title string `json:"title,omitempty"`
	// ForceSendFields is a list of field names (e.g. "Description") to
	// unconditionally include in API requests. By default, fields with empty or
	// default values are omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-ForceSendFields for more
	// details.
	ForceSendFields []string `json:"-"`
	// NullFields is a list of field names (e.g. "Description") to include in API
	// requests with the JSON null value. By default, fields with empty values are
	// omitted from API requests. See
	// https://pkg.go.dev/google.golang.org/api#hdr-NullFields for more details.
	NullFields []string `json:"-"`
}
   678  
// MarshalJSON implements json.Marshaler for GoogleTypeExpr, honoring
// ForceSendFields and NullFields via gensupport.MarshalJSON. Converting to a
// defined type that has no methods keeps the marshaler from recursing back
// into this method.
func (s *GoogleTypeExpr) MarshalJSON() ([]byte, error) {
	type plain GoogleTypeExpr
	return gensupport.MarshalJSON(plain(*s), s.ForceSendFields, s.NullFields)
}
   683  
// V1betaTokenCall is the builder for one "sts.token" request. It is created
// by V1betaService.Token, optionally adjusted with Fields, Context and
// Header, and executed by Do. Fields, in order: the owning Service; the
// request body (which carries subject_token, a credential — do not log a
// V1betaTokenCall); the query parameters sent in the URL; the context handed
// to the transport; and caller-supplied headers merged into the request.
type V1betaTokenCall struct {
	s                                           *Service
	googleidentitystsv1betaexchangetokenrequest *GoogleIdentityStsV1betaExchangeTokenRequest
	urlParams_                                  gensupport.URLParams
	ctx_                                        context.Context
	header_                                     http.Header
}
   691  
// Token: Exchanges a credential for a Google OAuth 2.0 access token. The token
// asserts an external identity within a workload identity pool, or it applies
// a Credential Access Boundary to a Google access token.
//
// When you call this method, do not send the `Authorization` HTTP header in
// the request: the endpoint does not require it, and its presence can cause
// the request to fail. This applies to headers added through
// V1betaTokenCall.Header and equally to any credential the Service's
// underlying HTTP client attaches on its own (a Service built from
// application default credentials may do so — confirm against NewService,
// which is outside this view). The returned call is executed with Do.
func (r *V1betaService) Token(googleidentitystsv1betaexchangetokenrequest *GoogleIdentityStsV1betaExchangeTokenRequest) *V1betaTokenCall {
	return &V1betaTokenCall{
		s:          r.s,
		urlParams_: make(gensupport.URLParams),
		googleidentitystsv1betaexchangetokenrequest: googleidentitystsv1betaexchangetokenrequest,
	}
}
   703  
// Fields restricts the response to the named fields (a partial response). See
// https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more
// details. The combined mask is sent as the `fields` query parameter of the
// request URL.
func (c *V1betaTokenCall) Fields(s ...googleapi.Field) *V1betaTokenCall {
	mask := googleapi.CombineFields(s)
	c.urlParams_.Set("fields", mask)
	return c
}
   711  
// Context sets the context to be used in this call's Do method. The context
// is passed to gensupport.SendRequest when the request goes out, so its
// cancellation and deadline presumably bound the HTTP exchange.
func (c *V1betaTokenCall) Context(ctx context.Context) *V1betaTokenCall {
	c.ctx_ = ctx
	return c
}
   717  
// Header returns a http.Header that can be modified by the caller to add
// headers to the request; the map is allocated on first use and reused on
// later calls. doRequest merges these headers into the outgoing request. Do
// not add an `Authorization` header here: per Token's documentation the
// endpoint does not require it and its presence can cause the request to
// fail.
func (c *V1betaTokenCall) Header() http.Header {
	if c.header_ != nil {
		return c.header_
	}
	c.header_ = make(http.Header)
	return c.header_
}
   726  
// doRequest builds and sends the POST for the "sts.token" call and returns
// the raw HTTP response; alt selects the response encoding ("json" from Do).
//
// The ExchangeTokenRequest — including subject_token, a credential — is sent
// as the JSON body. Only alt, prettyPrint and any Fields mask travel in the
// query string, so URL-level access logs do not expose the credential.
// Headers supplied through Header() are merged with the user agent and
// content type; per Token's documentation an `Authorization` header must not
// be among them, and the same goes for anything c.s.client adds by itself
// (a Service built with application default credentials may do that —
// confirm against NewService, which is outside this view).
func (c *V1betaTokenCall) doRequest(alt string) (*http.Response, error) {
	hdrs := gensupport.SetHeaders(c.s.userAgent(), "application/json", c.header_)
	var (
		payload io.Reader
		err     error
	)
	payload, err = googleapi.WithoutDataWrapper.JSONReader(c.googleidentitystsv1betaexchangetokenrequest)
	if err != nil {
		return nil, err
	}
	c.urlParams_.Set("alt", alt)
	c.urlParams_.Set("prettyPrint", "false")
	endpoint := googleapi.ResolveRelative(c.s.BasePath, "v1beta/token") + "?" + c.urlParams_.Encode()
	req, err := http.NewRequest("POST", endpoint, payload)
	if err != nil {
		return nil, err
	}
	req.Header = hdrs
	return gensupport.SendRequest(c.ctx_, c.s.client, req)
}
   745  
// Do executes the "sts.token" call and returns the decoded response.
//
// Any non-2xx status code is an error. Response headers are in either
// *GoogleIdentityStsV1betaExchangeTokenResponse.ServerResponse.Header or (if a
// response was returned at all) in error.(*googleapi.Error).Header. Use
// googleapi.IsNotModified to check whether the returned error was because
// http.StatusNotModified was returned.
//
// Security notes: the returned AccessToken is a bearer credential and the
// request body built by doRequest carries the subject_token; neither belongs
// in logs. On the http.StatusNotModified path the body is closed here before
// the error is constructed. On the other error path a non-nil response is
// assumed to arrive with its body already closed or nil, as net/http does for
// client errors — confirm against gensupport.SendRequest.
func (c *V1betaTokenCall) Do(opts ...googleapi.CallOption) (*GoogleIdentityStsV1betaExchangeTokenResponse, error) {
	gensupport.SetOptions(c.urlParams_, opts...)
	resp, err := c.doRequest("json")
	// A 304 is reported as a googleapi.Error carrying only the status and
	// headers; its body, if any, is released first. This check deliberately
	// precedes the err check, as in the generated client.
	if resp != nil && resp.StatusCode == http.StatusNotModified {
		if resp.Body != nil {
			resp.Body.Close()
		}
		notModified := &googleapi.Error{Code: resp.StatusCode, Header: resp.Header}
		return nil, gensupport.WrapError(notModified)
	}
	if err != nil {
		return nil, err
	}
	defer googleapi.CloseBody(resp)
	if err := googleapi.CheckResponse(resp); err != nil {
		return nil, gensupport.WrapError(err)
	}
	out := &GoogleIdentityStsV1betaExchangeTokenResponse{}
	out.ServerResponse = googleapi.ServerResponse{
		Header:         resp.Header,
		HTTPStatusCode: resp.StatusCode,
	}
	// Decoded through &out (a **T), exactly as the generated client does.
	if err := gensupport.DecodeResponse(&out, resp); err != nil {
		return nil, err
	}
	return out, nil
}
   783  
