1// Copyright 2021 Google LLC. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5// Code generated file. DO NOT EDIT. 6 7// Package sts provides access to the Security Token Service API. 8// 9// For product documentation, see: http://cloud.google.com/iam/docs/workload-identity-federation 10// 11// Creating a client 12// 13// Usage example: 14// 15// import "google.golang.org/api/sts/v1" 16// ... 17// ctx := context.Background() 18// stsService, err := sts.NewService(ctx) 19// 20// In this example, Google Application Default Credentials are used for authentication. 21// 22// For information on how to create and obtain Application Default Credentials, see https://developers.google.com/identity/protocols/application-default-credentials. 23// 24// Other authentication options 25// 26// To use an API key for authentication (note: some APIs do not support API keys), use option.WithAPIKey: 27// 28// stsService, err := sts.NewService(ctx, option.WithAPIKey("AIza...")) 29// 30// To use an OAuth token (e.g., a user token obtained via a three-legged OAuth flow), use option.WithTokenSource: 31// 32// config := &oauth2.Config{...} 33// // ... 34// token, err := config.Exchange(ctx, ...) 35// stsService, err := sts.NewService(ctx, option.WithTokenSource(config.TokenSource(ctx, token))) 36// 37// See https://godoc.org/google.golang.org/api/option/ for details on options. 38package sts // import "google.golang.org/api/sts/v1" 39 40import ( 41 "bytes" 42 "context" 43 "encoding/json" 44 "errors" 45 "fmt" 46 "io" 47 "net/http" 48 "net/url" 49 "strconv" 50 "strings" 51 52 googleapi "google.golang.org/api/googleapi" 53 gensupport "google.golang.org/api/internal/gensupport" 54 option "google.golang.org/api/option" 55 internaloption "google.golang.org/api/option/internaloption" 56 htransport "google.golang.org/api/transport/http" 57) 58 59// Always reference these packages, just in case the auto-generated code 60// below doesn't. 
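// Always reference these packages, just in case the auto-generated code
// below doesn't.
var (
	_ = bytes.NewBuffer
	_ = strconv.Itoa
	_ = fmt.Sprintf
	_ = json.NewDecoder
	_ = io.Copy
	_ = url.Parse
	_ = gensupport.MarshalJSON
	_ = googleapi.Version
	_ = errors.New
	_ = strings.Replace
	_ = context.Canceled
	_ = internaloption.WithDefaultEndpoint
)

const (
	apiId        = "sts:v1"
	apiName      = "sts"
	apiVersion   = "v1"
	basePath     = "https://sts.googleapis.com/"
	mtlsBasePath = "https://sts.mtls.googleapis.com/"
)

// NewService creates a new Service.
//
// The default and default-mTLS endpoints are appended after the caller's
// options, so an endpoint the caller supplies explicitly still wins. The
// endpoint chosen by the transport layer, when non-empty, replaces the
// compiled-in BasePath on the returned Service.
//
// It returns any error reported by the HTTP transport setup or by New.
func NewService(ctx context.Context, opts ...option.ClientOption) (*Service, error) {
	// A variadic slice shares its backing array with the slice the caller
	// expanded, so appending in place could overwrite entries the caller
	// still holds if that slice has spare capacity. Copy first, sized for
	// the two defaults added below.
	all := make([]option.ClientOption, 0, len(opts)+2)
	all = append(all, opts...)
	all = append(all,
		internaloption.WithDefaultEndpoint(basePath),
		internaloption.WithDefaultMTLSEndpoint(mtlsBasePath),
	)
	client, endpoint, err := htransport.NewClient(ctx, all...)
	if err != nil {
		return nil, err
	}
	s, err := New(client)
	if err != nil {
		return nil, err
	}
	if endpoint != "" {
		s.BasePath = endpoint
	}
	return s, nil
}

// New creates a new Service. It uses the provided http.Client for requests.
//
// Deprecated: please use NewService instead.
// To provide a custom HTTP client, use option.WithHTTPClient.
// If you are using google.golang.org/api/googleapis/transport.APIKey, use option.WithAPIKey with NewService instead.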
func New(client *http.Client) (*Service, error) {
	if client == nil {
		return nil, errors.New("client is nil")
	}
	svc := &Service{client: client, BasePath: basePath}
	svc.V1 = NewV1Service(svc)
	return svc, nil
}

// Service is the client for the Security Token Service API. It holds the
// HTTP client used for every request, the endpoint base URL and the
// per-version sub-services.
type Service struct {
	client    *http.Client
	BasePath  string // API endpoint base URL
	UserAgent string // optional additional User-Agent fragment

	V1 *V1Service
}

// userAgent returns the User-Agent value for requests: the library's own
// googleapi.UserAgent, followed by the caller-supplied fragment when one
// is set.
func (s *Service) userAgent() string {
	ua := googleapi.UserAgent
	if s.UserAgent != "" {
		ua += " " + s.UserAgent
	}
	return ua
}

// NewV1Service returns the v1 sub-service bound to s.
func NewV1Service(s *Service) *V1Service {
	return &V1Service{s: s}
}

// V1Service groups the v1 methods of the API; s is the owning Service.
type V1Service struct {
	s *Service
}

// GoogleIamV1Binding: Associates `members` with a `role`.
type GoogleIamV1Binding struct {
	// Condition: The condition that is associated with this binding. If the
	// condition evaluates to `true`, then this binding applies to the
	// current request. If the condition evaluates to `false`, then this
	// binding does not apply to the current request. However, a different
	// role binding might grant the same role to one or more of the members
	// in this binding. To learn which resources support conditions in their
	// IAM policies, see the IAM documentation
	// (https://cloud.google.com/iam/help/conditions/resource-policies).
	Condition *GoogleTypeExpr `json:"condition,omitempty"`

	// Members: Specifies the identities requesting access for a Cloud
	// Platform resource. `members` can have the following values:
	// * `allUsers`: A special identifier that represents anyone who is on
	// the internet; with or without a Google account.
	// * `allAuthenticatedUsers`: A special identifier that represents
	// anyone who is authenticated with a Google account or a service
	// account.
	// * `user:{emailid}`: An email address that represents a specific
	// Google account. For example, `alice@example.com`.
	// * `serviceAccount:{emailid}`: An email address that represents a
	// service account. For example,
	// `my-other-app@appspot.gserviceaccount.com`.
	// * `group:{emailid}`: An email address that represents a Google
	// group. For example, `admins@example.com`.
	// * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus
	// unique identifier) representing a user that has been recently
	// deleted. For example, `alice@example.com?uid=123456789012345678901`.
	// If the user is recovered, this value reverts to `user:{emailid}` and
	// the recovered user retains the role in the binding.
	// * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email
	// address (plus unique identifier) representing a service account that
	// has been recently deleted. For example,
	// `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
	// If the service account is undeleted, this value reverts to
	// `serviceAccount:{emailid}` and the undeleted service account retains
	// the role in the binding.
	// * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus
	// unique identifier) representing a Google group that has been
	// recently deleted. For example,
	// `admins@example.com?uid=123456789012345678901`. If the group is
	// recovered, this value reverts to `group:{emailid}` and the recovered
	// group retains the role in the binding.
	// * `domain:{domain}`: The G Suite domain (primary) that represents all
	// the users of that domain. For example, `google.com` or
	// `example.com`.
	Members []string `json:"members,omitempty"`

	// Role: Role that is assigned to `members`. For example,
	// `roles/viewer`, `roles/editor`, or `roles/owner`.
	Role string `json:"role,omitempty"`

	// ForceSendFields is a list of field names (e.g. "Condition") to
	// unconditionally include in API requests. By default, fields with
	// empty or default values are omitted from API requests. However, any
	// non-pointer, non-interface field appearing in ForceSendFields will be
	// sent to the server regardless of whether the field is empty or not.
	// This may be used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "Condition") to include in
	// API requests with the JSON null value. By default, fields with empty
	// values are omitted from API requests. However, any field with an
	// empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}

// MarshalJSON encodes s, honouring ForceSendFields and NullFields.
func (s *GoogleIamV1Binding) MarshalJSON() ([]byte, error) {
	// noMethod has the same fields but no methods, so encoding it does not
	// re-enter this MarshalJSON.
	type noMethod GoogleIamV1Binding
	return gensupport.MarshalJSON(noMethod(*s), s.ForceSendFields, s.NullFields)
}

// GoogleIdentityStsV1AccessBoundary: An access boundary defines the
// upper bound of what a principal may access. It includes a list of
// access boundary rules that each defines the resource that may be
// allowed as well as permissions that may be used on those resources.
type GoogleIdentityStsV1AccessBoundary struct {
	// AccessBoundaryRules: A list of access boundary rules which defines
	// the upper bound of the permission a principal may carry. If multiple
	// rules are specified, the effective access boundary is the union of
	// all the access boundary rules attached. One access boundary can
	// contain at most 10 rules.
	AccessBoundaryRules []*GoogleIdentityStsV1AccessBoundaryRule `json:"accessBoundaryRules,omitempty"`

	// ForceSendFields is a list of field names (e.g. "AccessBoundaryRules")
	// to unconditionally include in API requests. By default, fields with
	// empty or default values are omitted from API requests. However, any
	// non-pointer, non-interface field appearing in ForceSendFields will be
	// sent to the server regardless of whether the field is empty or not.
	// This may be used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "AccessBoundaryRules") to
	// include in API requests with the JSON null value. By default, fields
	// with empty values are omitted from API requests. However, any field
	// with an empty value appearing in NullFields will be sent to the
	// server as null. It is an error if a field in this list has a
	// non-empty value. This may be used to include null fields in Patch
	// requests.
	NullFields []string `json:"-"`
}

// MarshalJSON encodes s, honouring ForceSendFields and NullFields.
func (s *GoogleIdentityStsV1AccessBoundary) MarshalJSON() ([]byte, error) {
	// noMethod has the same fields but no methods, so encoding it does not
	// re-enter this MarshalJSON.
	type noMethod GoogleIdentityStsV1AccessBoundary
	return gensupport.MarshalJSON(noMethod(*s), s.ForceSendFields, s.NullFields)
}

// GoogleIdentityStsV1AccessBoundaryRule: An access boundary rule
// defines an upper bound of IAM permissions on a single resource.
type GoogleIdentityStsV1AccessBoundaryRule struct {
	// AvailabilityCondition: The availability condition further constrains
	// the access allowed by the access boundary rule. If the condition
	// evaluates to `true`, then this access boundary rule will provide
	// access to the specified resource, assuming the principal has the
	// required permissions for the resource. If the condition does not
	// evaluate to `true`, then access to the specified resource will not be
	// available. Note that all access boundary rules in an access boundary
	// are evaluated together as a union. As such, another access boundary
	// rule may allow access to the resource, even if this access boundary
	// rule does not allow access. To learn which resources support
	// conditions in their IAM policies, see the IAM documentation
	// (https://cloud.google.com/iam/help/conditions/resource-policies). The
	// maximum length of the `expression` field is 2048 characters.
	AvailabilityCondition *GoogleTypeExpr `json:"availabilityCondition,omitempty"`

	// AvailablePermissions: A list of permissions that may be allowed for
	// use on the specified resource. The only supported values in the list
	// are IAM roles, following the format of google.iam.v1.Binding.role.
	// Example value: `inRole:roles/logging.viewer` for predefined roles and
	// `inRole:organizations/{ORGANIZATION_ID}/roles/logging.viewer` for
	// custom roles.
	AvailablePermissions []string `json:"availablePermissions,omitempty"`

	// AvailableResource: The full resource name of a Google Cloud resource
	// entity. The format definition is at
	// https://cloud.google.com/apis/design/resource_names. Example value:
	// `//cloudresourcemanager.googleapis.com/projects/my-project`.
	AvailableResource string `json:"availableResource,omitempty"`

	// ForceSendFields is a list of field names (e.g.
	// "AvailabilityCondition") to unconditionally include in API requests.
	// By default, fields with empty or default values are omitted from API
	// requests. However, any non-pointer, non-interface field appearing in
	// ForceSendFields will be sent to the server regardless of whether the
	// field is empty or not. This may be used to include empty fields in
	// Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "AvailabilityCondition") to
	// include in API requests with the JSON null value. By default, fields
	// with empty values are omitted from API requests. However, any field
	// with an empty value appearing in NullFields will be sent to the
	// server as null. It is an error if a field in this list has a
	// non-empty value. This may be used to include null fields in Patch
	// requests.
	NullFields []string `json:"-"`
}

// MarshalJSON encodes s, honouring ForceSendFields and NullFields.
func (s *GoogleIdentityStsV1AccessBoundaryRule) MarshalJSON() ([]byte, error) {
	// noMethod has the same fields but no methods, so encoding it does not
	// re-enter this MarshalJSON.
	type noMethod GoogleIdentityStsV1AccessBoundaryRule
	return gensupport.MarshalJSON(noMethod(*s), s.ForceSendFields, s.NullFields)
}

// GoogleIdentityStsV1ExchangeTokenRequest: Request message for
// ExchangeToken.
type GoogleIdentityStsV1ExchangeTokenRequest struct {
	// Audience: The full resource name of the identity provider; for
	// example:
	// `//iam.googleapis.com/projects//locations/global/workloadIdentityPools
	// //providers/`. Required when exchanging an external credential for a
	// Google access token.
	Audience string `json:"audience,omitempty"`

	// GrantType: Required. The grant type. Must be
	// `urn:ietf:params:oauth:grant-type:token-exchange`, which indicates a
	// token exchange.
	GrantType string `json:"grantType,omitempty"`

	// Options: A set of features that Security Token Service supports, in
	// addition to the standard OAuth 2.0 token exchange, formatted as a
	// serialized JSON object of Options.
	Options string `json:"options,omitempty"`

	// RequestedTokenType: Required. An identifier for the type of requested
	// security token. Must be
	// `urn:ietf:params:oauth:token-type:access_token`.
	RequestedTokenType string `json:"requestedTokenType,omitempty"`

	// Scope: The OAuth 2.0 scopes to include on the resulting access token,
	// formatted as a list of space-delimited, case-sensitive strings.
	// Required when exchanging an external credential for a Google access
	// token.
	Scope string `json:"scope,omitempty"`

	// SubjectToken: Required. The input token. This token is either an
	// external credential issued by a workload identity pool provider, or a
	// short-lived access token issued by Google. If the token is an OIDC
	// JWT, it must use the JWT format defined in RFC 7523
	// (https://tools.ietf.org/html/rfc7523), and the `subject_token_type`
	// must be either `urn:ietf:params:oauth:token-type:jwt` or
	// `urn:ietf:params:oauth:token-type:id_token`. The following headers
	// are required:
	// - `kid`: The identifier of the signing key securing the JWT.
	// - `alg`: The cryptographic algorithm securing the JWT. Must be
	// `RS256` or `ES256`.
	// The following payload fields are required. For more information, see
	// RFC 7523, Section 3 (https://tools.ietf.org/html/rfc7523#section-3):
	// - `iss`: The issuer of the token. The issuer must provide a discovery
	// document at the URL `/.well-known/openid-configuration`, where `` is
	// the value of this field. The document must be formatted according to
	// section 4.2 of the OIDC 1.0 Discovery specification
	// (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
	// - `iat`: The issue time, in seconds, since the Unix epoch. Must be in
	// the past.
	// - `exp`: The expiration time, in seconds, since the Unix epoch. Must
	// be less than 48 hours after `iat`. Shorter expiration times are more
	// secure. If possible, we recommend setting an expiration time less
	// than 6 hours.
	// - `sub`: The identity asserted in the JWT.
	// - `aud`: For workload identity pools, this must be a value specified
	// in the allowed audiences for the workload identity pool provider, or
	// one of the audiences allowed by default if no audiences were
	// specified. See
	// https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools.providers#oidc
	// Example header: ``` { "alg": "RS256", "kid": "us-east-11" } ```
	// Example payload: ``` { "iss": "https://accounts.google.com", "iat":
	// 1517963104, "exp": 1517966704, "aud":
	// "//iam.googleapis.com/projects/1234567890123/locations/global/workload
	// IdentityPools/my-pool/providers/my-provider", "sub":
	// "113475438248934895348", "my_claims": { "additional_claim": "value" }
	// } ```
	// If `subject_token` is for AWS, it must be a serialized
	// `GetCallerIdentity` token. This token contains the same information
	// as a request to the AWS `GetCallerIdentity()`
	// (https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity)
	// method, as well as the AWS signature
	// (https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html)
	// for the request information. Use Signature Version 4. Format the
	// request as URL-encoded JSON, and set the `subject_token_type`
	// parameter to `urn:ietf:params:aws:token-type:aws4_request`. The
	// following parameters are required:
	// - `url`: The URL of the AWS STS endpoint for `GetCallerIdentity()`,
	// such as
	// `https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15`.
	// Regional endpoints are also supported.
	// - `method`: The HTTP request method: `POST`.
	// - `headers`: The HTTP request headers, which must include:
	//   - `Authorization`: The request signature.
	//   - `x-amz-date`: The time you will send the request, formatted as an
	// ISO8601 Basic
	// (https://docs.aws.amazon.com/general/latest/gr/sigv4_elements.html#sigv4_elements_date)
	// string. This value is typically set to the current time and is used
	// to help prevent replay attacks.
	//   - `host`: The hostname of the `url` field; for example,
	// `sts.amazonaws.com`.
	//   - `x-goog-cloud-target-resource`: The full, canonical resource name
	// of the workload identity pool provider, with or without an `https:`
	// prefix. To help ensure data integrity, we recommend including this
	// header in the `SignedHeaders` field of the signed request. For
	// example:
	// //iam.googleapis.com/projects//locations/global/workloadIdentityPools/
	// /providers/
	// https://iam.googleapis.com/projects//locations/global/workloadIdentityPools//providers/
	// If you are using temporary security credentials provided by AWS, you
	// must also include the header `x-amz-security-token`, with the value
	// set to the session token. The following example shows a
	// `GetCallerIdentity` token: ``` { "headers": [ {"key": "x-amz-date",
	// "value": "20200815T015049Z"}, {"key": "Authorization", "value":
	// "AWS4-HMAC-SHA256+Credential=$credential,+SignedHeaders=host;x-amz-dat
	// e;x-goog-cloud-target-resource,+Signature=$signature"}, {"key":
	// "x-goog-cloud-target-resource", "value":
	// "//iam.googleapis.com/projects//locations/global/workloadIdentityPools
	// //providers/"}, {"key": "host", "value": "sts.amazonaws.com"} . ],
	// "method": "POST", "url":
	// "https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15
	// " } ```
	// You can also use a Google-issued OAuth 2.0 access token with this
	// field to obtain an access token with new security attributes applied,
	// such as a Credential Access Boundary. In this case, set
	// `subject_token_type` to `urn:ietf:params:oauth:token-type:access_token`.
	// If an access token already contains security attributes, you cannot
	// apply additional security attributes.
	//
	// NOTE(review): whichever form it takes, this value is a credential
	// (a signed external token or a Google access token); keep it out of
	// logs, error messages and debug dumps of this struct.
	SubjectToken string `json:"subjectToken,omitempty"`

	// SubjectTokenType: Required. An identifier that indicates the type of
	// the security token in the `subject_token` parameter. Supported values
	// are `urn:ietf:params:oauth:token-type:jwt`,
	// `urn:ietf:params:oauth:token-type:id_token`,
	// `urn:ietf:params:aws:token-type:aws4_request`, and
	// `urn:ietf:params:oauth:token-type:access_token`.
	SubjectTokenType string `json:"subjectTokenType,omitempty"`

	// ForceSendFields is a list of field names (e.g. "Audience") to
	// unconditionally include in API requests. By default, fields with
	// empty or default values are omitted from API requests. However, any
	// non-pointer, non-interface field appearing in ForceSendFields will be
	// sent to the server regardless of whether the field is empty or not.
	// This may be used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "Audience") to include in
	// API requests with the JSON null value. By default, fields with empty
	// values are omitted from API requests. However, any field with an
	// empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}

// MarshalJSON encodes s, honouring ForceSendFields and NullFields.
func (s *GoogleIdentityStsV1ExchangeTokenRequest) MarshalJSON() ([]byte, error) {
	// noMethod has the same fields but no methods, so encoding it does not
	// re-enter this MarshalJSON.
	type noMethod GoogleIdentityStsV1ExchangeTokenRequest
	return gensupport.MarshalJSON(noMethod(*s), s.ForceSendFields, s.NullFields)
}

// GoogleIdentityStsV1ExchangeTokenResponse: Response message for
// ExchangeToken.
type GoogleIdentityStsV1ExchangeTokenResponse struct {
	// AccessToken: An OAuth 2.0 security token, issued by Google, in
	// response to the token exchange request. Tokens can vary in size,
	// depending in part on the size of mapped claims, up to a maximum of
	// 12288 bytes (12 KB). Google reserves the right to change the token
	// size and the maximum length at any time.
	//
	// NOTE(review): this is a bearer credential; treat it as a secret and
	// do not log it or embed it in error text.
	AccessToken string `json:"access_token,omitempty"`

	// ExpiresIn: The amount of time, in seconds, between the time when the
	// access token was issued and the time when the access token will
	// expire. This field is absent when the `subject_token` in the request
	// is a Google-issued, short-lived access token. In this case, the
	// access token has the same expiration time as the `subject_token`.
	ExpiresIn int64 `json:"expires_in,omitempty"`

	// IssuedTokenType: The token type. Always matches the value of
	// `requested_token_type` from the request.
	IssuedTokenType string `json:"issued_token_type,omitempty"`

	// TokenType: The type of access token. Always has the value `Bearer`.
	TokenType string `json:"token_type,omitempty"`

	// ServerResponse contains the HTTP response code and headers from the
	// server.
	googleapi.ServerResponse `json:"-"`

	// ForceSendFields is a list of field names (e.g. "AccessToken") to
	// unconditionally include in API requests. By default, fields with
	// empty or default values are omitted from API requests. However, any
	// non-pointer, non-interface field appearing in ForceSendFields will be
	// sent to the server regardless of whether the field is empty or not.
	// This may be used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "AccessToken") to include
	// in API requests with the JSON null value. By default, fields with
	// empty values are omitted from API requests. However, any field with
	// an empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}

// MarshalJSON encodes s, honouring ForceSendFields and NullFields.
func (s *GoogleIdentityStsV1ExchangeTokenResponse) MarshalJSON() ([]byte, error) {
	// noMethod has the same fields but no methods, so encoding it does not
	// re-enter this MarshalJSON.
	type noMethod GoogleIdentityStsV1ExchangeTokenResponse
	return gensupport.MarshalJSON(noMethod(*s), s.ForceSendFields, s.NullFields)
}

// GoogleIdentityStsV1Options: An `Options` object configures features
// that the Security Token Service supports, but that are not supported
// by standard OAuth 2.0 token exchange endpoints, as defined in
// https://tools.ietf.org/html/rfc8693.
type GoogleIdentityStsV1Options struct {
	// AccessBoundary: An access boundary that defines the upper bound of
	// permissions the credential may have. The value should be a JSON
	// object of AccessBoundary. The access boundary can include up to 10
	// rules. The size of the parameter value should not exceed 2048
	// characters.
	AccessBoundary *GoogleIdentityStsV1AccessBoundary `json:"accessBoundary,omitempty"`

	// Audiences: The intended audience(s) of the credential. The audience
	// value(s) should be the name(s) of services intended to receive the
	// credential. Example: `["https://pubsub.googleapis.com/",
	// "https://storage.googleapis.com/"]`. A maximum of 5 audiences can be
	// included. For each provided audience, the maximum length is 262
	// characters.
	Audiences []string `json:"audiences,omitempty"`

	// UserProject: A Google project used for quota and billing purposes
	// when the credential is used to access Google APIs. The provided
	// project overrides the project bound to the credential. The value must
	// be a project number or a project ID. Example:
	// `my-sample-project-191923`. The maximum length is 32 characters.
	UserProject string `json:"userProject,omitempty"`

	// ForceSendFields is a list of field names (e.g. "AccessBoundary") to
	// unconditionally include in API requests. By default, fields with
	// empty or default values are omitted from API requests. However, any
	// non-pointer, non-interface field appearing in ForceSendFields will be
	// sent to the server regardless of whether the field is empty or not.
	// This may be used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "AccessBoundary") to
	// include in API requests with the JSON null value. By default, fields
	// with empty values are omitted from API requests. However, any field
	// with an empty value appearing in NullFields will be sent to the
	// server as null. It is an error if a field in this list has a
	// non-empty value. This may be used to include null fields in Patch
	// requests.
	NullFields []string `json:"-"`
}

// MarshalJSON encodes s, honouring ForceSendFields and NullFields.
func (s *GoogleIdentityStsV1Options) MarshalJSON() ([]byte, error) {
	// noMethod has the same fields but no methods, so encoding it does not
	// re-enter this MarshalJSON.
	type noMethod GoogleIdentityStsV1Options
	return gensupport.MarshalJSON(noMethod(*s), s.ForceSendFields, s.NullFields)
}

// GoogleIdentityStsV1betaAccessBoundary: An access boundary defines the
// upper bound of what a principal may access. It includes a list of
// access boundary rules that each defines the resource that may be
// allowed as well as permissions that may be used on those resources.
type GoogleIdentityStsV1betaAccessBoundary struct {
	// AccessBoundaryRules: A list of access boundary rules which defines
	// the upper bound of the permission a principal may carry. If multiple
	// rules are specified, the effective access boundary is the union of
	// all the access boundary rules attached. One access boundary can
	// contain at most 10 rules.
	AccessBoundaryRules []*GoogleIdentityStsV1betaAccessBoundaryRule `json:"accessBoundaryRules,omitempty"`

	// ForceSendFields is a list of field names (e.g. "AccessBoundaryRules")
	// to unconditionally include in API requests. By default, fields with
	// empty or default values are omitted from API requests. However, any
	// non-pointer, non-interface field appearing in ForceSendFields will be
	// sent to the server regardless of whether the field is empty or not.
	// This may be used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "AccessBoundaryRules") to
	// include in API requests with the JSON null value. By default, fields
	// with empty values are omitted from API requests. However, any field
	// with an empty value appearing in NullFields will be sent to the
	// server as null. It is an error if a field in this list has a
	// non-empty value. This may be used to include null fields in Patch
	// requests.
	NullFields []string `json:"-"`
}

// MarshalJSON encodes s, honouring ForceSendFields and NullFields.
func (s *GoogleIdentityStsV1betaAccessBoundary) MarshalJSON() ([]byte, error) {
	// noMethod has the same fields but no methods, so encoding it does not
	// re-enter this MarshalJSON.
	type noMethod GoogleIdentityStsV1betaAccessBoundary
	return gensupport.MarshalJSON(noMethod(*s), s.ForceSendFields, s.NullFields)
}

// GoogleIdentityStsV1betaAccessBoundaryRule: An access boundary rule
// defines an upper bound of IAM permissions on a single resource.
type GoogleIdentityStsV1betaAccessBoundaryRule struct {
	// AvailabilityCondition: The availability condition further constrains
	// the access allowed by the access boundary rule. If the condition
	// evaluates to `true`, then this access boundary rule will provide
	// access to the specified resource, assuming the principal has the
	// required permissions for the resource. If the condition does not
	// evaluate to `true`, then access to the specified resource will not be
	// available. Note that all access boundary rules in an access boundary
	// are evaluated together as a union. As such, another access boundary
	// rule may allow access to the resource, even if this access boundary
	// rule does not allow access. To learn which resources support
	// conditions in their IAM policies, see the IAM documentation
	// (https://cloud.google.com/iam/help/conditions/resource-policies). The
	// maximum length of the `expression` field is 2048 characters.
	AvailabilityCondition *GoogleTypeExpr `json:"availabilityCondition,omitempty"`

	// AvailablePermissions: A list of permissions that may be allowed for
	// use on the specified resource. The only supported values in the list
	// are IAM roles, following the format of google.iam.v1.Binding.role.
	// Example value: `inRole:roles/logging.viewer` for predefined roles and
	// `inRole:organizations/{ORGANIZATION_ID}/roles/logging.viewer` for
	// custom roles.
	AvailablePermissions []string `json:"availablePermissions,omitempty"`

	// AvailableResource: The full resource name of a Google Cloud resource
	// entity. The format definition is at
	// https://cloud.google.com/apis/design/resource_names. Example value:
	// `//cloudresourcemanager.googleapis.com/projects/my-project`.
	AvailableResource string `json:"availableResource,omitempty"`

	// ForceSendFields is a list of field names (e.g.
	// "AvailabilityCondition") to unconditionally include in API requests.
	// By default, fields with empty or default values are omitted from API
	// requests. However, any non-pointer, non-interface field appearing in
	// ForceSendFields will be sent to the server regardless of whether the
	// field is empty or not. This may be used to include empty fields in
	// Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "AvailabilityCondition") to
	// include in API requests with the JSON null value. By default, fields
	// with empty values are omitted from API requests. However, any field
	// with an empty value appearing in NullFields will be sent to the
	// server as null. It is an error if a field in this list has a
	// non-empty value. This may be used to include null fields in Patch
	// requests.
	NullFields []string `json:"-"`
}

// MarshalJSON encodes s, honouring ForceSendFields and NullFields.
func (s *GoogleIdentityStsV1betaAccessBoundaryRule) MarshalJSON() ([]byte, error) {
	// noMethod has the same fields but no methods, so encoding it does not
	// re-enter this MarshalJSON.
	type noMethod GoogleIdentityStsV1betaAccessBoundaryRule
	return gensupport.MarshalJSON(noMethod(*s), s.ForceSendFields, s.NullFields)
}

// GoogleIdentityStsV1betaOptions: An `Options` object configures
// features that the Security Token Service supports, but that are not
// supported by standard OAuth 2.0 token exchange endpoints, as defined
// in https://tools.ietf.org/html/rfc8693.
type GoogleIdentityStsV1betaOptions struct {
	// AccessBoundary: An access boundary that defines the upper bound of
	// permissions the credential may have. The value should be a JSON
	// object of AccessBoundary. The access boundary can include up to 10
	// rules. The size of the parameter value should not exceed 2048
	// characters.
	AccessBoundary *GoogleIdentityStsV1betaAccessBoundary `json:"accessBoundary,omitempty"`

	// Audiences: The intended audience(s) of the credential. The audience
	// value(s) should be the name(s) of services intended to receive the
	// credential. Example: `["https://pubsub.googleapis.com/",
	// "https://storage.googleapis.com/"]`. A maximum of 5 audiences can be
	// included. For each provided audience, the maximum length is 262
	// characters.
	Audiences []string `json:"audiences,omitempty"`

	// UserProject: A Google project used for quota and billing purposes
	// when the credential is used to access Google APIs. The provided
	// project overrides the project bound to the credential. The value must
	// be a project number or a project ID. Example:
	// `my-sample-project-191923`. The maximum length is 32 characters.
	UserProject string `json:"userProject,omitempty"`

	// ForceSendFields is a list of field names (e.g. "AccessBoundary") to
	// unconditionally include in API requests. By default, fields with
	// empty or default values are omitted from API requests. However, any
	// non-pointer, non-interface field appearing in ForceSendFields will be
	// sent to the server regardless of whether the field is empty or not.
	// This may be used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "AccessBoundary") to
	// include in API requests with the JSON null value. By default, fields
	// with empty values are omitted from API requests. However, any field
	// with an empty value appearing in NullFields will be sent to the
	// server as null. It is an error if a field in this list has a
	// non-empty value. This may be used to include null fields in Patch
	// requests.
	NullFields []string `json:"-"`
}

// MarshalJSON encodes s, honouring ForceSendFields and NullFields.
func (s *GoogleIdentityStsV1betaOptions) MarshalJSON() ([]byte, error) {
	// noMethod has the same fields but no methods, so encoding it does not
	// re-enter this MarshalJSON.
	type noMethod GoogleIdentityStsV1betaOptions
	return gensupport.MarshalJSON(noMethod(*s), s.ForceSendFields, s.NullFields)
}

// GoogleTypeExpr: Represents a textual expression in the Common
// Expression Language (CEL) syntax. CEL is a C-like expression
// language. The syntax and semantics of CEL are documented at
// https://github.com/google/cel-spec.
// Example (Comparison): title: "Summary size limit" description:
// "Determines if a summary is less than 100 chars" expression:
// "document.summary.size() < 100"
//
// Example (Equality): title: "Requestor is owner" description: "Determines
// if requestor is the document owner" expression: "document.owner ==
// request.auth.claims.email"
//
// Example (Logic): title: "Public documents" description: "Determine
// whether the document should be publicly visible" expression:
// "document.type != 'private' && document.type != 'internal'"
//
// Example (Data Manipulation): title: "Notification string" description:
// "Create a notification string with a timestamp." expression: "'New
// message received at ' + string(document.create_time)"
//
// Which variables and functions an expression may reference is decided by
// the service that evaluates it; consult that service's documentation.
type GoogleTypeExpr struct {
	// Description is optional longer text describing the expression, e.g.
	// for display when it is hovered over in a UI.
	Description string `json:"description,omitempty"`

	// Expression is the textual representation of the expression in CEL
	// syntax.
	Expression string `json:"expression,omitempty"`

	// Location is an optional string giving the expression's location for
	// error reporting, e.g. a file name and a position within that file.
	Location string `json:"location,omitempty"`

	// Title is an optional short string describing the expression's purpose,
	// e.g. for UIs that let users enter the expression.
	Title string `json:"title,omitempty"`

	// ForceSendFields lists field names (e.g. "Description") to include in
	// API requests unconditionally. Fields with empty or default values are
	// normally omitted; a non-pointer, non-interface field named here is
	// sent whether or not it is empty. Useful for Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields lists field names (e.g. "Description") that are sent with
	// the JSON null value. Empty fields are normally omitted from API
	// requests; a field named here is sent as null instead. It is an error
	// for a field in this list to hold a non-empty value. Useful for
	// expressing nulls in Patch requests.
	NullFields []string `json:"-"`
}

// MarshalJSON encodes the expression, applying ForceSendFields and
// NullFields through gensupport.MarshalJSON. NoMethod has no MarshalJSON of
// its own, so encoding it cannot re-enter this function.
func (s *GoogleTypeExpr) MarshalJSON() ([]byte, error) {
	type NoMethod GoogleTypeExpr
	return gensupport.MarshalJSON(NoMethod(*s), s.ForceSendFields, s.NullFields)
}

// method id "sts.token":

// V1TokenCall is a pending "sts.token" request as built by V1Service.Token.
// The exchange request is held until Do sends it; urlParams_, ctx_ and
// header_ collect the query parameters, context and extra HTTP headers
// supplied through the chained setters.
type V1TokenCall struct {
	s                                       *Service
	googleidentitystsv1exchangetokenrequest *GoogleIdentityStsV1ExchangeTokenRequest
	urlParams_                              gensupport.URLParams
	ctx_                                    context.Context
	header_                                 http.Header
}

// Token exchanges a credential for a Google OAuth 2.0 access token. The
// resulting token either asserts an external identity within a workload
// identity pool or applies a Credential Access Boundary to an existing
// Google access token. Do not send an `Authorization` HTTP header with this
// call: the method does not require it, and its presence can cause the
// request to fail.
func (r *V1Service) Token(googleidentitystsv1exchangetokenrequest *GoogleIdentityStsV1ExchangeTokenRequest) *V1TokenCall {
	return &V1TokenCall{
		s:                                       r.s,
		googleidentitystsv1exchangetokenrequest: googleidentitystsv1exchangetokenrequest,
		urlParams_:                              make(gensupport.URLParams),
	}
}

// Fields restricts the response to the named fields (a partial response).
// See https://developers.google.com/gdata/docs/2.0/basics#PartialResponse
// for details.
func (c *V1TokenCall) Fields(s ...googleapi.Field) *V1TokenCall {
	c.urlParams_.Set("fields", googleapi.CombineFields(s))
	return c
}

// Context attaches ctx to the call; the HTTP request issued by Do is
// aborted if ctx is canceled while it is pending.
func (c *V1TokenCall) Context(ctx context.Context) *V1TokenCall {
	c.ctx_ = ctx
	return c
}

// Header returns the mutable set of extra HTTP headers that doRequest
// merges into the outgoing request. Values added here are copied in before
// User-Agent and Content-Type are assigned, so those two always carry the
// client's values. Per the Token documentation, do not add an
// `Authorization` header.
func (c *V1TokenCall) Header() http.Header {
	if c.header_ != nil {
		return c.header_
	}
	c.header_ = make(http.Header)
	return c.header_
}

// doRequest builds and sends the POST to v1/token and returns the raw HTTP
// response. alt selects the response encoding (Do passes "json"). The
// exchange request — which carries the credential being exchanged — is
// serialized as the JSON request body, so it should not be logged.
func (c *V1TokenCall) doRequest(alt string) (*http.Response, error) {
	hdr := make(http.Header)
	hdr.Set("x-goog-api-client", "gl-go/"+gensupport.GoVersion()+" gdcl/20210915")
	// Caller-supplied headers come next; ranging over a nil header_ simply
	// does nothing.
	for name, values := range c.header_ {
		hdr[name] = values
	}
	hdr.Set("User-Agent", c.s.userAgent())

	var (
		body io.Reader
		err  error
	)
	body, err = googleapi.WithoutDataWrapper.JSONReader(c.googleidentitystsv1exchangetokenrequest)
	if err != nil {
		return nil, err
	}
	hdr.Set("Content-Type", "application/json")

	c.urlParams_.Set("alt", alt)
	c.urlParams_.Set("prettyPrint", "false")
	endpoint := googleapi.ResolveRelative(c.s.BasePath, "v1/token") + "?" + c.urlParams_.Encode()
	req, err := http.NewRequest(http.MethodPost, endpoint, body)
	if err != nil {
		return nil, err
	}
	req.Header = hdr
	return gensupport.SendRequest(c.ctx_, c.s.client, req)
}

// Do executes the "sts.token" call and decodes the result. Exactly one of
// the returned *GoogleIdentityStsV1ExchangeTokenResponse or error is
// non-nil; any non-2xx status code is an error. Response headers are in
// *GoogleIdentityStsV1ExchangeTokenResponse.ServerResponse.Header or, when
// a response was received at all, in error.(*googleapi.Error).Header. Use
// googleapi.IsNotModified to test whether the error stands for
// http.StatusNotModified. The decoded response is the token-exchange
// result — an access token per the API description — so treat it as a
// secret.
func (c *V1TokenCall) Do(opts ...googleapi.CallOption) (*GoogleIdentityStsV1ExchangeTokenResponse, error) {
	gensupport.SetOptions(c.urlParams_, opts...)
	resp, err := c.doRequest("json")
	// The 304 case is checked before err so that a Not Modified response is
	// always surfaced as a *googleapi.Error carrying its headers.
	if resp != nil && resp.StatusCode == http.StatusNotModified {
		if resp.Body != nil {
			resp.Body.Close()
		}
		return nil, &googleapi.Error{Code: resp.StatusCode, Header: resp.Header}
	}
	if err != nil {
		return nil, err
	}
	defer googleapi.CloseBody(resp)
	if err := googleapi.CheckResponse(resp); err != nil {
		return nil, err
	}
	out := &GoogleIdentityStsV1ExchangeTokenResponse{
		ServerResponse: googleapi.ServerResponse{
			Header:         resp.Header,
			HTTPStatusCode: resp.StatusCode,
		},
	}
	if err := gensupport.DecodeResponse(&out, resp); err != nil {
		return nil, err
	}
	return out, nil
	// {
	//   "description": "Exchanges a credential for a Google OAuth 2.0 access token. The token asserts an external identity within a workload identity pool, or it applies a Credential Access Boundary to a Google access token. When you call this method, do not send the `Authorization` HTTP header in the request. This method does not require the `Authorization` header, and using the header can cause the request to fail.",
	//   "flatPath": "v1/token",
	//   "httpMethod": "POST",
	//   "id": "sts.token",
	//   "parameterOrder": [],
	//   "parameters": {},
	//   "path": "v1/token",
	//   "request": {
	//     "$ref": "GoogleIdentityStsV1ExchangeTokenRequest"
	//   },
	//   "response": {
	//     "$ref": "GoogleIdentityStsV1ExchangeTokenResponse"
	//   }
	// }

}