// Copyright 2021 Google LLC.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// Code generated file. DO NOT EDIT.

// Package sts provides access to the Security Token Service API.
//
// For product documentation, see: http://cloud.google.com/iam/docs/workload-identity-federation
//
// Creating a client
//
// Usage example:
//
//   import "google.golang.org/api/sts/v1beta"
//   ...
//   ctx := context.Background()
//   stsService, err := sts.NewService(ctx)
//
// In this example, Google Application Default Credentials are used for authentication.
//
// For information on how to create and obtain Application Default Credentials, see https://developers.google.com/identity/protocols/application-default-credentials.
//
// Other authentication options
//
// To use an API key for authentication (note: some APIs do not support API keys), use option.WithAPIKey:
//
//   stsService, err := sts.NewService(ctx, option.WithAPIKey("AIza..."))
//
// To use an OAuth token (e.g., a user token obtained via a three-legged OAuth flow), use option.WithTokenSource:
//
//   config := &oauth2.Config{...}
//   // ...
//   token, err := config.Exchange(ctx, ...)
//   stsService, err := sts.NewService(ctx, option.WithTokenSource(config.TokenSource(ctx, token)))
//
// See https://godoc.org/google.golang.org/api/option/ for details on options.
38package sts // import "google.golang.org/api/sts/v1beta" 39 40import ( 41 "bytes" 42 "context" 43 "encoding/json" 44 "errors" 45 "fmt" 46 "io" 47 "net/http" 48 "net/url" 49 "strconv" 50 "strings" 51 52 googleapi "google.golang.org/api/googleapi" 53 gensupport "google.golang.org/api/internal/gensupport" 54 option "google.golang.org/api/option" 55 internaloption "google.golang.org/api/option/internaloption" 56 htransport "google.golang.org/api/transport/http" 57) 58 59// Always reference these packages, just in case the auto-generated code 60// below doesn't. 61var _ = bytes.NewBuffer 62var _ = strconv.Itoa 63var _ = fmt.Sprintf 64var _ = json.NewDecoder 65var _ = io.Copy 66var _ = url.Parse 67var _ = gensupport.MarshalJSON 68var _ = googleapi.Version 69var _ = errors.New 70var _ = strings.Replace 71var _ = context.Canceled 72var _ = internaloption.WithDefaultEndpoint 73 74const apiId = "sts:v1beta" 75const apiName = "sts" 76const apiVersion = "v1beta" 77const basePath = "https://sts.googleapis.com/" 78const mtlsBasePath = "https://sts.mtls.googleapis.com/" 79 80// NewService creates a new Service. 81func NewService(ctx context.Context, opts ...option.ClientOption) (*Service, error) { 82 opts = append(opts, internaloption.WithDefaultEndpoint(basePath)) 83 opts = append(opts, internaloption.WithDefaultMTLSEndpoint(mtlsBasePath)) 84 client, endpoint, err := htransport.NewClient(ctx, opts...) 85 if err != nil { 86 return nil, err 87 } 88 s, err := New(client) 89 if err != nil { 90 return nil, err 91 } 92 if endpoint != "" { 93 s.BasePath = endpoint 94 } 95 return s, nil 96} 97 98// New creates a new Service. It uses the provided http.Client for requests. 99// 100// Deprecated: please use NewService instead. 101// To provide a custom HTTP client, use option.WithHTTPClient. 102// If you are using google.golang.org/api/googleapis/transport.APIKey, use option.WithAPIKey with NewService instead. 
103func New(client *http.Client) (*Service, error) { 104 if client == nil { 105 return nil, errors.New("client is nil") 106 } 107 s := &Service{client: client, BasePath: basePath} 108 s.V1beta = NewV1betaService(s) 109 return s, nil 110} 111 112type Service struct { 113 client *http.Client 114 BasePath string // API endpoint base URL 115 UserAgent string // optional additional User-Agent fragment 116 117 V1beta *V1betaService 118} 119 120func (s *Service) userAgent() string { 121 if s.UserAgent == "" { 122 return googleapi.UserAgent 123 } 124 return googleapi.UserAgent + " " + s.UserAgent 125} 126 127func NewV1betaService(s *Service) *V1betaService { 128 rs := &V1betaService{s: s} 129 return rs 130} 131 132type V1betaService struct { 133 s *Service 134} 135 136// GoogleIamV1Binding: Associates `members`, or principals, with a 137// `role`. 138type GoogleIamV1Binding struct { 139 // Condition: The condition that is associated with this binding. If the 140 // condition evaluates to `true`, then this binding applies to the 141 // current request. If the condition evaluates to `false`, then this 142 // binding does not apply to the current request. However, a different 143 // role binding might grant the same role to one or more of the 144 // principals in this binding. To learn which resources support 145 // conditions in their IAM policies, see the IAM documentation 146 // (https://cloud.google.com/iam/help/conditions/resource-policies). 147 Condition *GoogleTypeExpr `json:"condition,omitempty"` 148 149 // Members: Specifies the principals requesting access for a Cloud 150 // Platform resource. `members` can have the following values: * 151 // `allUsers`: A special identifier that represents anyone who is on the 152 // internet; with or without a Google account. * 153 // `allAuthenticatedUsers`: A special identifier that represents anyone 154 // who is authenticated with a Google account or a service account. 
* 155 // `user:{emailid}`: An email address that represents a specific Google 156 // account. For example, `alice@example.com` . * 157 // `serviceAccount:{emailid}`: An email address that represents a 158 // service account. For example, 159 // `my-other-app@appspot.gserviceaccount.com`. * `group:{emailid}`: An 160 // email address that represents a Google group. For example, 161 // `admins@example.com`. * `deleted:user:{emailid}?uid={uniqueid}`: An 162 // email address (plus unique identifier) representing a user that has 163 // been recently deleted. For example, 164 // `alice@example.com?uid=123456789012345678901`. If the user is 165 // recovered, this value reverts to `user:{emailid}` and the recovered 166 // user retains the role in the binding. * 167 // `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address 168 // (plus unique identifier) representing a service account that has been 169 // recently deleted. For example, 170 // `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. 171 // If the service account is undeleted, this value reverts to 172 // `serviceAccount:{emailid}` and the undeleted service account retains 173 // the role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: 174 // An email address (plus unique identifier) representing a Google group 175 // that has been recently deleted. For example, 176 // `admins@example.com?uid=123456789012345678901`. If the group is 177 // recovered, this value reverts to `group:{emailid}` and the recovered 178 // group retains the role in the binding. * `domain:{domain}`: The G 179 // Suite domain (primary) that represents all the users of that domain. 180 // For example, `google.com` or `example.com`. 181 Members []string `json:"members,omitempty"` 182 183 // Role: Role that is assigned to the list of `members`, or principals. 184 // For example, `roles/viewer`, `roles/editor`, or `roles/owner`. 
185 Role string `json:"role,omitempty"` 186 187 // ForceSendFields is a list of field names (e.g. "Condition") to 188 // unconditionally include in API requests. By default, fields with 189 // empty or default values are omitted from API requests. However, any 190 // non-pointer, non-interface field appearing in ForceSendFields will be 191 // sent to the server regardless of whether the field is empty or not. 192 // This may be used to include empty fields in Patch requests. 193 ForceSendFields []string `json:"-"` 194 195 // NullFields is a list of field names (e.g. "Condition") to include in 196 // API requests with the JSON null value. By default, fields with empty 197 // values are omitted from API requests. However, any field with an 198 // empty value appearing in NullFields will be sent to the server as 199 // null. It is an error if a field in this list has a non-empty value. 200 // This may be used to include null fields in Patch requests. 201 NullFields []string `json:"-"` 202} 203 204func (s *GoogleIamV1Binding) MarshalJSON() ([]byte, error) { 205 type NoMethod GoogleIamV1Binding 206 raw := NoMethod(*s) 207 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 208} 209 210// GoogleIdentityStsV1AccessBoundary: An access boundary defines the 211// upper bound of what a principal may access. It includes a list of 212// access boundary rules that each defines the resource that may be 213// allowed as well as permissions that may be used on those resources. 214type GoogleIdentityStsV1AccessBoundary struct { 215 // AccessBoundaryRules: A list of access boundary rules which defines 216 // the upper bound of the permission a principal may carry. If multiple 217 // rules are specified, the effective access boundary is the union of 218 // all the access boundary rules attached. One access boundary can 219 // contain at most 10 rules. 
220 AccessBoundaryRules []*GoogleIdentityStsV1AccessBoundaryRule `json:"accessBoundaryRules,omitempty"` 221 222 // ForceSendFields is a list of field names (e.g. "AccessBoundaryRules") 223 // to unconditionally include in API requests. By default, fields with 224 // empty or default values are omitted from API requests. However, any 225 // non-pointer, non-interface field appearing in ForceSendFields will be 226 // sent to the server regardless of whether the field is empty or not. 227 // This may be used to include empty fields in Patch requests. 228 ForceSendFields []string `json:"-"` 229 230 // NullFields is a list of field names (e.g. "AccessBoundaryRules") to 231 // include in API requests with the JSON null value. By default, fields 232 // with empty values are omitted from API requests. However, any field 233 // with an empty value appearing in NullFields will be sent to the 234 // server as null. It is an error if a field in this list has a 235 // non-empty value. This may be used to include null fields in Patch 236 // requests. 237 NullFields []string `json:"-"` 238} 239 240func (s *GoogleIdentityStsV1AccessBoundary) MarshalJSON() ([]byte, error) { 241 type NoMethod GoogleIdentityStsV1AccessBoundary 242 raw := NoMethod(*s) 243 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 244} 245 246// GoogleIdentityStsV1AccessBoundaryRule: An access boundary rule 247// defines an upper bound of IAM permissions on a single resource. 248type GoogleIdentityStsV1AccessBoundaryRule struct { 249 // AvailabilityCondition: The availability condition further constrains 250 // the access allowed by the access boundary rule. If the condition 251 // evaluates to `true`, then this access boundary rule will provide 252 // access to the specified resource, assuming the principal has the 253 // required permissions for the resource. If the condition does not 254 // evaluate to `true`, then access to the specified resource will not be 255 // available. 
Note that all access boundary rules in an access boundary 256 // are evaluated together as a union. As such, another access boundary 257 // rule may allow access to the resource, even if this access boundary 258 // rule does not allow access. To learn which resources support 259 // conditions in their IAM policies, see the IAM documentation 260 // (https://cloud.google.com/iam/help/conditions/resource-policies). The 261 // maximum length of the `expression` field is 2048 characters. 262 AvailabilityCondition *GoogleTypeExpr `json:"availabilityCondition,omitempty"` 263 264 // AvailablePermissions: A list of permissions that may be allowed for 265 // use on the specified resource. The only supported values in the list 266 // are IAM roles, following the format of google.iam.v1.Binding.role. 267 // Example value: `inRole:roles/logging.viewer` for predefined roles and 268 // `inRole:organizations/{ORGANIZATION_ID}/roles/logging.viewer` for 269 // custom roles. 270 AvailablePermissions []string `json:"availablePermissions,omitempty"` 271 272 // AvailableResource: The full resource name of a Google Cloud resource 273 // entity. The format definition is at 274 // https://cloud.google.com/apis/design/resource_names. Example value: 275 // `//cloudresourcemanager.googleapis.com/projects/my-project`. 276 AvailableResource string `json:"availableResource,omitempty"` 277 278 // ForceSendFields is a list of field names (e.g. 279 // "AvailabilityCondition") to unconditionally include in API requests. 280 // By default, fields with empty or default values are omitted from API 281 // requests. However, any non-pointer, non-interface field appearing in 282 // ForceSendFields will be sent to the server regardless of whether the 283 // field is empty or not. This may be used to include empty fields in 284 // Patch requests. 285 ForceSendFields []string `json:"-"` 286 287 // NullFields is a list of field names (e.g. 
"AvailabilityCondition") to 288 // include in API requests with the JSON null value. By default, fields 289 // with empty values are omitted from API requests. However, any field 290 // with an empty value appearing in NullFields will be sent to the 291 // server as null. It is an error if a field in this list has a 292 // non-empty value. This may be used to include null fields in Patch 293 // requests. 294 NullFields []string `json:"-"` 295} 296 297func (s *GoogleIdentityStsV1AccessBoundaryRule) MarshalJSON() ([]byte, error) { 298 type NoMethod GoogleIdentityStsV1AccessBoundaryRule 299 raw := NoMethod(*s) 300 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 301} 302 303// GoogleIdentityStsV1Options: An `Options` object configures features 304// that the Security Token Service supports, but that are not supported 305// by standard OAuth 2.0 token exchange endpoints, as defined in 306// https://tools.ietf.org/html/rfc8693. 307type GoogleIdentityStsV1Options struct { 308 // AccessBoundary: An access boundary that defines the upper bound of 309 // permissions the credential may have. The value should be a JSON 310 // object of AccessBoundary. The access boundary can include up to 10 311 // rules. The size of the parameter value should not exceed 2048 312 // characters. 313 AccessBoundary *GoogleIdentityStsV1AccessBoundary `json:"accessBoundary,omitempty"` 314 315 // Audiences: The intended audience(s) of the credential. The audience 316 // value(s) should be the name(s) of services intended to receive the 317 // credential. Example: `["https://pubsub.googleapis.com/", 318 // "https://storage.googleapis.com/"]`. A maximum of 5 audiences can be 319 // included. For each provided audience, the maximum length is 262 320 // characters. 321 Audiences []string `json:"audiences,omitempty"` 322 323 // UserProject: A Google project used for quota and billing purposes 324 // when the credential is used to access Google APIs. 
The provided 325 // project overrides the project bound to the credential. The value must 326 // be a project number or a project ID. Example: 327 // `my-sample-project-191923`. The maximum length is 32 characters. 328 UserProject string `json:"userProject,omitempty"` 329 330 // ForceSendFields is a list of field names (e.g. "AccessBoundary") to 331 // unconditionally include in API requests. By default, fields with 332 // empty or default values are omitted from API requests. However, any 333 // non-pointer, non-interface field appearing in ForceSendFields will be 334 // sent to the server regardless of whether the field is empty or not. 335 // This may be used to include empty fields in Patch requests. 336 ForceSendFields []string `json:"-"` 337 338 // NullFields is a list of field names (e.g. "AccessBoundary") to 339 // include in API requests with the JSON null value. By default, fields 340 // with empty values are omitted from API requests. However, any field 341 // with an empty value appearing in NullFields will be sent to the 342 // server as null. It is an error if a field in this list has a 343 // non-empty value. This may be used to include null fields in Patch 344 // requests. 345 NullFields []string `json:"-"` 346} 347 348func (s *GoogleIdentityStsV1Options) MarshalJSON() ([]byte, error) { 349 type NoMethod GoogleIdentityStsV1Options 350 raw := NoMethod(*s) 351 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 352} 353 354// GoogleIdentityStsV1betaAccessBoundary: An access boundary defines the 355// upper bound of what a principal may access. It includes a list of 356// access boundary rules that each defines the resource that may be 357// allowed as well as permissions that may be used on those resources. 358type GoogleIdentityStsV1betaAccessBoundary struct { 359 // AccessBoundaryRules: A list of access boundary rules which defines 360 // the upper bound of the permission a principal may carry. 
If multiple 361 // rules are specified, the effective access boundary is the union of 362 // all the access boundary rules attached. One access boundary can 363 // contain at most 10 rules. 364 AccessBoundaryRules []*GoogleIdentityStsV1betaAccessBoundaryRule `json:"accessBoundaryRules,omitempty"` 365 366 // ForceSendFields is a list of field names (e.g. "AccessBoundaryRules") 367 // to unconditionally include in API requests. By default, fields with 368 // empty or default values are omitted from API requests. However, any 369 // non-pointer, non-interface field appearing in ForceSendFields will be 370 // sent to the server regardless of whether the field is empty or not. 371 // This may be used to include empty fields in Patch requests. 372 ForceSendFields []string `json:"-"` 373 374 // NullFields is a list of field names (e.g. "AccessBoundaryRules") to 375 // include in API requests with the JSON null value. By default, fields 376 // with empty values are omitted from API requests. However, any field 377 // with an empty value appearing in NullFields will be sent to the 378 // server as null. It is an error if a field in this list has a 379 // non-empty value. This may be used to include null fields in Patch 380 // requests. 381 NullFields []string `json:"-"` 382} 383 384func (s *GoogleIdentityStsV1betaAccessBoundary) MarshalJSON() ([]byte, error) { 385 type NoMethod GoogleIdentityStsV1betaAccessBoundary 386 raw := NoMethod(*s) 387 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 388} 389 390// GoogleIdentityStsV1betaAccessBoundaryRule: An access boundary rule 391// defines an upper bound of IAM permissions on a single resource. 392type GoogleIdentityStsV1betaAccessBoundaryRule struct { 393 // AvailabilityCondition: The availability condition further constrains 394 // the access allowed by the access boundary rule. 
If the condition 395 // evaluates to `true`, then this access boundary rule will provide 396 // access to the specified resource, assuming the principal has the 397 // required permissions for the resource. If the condition does not 398 // evaluate to `true`, then access to the specified resource will not be 399 // available. Note that all access boundary rules in an access boundary 400 // are evaluated together as a union. As such, another access boundary 401 // rule may allow access to the resource, even if this access boundary 402 // rule does not allow access. To learn which resources support 403 // conditions in their IAM policies, see the IAM documentation 404 // (https://cloud.google.com/iam/help/conditions/resource-policies). The 405 // maximum length of the `expression` field is 2048 characters. 406 AvailabilityCondition *GoogleTypeExpr `json:"availabilityCondition,omitempty"` 407 408 // AvailablePermissions: A list of permissions that may be allowed for 409 // use on the specified resource. The only supported values in the list 410 // are IAM roles, following the format of google.iam.v1.Binding.role. 411 // Example value: `inRole:roles/logging.viewer` for predefined roles and 412 // `inRole:organizations/{ORGANIZATION_ID}/roles/logging.viewer` for 413 // custom roles. 414 AvailablePermissions []string `json:"availablePermissions,omitempty"` 415 416 // AvailableResource: The full resource name of a Google Cloud resource 417 // entity. The format definition is at 418 // https://cloud.google.com/apis/design/resource_names. Example value: 419 // `//cloudresourcemanager.googleapis.com/projects/my-project`. 420 AvailableResource string `json:"availableResource,omitempty"` 421 422 // ForceSendFields is a list of field names (e.g. 423 // "AvailabilityCondition") to unconditionally include in API requests. 424 // By default, fields with empty or default values are omitted from API 425 // requests. 
However, any non-pointer, non-interface field appearing in 426 // ForceSendFields will be sent to the server regardless of whether the 427 // field is empty or not. This may be used to include empty fields in 428 // Patch requests. 429 ForceSendFields []string `json:"-"` 430 431 // NullFields is a list of field names (e.g. "AvailabilityCondition") to 432 // include in API requests with the JSON null value. By default, fields 433 // with empty values are omitted from API requests. However, any field 434 // with an empty value appearing in NullFields will be sent to the 435 // server as null. It is an error if a field in this list has a 436 // non-empty value. This may be used to include null fields in Patch 437 // requests. 438 NullFields []string `json:"-"` 439} 440 441func (s *GoogleIdentityStsV1betaAccessBoundaryRule) MarshalJSON() ([]byte, error) { 442 type NoMethod GoogleIdentityStsV1betaAccessBoundaryRule 443 raw := NoMethod(*s) 444 return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields) 445} 446 447// GoogleIdentityStsV1betaExchangeTokenRequest: Request message for 448// ExchangeToken. 449type GoogleIdentityStsV1betaExchangeTokenRequest struct { 450 // Audience: The full resource name of the identity provider. For 451 // example, 452 // `//iam.googleapis.com/projects//locations/global/workloadIdentityPools 453 // //providers/`. Required when exchanging an external credential for a 454 // Google access token. 455 Audience string `json:"audience,omitempty"` 456 457 // GrantType: Required. The grant type. Must be 458 // `urn:ietf:params:oauth:grant-type:token-exchange`, which indicates a 459 // token exchange. 460 GrantType string `json:"grantType,omitempty"` 461 462 // Options: A set of features that Security Token Service supports, in 463 // addition to the standard OAuth 2.0 token exchange, formatted as a 464 // serialized JSON object of Options. 465 Options string `json:"options,omitempty"` 466 467 // RequestedTokenType: Required. 
The type of security token. Must be 468 // `urn:ietf:params:oauth:token-type:access_token`, which indicates an 469 // OAuth 2.0 access token. 470 RequestedTokenType string `json:"requestedTokenType,omitempty"` 471 472 // Scope: The OAuth 2.0 scopes to include on the resulting access token, 473 // formatted as a list of space-delimited, case-sensitive strings. 474 // Required when exchanging an external credential for a Google access 475 // token. 476 Scope string `json:"scope,omitempty"` 477 478 // SubjectToken: Required. The input token. This token is either an 479 // external credential issued by a workload identity pool provider, or a 480 // short-lived access token issued by Google. If the token is an OIDC 481 // JWT, it must use the JWT format defined in RFC 7523 482 // (https://tools.ietf.org/html/rfc7523), and the `subject_token_type` 483 // must be either `urn:ietf:params:oauth:token-type:jwt` or 484 // `urn:ietf:params:oauth:token-type:id_token`. The following headers 485 // are required: - `kid`: The identifier of the signing key securing the 486 // JWT. - `alg`: The cryptographic algorithm securing the JWT. Must be 487 // `RS256` or `ES256`. The following payload fields are required. For 488 // more information, see RFC 7523, Section 3 489 // (https://tools.ietf.org/html/rfc7523#section-3): - `iss`: The issuer 490 // of the token. The issuer must provide a discovery document at the URL 491 // `/.well-known/openid-configuration`, where `` is the value of this 492 // field. The document must be formatted according to section 4.2 of the 493 // OIDC 1.0 Discovery specification 494 // (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). 495 // - `iat`: The issue time, in seconds, since the Unix epoch. Must be in 496 // the past. - `exp`: The expiration time, in seconds, since the Unix 497 // epoch. Must be less than 48 hours after `iat`. Shorter expiration 498 // times are more secure. 
If possible, we recommend setting an 499 // expiration time less than 6 hours. - `sub`: The identity asserted in 500 // the JWT. - `aud`: For workload identity pools, this must be a value 501 // specified in the allowed audiences for the workload identity pool 502 // provider, or one of the audiences allowed by default if no audiences 503 // were specified. See 504 // https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools.providers#oidc 505 // Example header: ``` { "alg": "RS256", "kid": "us-east-11" } ``` 506 // Example payload: ``` { "iss": "https://accounts.google.com", "iat": 507 // 1517963104, "exp": 1517966704, "aud": 508 // "//iam.googleapis.com/projects/1234567890123/locations/global/workload 509 // IdentityPools/my-pool/providers/my-provider", "sub": 510 // "113475438248934895348", "my_claims": { "additional_claim": "value" } 511 // } ``` If `subject_token` is for AWS, it must be a serialized 512 // `GetCallerIdentity` token. This token contains the same information 513 // as a request to the AWS `GetCallerIdentity()` 514 // (https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity) 515 // method, as well as the AWS signature 516 // (https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html) 517 // for the request information. Use Signature Version 4. Format the 518 // request as URL-encoded JSON, and set the `subject_token_type` 519 // parameter to `urn:ietf:params:aws:token-type:aws4_request`. The 520 // following parameters are required: - `url`: The URL of the AWS STS 521 // endpoint for `GetCallerIdentity()`, such as 522 // `https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15 523 // `. Regional endpoints are also supported. - `method`: The HTTP 524 // request method: `POST`. - `headers`: The HTTP request headers, which 525 // must include: - `Authorization`: The request signature. 
- 526 // `x-amz-date`: The time you will send the request, formatted as an 527 // ISO8601 Basic 528 // (https://docs.aws.amazon.com/general/latest/gr/sigv4_elements.html#sigv4_elements_date) 529 // string. This value is typically set to the current time and is used 530 // to help prevent replay attacks. - `host`: The hostname of the `url` 531 // field; for example, `sts.amazonaws.com`. - 532 // `x-goog-cloud-target-resource`: The full, canonical resource name of 533 // the workload identity pool provider, with or without an `https:` 534 // prefix. To help ensure data integrity, we recommend including this 535 // header in the `SignedHeaders` field of the signed request. For 536 // example: 537 // //iam.googleapis.com/projects//locations/global/workloadIdentityPools/ 538 // /providers/ 539 // https://iam.googleapis.com/projects//locations/global/workloadIdentityPools//providers/ 540 // If you are using temporary security credentials provided by AWS, you 541 // must also include the header `x-amz-security-token`, with the value 542 // set to the session token. The following example shows a 543 // `GetCallerIdentity` token: ``` { "headers": [ {"key": "x-amz-date", 544 // "value": "20200815T015049Z"}, {"key": "Authorization", "value": 545 // "AWS4-HMAC-SHA256+Credential=$credential,+SignedHeaders=host;x-amz-dat 546 // e;x-goog-cloud-target-resource,+Signature=$signature"}, {"key": 547 // "x-goog-cloud-target-resource", "value": 548 // "//iam.googleapis.com/projects//locations/global/workloadIdentityPools 549 // //providers/"}, {"key": "host", "value": "sts.amazonaws.com"} . ], 550 // "method": "POST", "url": 551 // "https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15 552 // " } ``` You can also use a Google-issued OAuth 2.0 access token with 553 // this field to obtain an access token with new security attributes 554 // applied, such as a Credential Access Boundary. 
In this case, set 555 // `subject_token_type` to 556 // `urn:ietf:params:oauth:token-type:access_token`. If an access token 557 // already contains security attributes, you cannot apply additional 558 // security attributes. 559 SubjectToken string `json:"subjectToken,omitempty"` 560 561 // SubjectTokenType: Required. An identifier that indicates the type of 562 // the security token in the `subject_token` parameter. Supported values 563 // are `urn:ietf:params:oauth:token-type:jwt`, 564 // `urn:ietf:params:oauth:token-type:id_token`, 565 // `urn:ietf:params:aws:token-type:aws4_request`, and 566 // `urn:ietf:params:oauth:token-type:access_token`. 567 SubjectTokenType string `json:"subjectTokenType,omitempty"` 568 569 // ForceSendFields is a list of field names (e.g. "Audience") to 570 // unconditionally include in API requests. By default, fields with 571 // empty or default values are omitted from API requests. However, any 572 // non-pointer, non-interface field appearing in ForceSendFields will be 573 // sent to the server regardless of whether the field is empty or not. 574 // This may be used to include empty fields in Patch requests. 575 ForceSendFields []string `json:"-"` 576 577 // NullFields is a list of field names (e.g. "Audience") to include in 578 // API requests with the JSON null value. By default, fields with empty 579 // values are omitted from API requests. However, any field with an 580 // empty value appearing in NullFields will be sent to the server as 581 // null. It is an error if a field in this list has a non-empty value. 582 // This may be used to include null fields in Patch requests. 
	NullFields []string `json:"-"`
}

// MarshalJSON implements json.Marshaler for the exchange request.
// NoMethod is a defined type with the same fields but none of the
// methods, so encoding it does not recurse into this MarshalJSON;
// gensupport.MarshalJSON then applies ForceSendFields and NullFields.
// The encoded bytes carry the SubjectToken (the credential being
// exchanged) and are sent as the POST body, so they are secret material
// and should not be logged.
func (s *GoogleIdentityStsV1betaExchangeTokenRequest) MarshalJSON() ([]byte, error) {
	type NoMethod GoogleIdentityStsV1betaExchangeTokenRequest
	raw := NoMethod(*s)
	return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields)
}

// GoogleIdentityStsV1betaExchangeTokenResponse: Response message for
// ExchangeToken.
type GoogleIdentityStsV1betaExchangeTokenResponse struct {
	// AccessToken: An OAuth 2.0 security token, issued by Google, in
	// response to the token exchange request. Tokens can vary in size,
	// depending in part on the size of mapped claims, up to a maximum of
	// 12288 bytes (12 KB). Google reserves the right to change the token
	// size and the maximum length at any time.
	//
	// Handling note: this is a bearer credential (see TokenType), so any
	// party that obtains the string can use it. Treat it as a secret: do
	// not log it, include it in error messages, or store it in the clear.
	AccessToken string `json:"access_token,omitempty"`

	// ExpiresIn: The amount of time, in seconds, between the time when the
	// access token was issued and the time when the access token will
	// expire. This field is absent when the `subject_token` in the request
	// is a Google-issued, short-lived access token. In this case, the
	// access token has the same expiration time as the `subject_token`.
	//
	// Decoding note: an absent field presumably decodes to 0 here (int64
	// with omitempty), so callers should read 0 as "same lifetime as the
	// subject token", not as "already expired" — confirm against
	// gensupport.DecodeResponse.
	ExpiresIn int64 `json:"expires_in,omitempty"`

	// IssuedTokenType: The token type. Always matches the value of
	// `requested_token_type` from the request.
	IssuedTokenType string `json:"issued_token_type,omitempty"`

	// TokenType: The type of access token. Always has the value `Bearer`.
	TokenType string `json:"token_type,omitempty"`

	// ServerResponse contains the HTTP response code and headers from the
	// server.
	googleapi.ServerResponse `json:"-"`

	// ForceSendFields is a list of field names (e.g. "AccessToken") to
	// unconditionally include in API requests. By default, fields with
	// empty or default values are omitted from API requests. However, any
	// non-pointer, non-interface field appearing in ForceSendFields will be
	// sent to the server regardless of whether the field is empty or not.
	// This may be used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "AccessToken") to include
	// in API requests with the JSON null value. By default, fields with
	// empty values are omitted from API requests. However, any field with
	// an empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}

// MarshalJSON implements json.Marshaler for the exchange response. The
// NoMethod copy strips this method so the encoder does not recurse;
// ForceSendFields and NullFields are honoured by gensupport.MarshalJSON.
// Because the struct holds AccessToken, the output is credential
// material and should be handled like the token itself.
func (s *GoogleIdentityStsV1betaExchangeTokenResponse) MarshalJSON() ([]byte, error) {
	type NoMethod GoogleIdentityStsV1betaExchangeTokenResponse
	raw := NoMethod(*s)
	return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields)
}

// GoogleIdentityStsV1betaOptions: An `Options` object configures
// features that the Security Token Service supports, but that are not
// supported by standard OAuth 2.0 token exchange endpoints, as defined
// in https://tools.ietf.org/html/rfc8693.
type GoogleIdentityStsV1betaOptions struct {
	// AccessBoundary: An access boundary that defines the upper bound of
	// permissions the credential may have. The value should be a JSON
	// object of AccessBoundary. The access boundary can include up to 10
	// rules. The size of the parameter value should not exceed 2048
	// characters.
	//
	// NOTE(review): the rule-count and size limits are not checked in
	// this client as far as visible; they are presumably enforced by the
	// service. A boundary can only narrow the credential's permissions,
	// never widen them.
	AccessBoundary *GoogleIdentityStsV1betaAccessBoundary `json:"accessBoundary,omitempty"`

	// Audiences: The intended audience(s) of the credential. The audience
	// value(s) should be the name(s) of services intended to receive the
	// credential. Example: `["https://pubsub.googleapis.com/",
	// "https://storage.googleapis.com/"]`. A maximum of 5 audiences can be
	// included. For each provided audience, the maximum length is 262
	// characters.
	//
	// Restricting audiences limits where a leaked token can be replayed;
	// the count and length limits are not validated client side here.
	Audiences []string `json:"audiences,omitempty"`

	// UserProject: A Google project used for quota and billing purposes
	// when the credential is used to access Google APIs. The provided
	// project overrides the project bound to the credential. The value must
	// be a project number or a project ID. Example:
	// `my-sample-project-191923`. The maximum length is 32 characters.
	UserProject string `json:"userProject,omitempty"`

	// ForceSendFields is a list of field names (e.g. "AccessBoundary") to
	// unconditionally include in API requests. By default, fields with
	// empty or default values are omitted from API requests. However, any
	// non-pointer, non-interface field appearing in ForceSendFields will be
	// sent to the server regardless of whether the field is empty or not.
	// This may be used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "AccessBoundary") to
	// include in API requests with the JSON null value. By default, fields
	// with empty values are omitted from API requests. However, any field
	// with an empty value appearing in NullFields will be sent to the
	// server as null. It is an error if a field in this list has a
	// non-empty value. This may be used to include null fields in Patch
	// requests.
	NullFields []string `json:"-"`
}

// MarshalJSON implements json.Marshaler for Options. NoMethod drops this
// method so the encoder does not recurse; ForceSendFields and NullFields
// are applied by gensupport.MarshalJSON.
func (s *GoogleIdentityStsV1betaOptions) MarshalJSON() ([]byte, error) {
	type NoMethod GoogleIdentityStsV1betaOptions
	raw := NoMethod(*s)
	return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields)
}

// GoogleTypeExpr: Represents a textual expression in the Common
// Expression Language (CEL) syntax. CEL is a C-like expression
// language. The syntax and semantics of CEL are documented at
// https://github.com/google/cel-spec.
//
// Example (Comparison): title: "Summary size limit" description:
// "Determines if a summary is less than 100 chars" expression:
// "document.summary.size() < 100"
//
// Example (Equality): title: "Requestor is owner" description:
// "Determines if requestor is the document owner" expression:
// "document.owner == request.auth.claims.email"
//
// Example (Logic): title: "Public documents" description: "Determine
// whether the document should be publicly visible" expression:
// "document.type != 'private' && document.type != 'internal'"
//
// Example (Data Manipulation): title: "Notification string" description:
// "Create a notification string with a timestamp." expression: "'New
// message received at ' + string(document.create_time)"
//
// The exact variables and functions that may be referenced within an
// expression are determined by the service that evaluates it. See the
// service documentation for additional information. This client never
// evaluates the expression; it is passed through as text.
type GoogleTypeExpr struct {
	// Description: Optional. Description of the expression. This is a
	// longer text which describes the expression, e.g. when hovered over it
	// in a UI.
	Description string `json:"description,omitempty"`

	// Expression: Textual representation of an expression in Common
	// Expression Language syntax. Evaluated by the service, so a
	// mistyped condition is only reported (if at all) by the server.
	Expression string `json:"expression,omitempty"`

	// Location: Optional. String indicating the location of the expression
	// for error reporting, e.g. a file name and a position in the file.
	Location string `json:"location,omitempty"`

	// Title: Optional. Title for the expression, i.e. a short string
	// describing its purpose. This can be used e.g. in UIs which allow to
	// enter the expression.
	Title string `json:"title,omitempty"`

	// ForceSendFields is a list of field names (e.g. "Description") to
	// unconditionally include in API requests. By default, fields with
	// empty or default values are omitted from API requests. However, any
	// non-pointer, non-interface field appearing in ForceSendFields will be
	// sent to the server regardless of whether the field is empty or not.
	// This may be used to include empty fields in Patch requests.
	ForceSendFields []string `json:"-"`

	// NullFields is a list of field names (e.g. "Description") to include
	// in API requests with the JSON null value. By default, fields with
	// empty values are omitted from API requests. However, any field with
	// an empty value appearing in NullFields will be sent to the server as
	// null. It is an error if a field in this list has a non-empty value.
	// This may be used to include null fields in Patch requests.
	NullFields []string `json:"-"`
}

// MarshalJSON implements json.Marshaler for GoogleTypeExpr. NoMethod drops
// this method so the encoder does not recurse; ForceSendFields and
// NullFields are applied by gensupport.MarshalJSON.
func (s *GoogleTypeExpr) MarshalJSON() ([]byte, error) {
	type NoMethod GoogleTypeExpr
	raw := NoMethod(*s)
	return gensupport.MarshalJSON(raw, s.ForceSendFields, s.NullFields)
}

// method id "sts.token":

// V1betaTokenCall is the builder for one "sts.token" request. Construct
// it with V1betaService.Token, optionally chain Fields, Context and
// Header, then run it with Do.
type V1betaTokenCall struct {
	// s supplies the HTTP client and BasePath used by doRequest.
	s *Service
	// googleidentitystsv1betaexchangetokenrequest is JSON-encoded as the
	// POST body; it carries the subject token being exchanged.
	googleidentitystsv1betaexchangetokenrequest *GoogleIdentityStsV1betaExchangeTokenRequest
	// urlParams_ holds query parameters ("fields", "alt", "prettyPrint"
	// and any CallOption-set values).
	urlParams_ gensupport.URLParams
	// ctx_ is the context applied to the HTTP request in Do, if set.
	ctx_ context.Context
	// header_ holds caller-added headers from Header(). Per the Token
	// documentation, an `Authorization` header must not be added here.
	header_ http.Header
}

// Token: Exchanges a credential for a Google OAuth 2.0 access token.
// The token asserts an external identity within a workload identity
// pool, or it applies a Credential Access Boundary to a Google access
// token. When you call this method, do not send the `Authorization`
// HTTP header in the request. This method does not require the
// `Authorization` header, and using the header can cause the request to
// fail. The credential being exchanged is carried in the JSON request
// body, not in a header.
func (r *V1betaService) Token(googleidentitystsv1betaexchangetokenrequest *GoogleIdentityStsV1betaExchangeTokenRequest) *V1betaTokenCall {
	return &V1betaTokenCall{
		s:          r.s,
		urlParams_: make(gensupport.URLParams),
		googleidentitystsv1betaexchangetokenrequest: googleidentitystsv1betaexchangetokenrequest,
	}
}

// Fields restricts the response to the named fields (a partial
// response). See
// https://developers.google.com/gdata/docs/2.0/basics#PartialResponse
// for the syntax. Returns the call so further options can be chained.
func (c *V1betaTokenCall) Fields(s ...googleapi.Field) *V1betaTokenCall {
	combined := googleapi.CombineFields(s)
	c.urlParams_.Set("fields", combined)
	return c
}

// Context attaches ctx to the call; Do aborts any pending HTTP request
// when ctx is canceled. Returns the call for chaining.
func (c *V1betaTokenCall) Context(ctx context.Context) *V1betaTokenCall {
	c.ctx_ = ctx
	return c
}

// Header returns the mutable set of extra HTTP headers that doRequest
// copies onto the outgoing request, allocating it on first use. Note
// that User-Agent and Content-Type are overwritten by doRequest, and
// that the Token documentation says an `Authorization` header must not
// be sent with this method.
func (c *V1betaTokenCall) Header() http.Header {
	if c.header_ != nil {
		return c.header_
	}
	c.header_ = make(http.Header)
	return c.header_
}

// doRequest builds and sends the POST to v1beta/token and returns the
// raw *http.Response. alt selects the response encoding ("json" from
// Do). Header precedence, in order: the generated x-goog-api-client
// value, then caller headers from Header() (which may override it), then
// User-Agent and Content-Type, which always win. The request message is
// JSON-encoded as the body; if encoding fails the call returns before
// any query parameter is mutated.
func (c *V1betaTokenCall) doRequest(alt string) (*http.Response, error) {
	hdr := make(http.Header)
	hdr.Set("x-goog-api-client", "gl-go/"+gensupport.GoVersion()+" gdcl/20211201")
	// Caller-supplied headers are copied by raw key, not canonicalized.
	for name, values := range c.header_ {
		hdr[name] = values
	}
	hdr.Set("User-Agent", c.s.userAgent())

	// The body carries the subject token; it is credential material.
	body, err := googleapi.WithoutDataWrapper.JSONReader(c.googleidentitystsv1betaexchangetokenrequest)
	if err != nil {
		return nil, err
	}
	hdr.Set("Content-Type", "application/json")

	c.urlParams_.Set("alt", alt)
	c.urlParams_.Set("prettyPrint", "false")
	u := googleapi.ResolveRelative(c.s.BasePath, "v1beta/token") + "?" + c.urlParams_.Encode()

	req, err := http.NewRequest(http.MethodPost, u, body)
	if err != nil {
		return nil, err
	}
	req.Header = hdr
	return gensupport.SendRequest(c.ctx_, c.s.client, req)
}

// Do executes the "sts.token" call and decodes the result.
//
// Exactly one of *GoogleIdentityStsV1betaExchangeTokenResponse or error
// is non-nil. Any non-2xx status is returned as an error; response
// headers are available in the result's ServerResponse.Header or, when
// a response was received at all, in error.(*googleapi.Error).Header.
// An http.StatusNotModified reply is reported as a *googleapi.Error
// (check it with googleapi.IsNotModified) and is handled before the
// transport error so its body is still closed. The decoded result
// contains a bearer access token; callers should treat it as a secret.
func (c *V1betaTokenCall) Do(opts ...googleapi.CallOption) (*GoogleIdentityStsV1betaExchangeTokenResponse, error) {
	gensupport.SetOptions(c.urlParams_, opts...)
	res, err := c.doRequest("json")
	switch {
	case res != nil && res.StatusCode == http.StatusNotModified:
		if res.Body != nil {
			res.Body.Close()
		}
		return nil, &googleapi.Error{
			Code:   res.StatusCode,
			Header: res.Header,
		}
	case err != nil:
		return nil, err
	}
	defer googleapi.CloseBody(res)

	if err := googleapi.CheckResponse(res); err != nil {
		return nil, err
	}
	out := &GoogleIdentityStsV1betaExchangeTokenResponse{
		ServerResponse: googleapi.ServerResponse{
			Header:         res.Header,
			HTTPStatusCode: res.StatusCode,
		},
	}
	if err := gensupport.DecodeResponse(&out, res); err != nil {
		return nil, err
	}
	return out, nil
	// {
	//   "description": "Exchanges a credential for a Google OAuth 2.0 access token. The token asserts an external identity within a workload identity pool, or it applies a Credential Access Boundary to a Google access token. When you call this method, do not send the `Authorization` HTTP header in the request. This method does not require the `Authorization` header, and using the header can cause the request to fail.",
	//   "flatPath": "v1beta/token",
	//   "httpMethod": "POST",
	//   "id": "sts.token",
	//   "parameterOrder": [],
	//   "parameters": {},
	//   "path": "v1beta/token",
	//   "request": {
	//     "$ref": "GoogleIdentityStsV1betaExchangeTokenRequest"
	//   },
	//   "response": {
	//     "$ref": "GoogleIdentityStsV1betaExchangeTokenResponse"
	//   }
	// }

}