1{ 2 "basePath": "", 3 "baseUrl": "https://sts.googleapis.com/", 4 "batchPath": "batch", 5 "canonicalName": "Cloud Security Token", 6 "description": "The Security Token Service exchanges Google or third-party credentials for a short-lived access token to Google Cloud resources.", 7 "discoveryVersion": "v1", 8 "documentationLink": "http://cloud.google.com/iam/docs/workload-identity-federation", 9 "fullyEncodeReservedExpansion": true, 10 "icons": { 11 "x16": "http://www.google.com/images/icons/product/search-16.gif", 12 "x32": "http://www.google.com/images/icons/product/search-32.gif" 13 }, 14 "id": "sts:v1beta", 15 "kind": "discovery#restDescription", 16 "mtlsRootUrl": "https://sts.mtls.googleapis.com/", 17 "name": "sts", 18 "ownerDomain": "google.com", 19 "ownerName": "Google", 20 "parameters": { 21 "$.xgafv": { 22 "description": "V1 error format.", 23 "enum": [ 24 "1", 25 "2" 26 ], 27 "enumDescriptions": [ 28 "v1 error format", 29 "v2 error format" 30 ], 31 "location": "query", 32 "type": "string" 33 }, 34 "access_token": { 35 "description": "OAuth access token.", 36 "location": "query", 37 "type": "string" 38 }, 39 "alt": { 40 "default": "json", 41 "description": "Data format for response.", 42 "enum": [ 43 "json", 44 "media", 45 "proto" 46 ], 47 "enumDescriptions": [ 48 "Responses with Content-Type of application/json", 49 "Media download with context-dependent Content-Type", 50 "Responses with Content-Type of application/x-protobuf" 51 ], 52 "location": "query", 53 "type": "string" 54 }, 55 "callback": { 56 "description": "JSONP", 57 "location": "query", 58 "type": "string" 59 }, 60 "fields": { 61 "description": "Selector specifying which fields to include in a partial response.", 62 "location": "query", 63 "type": "string" 64 }, 65 "key": { 66 "description": "API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.", 67 "location": "query", 68 "type": "string" 69 }, 70 "oauth_token": { 71 "description": "OAuth 2.0 token for the current user.", 72 "location": "query", 73 "type": "string" 74 }, 75 "prettyPrint": { 76 "default": "true", 77 "description": "Returns response with indentations and line breaks.", 78 "location": "query", 79 "type": "boolean" 80 }, 81 "quotaUser": { 82 "description": "Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.", 83 "location": "query", 84 "type": "string" 85 }, 86 "uploadType": { 87 "description": "Legacy upload protocol for media (e.g. \"media\", \"multipart\").", 88 "location": "query", 89 "type": "string" 90 }, 91 "upload_protocol": { 92 "description": "Upload protocol for media (e.g. \"raw\", \"multipart\").", 93 "location": "query", 94 "type": "string" 95 } 96 }, 97 "protocol": "rest", 98 "resources": { 99 "v1beta": { 100 "methods": { 101 "token": { 102 "description": "Exchanges a credential for a Google OAuth 2.0 access token. The token asserts an external identity within a workload identity pool, or it applies a Credential Access Boundary to a Google access token. When you call this method, do not send the `Authorization` HTTP header in the request. This method does not require the `Authorization` header, and using the header can cause the request to fail.", 103 "flatPath": "v1beta/token", 104 "httpMethod": "POST", 105 "id": "sts.token", 106 "parameterOrder": [], 107 "parameters": {}, 108 "path": "v1beta/token", 109 "request": { 110 "$ref": "GoogleIdentityStsV1betaExchangeTokenRequest" 111 }, 112 "response": { 113 "$ref": "GoogleIdentityStsV1betaExchangeTokenResponse" 114 } 115 } 116 } 117 } 118 }, 119 "revision": "20210206", 120 "rootUrl": "https://sts.googleapis.com/", 121 "schemas": { 122 "GoogleIdentityStsV1betaExchangeTokenRequest": { 123 "description": "Request message for ExchangeToken.", 124 "id": "GoogleIdentityStsV1betaExchangeTokenRequest", 125 "properties": { 126 "audience": { 127 "description": "The full resource name of the identity provider. For example, `//iam.googleapis.com/projects//workloadIdentityPools//providers/`. Required when exchanging an external credential for a Google access token.", 128 "type": "string" 129 }, 130 "grantType": { 131 "description": "Required. The grant type. Must be `urn:ietf:params:oauth:grant-type:token-exchange`, which indicates a token exchange.", 132 "type": "string" 133 }, 134 "options": { 135 "description": "A set of features that Security Token Service supports, in addition to the standard OAuth 2.0 token exchange, formatted as a serialized JSON object of Options.", 136 "type": "string" 137 }, 138 "requestedTokenType": { 139 "description": "Required. The type of security token. Must be `urn:ietf:params:oauth:token-type:access_token`, which indicates an OAuth 2.0 access token.", 140 "type": "string" 141 }, 142 "scope": { 143 "description": "The OAuth 2.0 scopes to include on the resulting access token, formatted as a list of space-delimited, case-sensitive strings. Required when exchanging an external credential for a Google access token.", 144 "type": "string" 145 }, 146 "subjectToken": { 147 "description": "Required. The input token. This token is a either an external credential issued by a workload identity pool provider, or a short-lived access token issued by Google. If the token is an OIDC JWT, it must use the JWT format defined in [RFC 7523](https://tools.ietf.org/html/rfc7523), and the `subject_token_type` must be `urn:ietf:params:oauth:token-type:jwt`. The following headers are required: - `kid`: The identifier of the signing key securing the JWT. - `alg`: The cryptographic algorithm securing the JWT. Must be `RS256`. The following payload fields are required. For more information, see [RFC 7523, Section 3](https://tools.ietf.org/html/rfc7523#section-3): - `iss`: The issuer of the token. The issuer must provide a discovery document at the URL `/.well-known/openid-configuration`, where `` is the value of this field. The document must be formatted according to section 4.2 of the [OIDC 1.0 Discovery specification](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). - `iat`: The issue time, in seconds, since the Unix epoch. Must be in the past. - `exp`: The expiration time, in seconds, since the Unix epoch. Must be less than 48 hours after `iat`. Shorter expiration times are more secure. If possible, we recommend setting an expiration time less than 6 hours. - `sub`: The identity asserted in the JWT. - `aud`: Configured by the mapper policy. The default value is the service account's unique ID. Example header: ``` { \"alg\": \"RS256\", \"kid\": \"us-east-11\" } ``` Example payload: ``` { \"iss\": \"https://accounts.google.com\", \"iat\": 1517963104, \"exp\": 1517966704, \"aud\": \"113475438248934895348\", \"sub\": \"113475438248934895348\", \"my_claims\": { \"additional_claim\": \"value\" } } ``` If `subject_token` is for AWS, it must be a serialized `GetCallerIdentity` token. This token contains the same information as a request to the AWS [`GetCallerIdentity()`](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity) method, as well as the AWS [signature](https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html) for the request information. Use Signature Version 4. Format the request as URL-encoded JSON, and set the `subject_token_type` parameter to `urn:ietf:params:aws:token-type:aws4_request`. The following parameters are required: - `url`: The URL of the AWS STS endpoint for `GetCallerIdentity()`, such as `https://sts.amazonaws.com?Action=GetCallerIdentity\u0026Version=2011-06-15`. Regional endpoints are also supported. - `method`: The HTTP request method: `POST`. - `headers`: The HTTP request headers, which must include: - `Authorization`: The request signature. - `x-amz-date`: The time you will send the request, formatted as an [ISO8601 Basic](https://docs.aws.amazon.com/general/latest/gr/sigv4_elements.html#sigv4_elements_date) string. This value is typically set to the current time and is used to help prevent replay attacks. - `host`: The hostname of the `url` field; for example, `sts.amazonaws.com`. - `x-goog-cloud-target-resource`: The full, canonical resource name of the workload identity pool provider, with or without an `https:` prefix. To help ensure data integrity, we recommend including this header in the `SignedHeaders` field of the signed request. For example: //iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ https://iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ If you are using temporary security credentials provided by AWS, you must also include the header `x-amz-security-token`, with the value set to the session token. The following example shows a `GetCallerIdentity` token: ``` { \"headers\": [ {\"key\": \"x-amz-date\", \"value\": \"20200815T015049Z\"}, {\"key\": \"Authorization\", \"value\": \"AWS4-HMAC-SHA256+Credential=$credential,+SignedHeaders=host;x-amz-date;x-goog-cloud-target-resource,+Signature=$signature\"}, {\"key\": \"x-goog-cloud-target-resource\", \"value\": \"//iam.googleapis.com/projects//locations//workloadIdentityPools//providers/\"}, {\"key\": \"host\", \"value\": \"sts.amazonaws.com\"} . ], \"method\": \"POST\", \"url\": \"https://sts.amazonaws.com?Action=GetCallerIdentity\u0026Version=2011-06-15\" } ``` You can also use a Google-issued OAuth 2.0 access token with this field to obtain an access token with new security attributes applied, such as a Credential Access Boundary. In this case, set `subject_token_type` to `urn:ietf:params:oauth:token-type:access_token`. If an access token already contains security attributes, you cannot apply additional security attributes.", 148 "type": "string" 149 }, 150 "subjectTokenType": { 151 "description": "Required. An identifier that indicates the type of the security token in the `subject_token` parameter. Supported values are `urn:ietf:params:oauth:token-type:jwt`, `urn:ietf:params:aws:token-type:aws4_request`, and `urn:ietf:params:oauth:token-type:access_token`.", 152 "type": "string" 153 } 154 }, 155 "type": "object" 156 }, 157 "GoogleIdentityStsV1betaExchangeTokenResponse": { 158 "description": "Response message for ExchangeToken.", 159 "id": "GoogleIdentityStsV1betaExchangeTokenResponse", 160 "properties": { 161 "access_token": { 162 "description": "An OAuth 2.0 security token, issued by Google, in response to the token exchange request. Tokens can vary in size, depending in part on the size of mapped claims, up to a maximum of 12288 bytes (12 KB). Google reserves the right to change the token size and the maximum length at any time.", 163 "type": "string" 164 }, 165 "expires_in": { 166 "description": "The amount of time, in seconds, between the time when the access token was issued and the time when the access token will expire. This field is absent when the `subject_token` in the request is a Google-issued, short-lived access token. In this case, the access token has the same expiration time as the `subject_token`.", 167 "format": "int32", 168 "type": "integer" 169 }, 170 "issued_token_type": { 171 "description": "The token type. Always matches the value of `requested_token_type` from the request.", 172 "type": "string" 173 }, 174 "token_type": { 175 "description": "The type of access token. Always has the value `Bearer`.", 176 "type": "string" 177 } 178 }, 179 "type": "object" 180 } 181 }, 182 "servicePath": "", 183 "title": "Security Token Service API", 184 "version": "v1beta", 185 "version_module": true 186}