diff --git a/google/downscope/downscoping.go b/google/downscope/downscoping.go index 97ab801..5d9ad53 100644 --- a/google/downscope/downscoping.go +++ b/google/downscope/downscoping.go @@ -11,9 +11,9 @@ For complete documentation, see https://cloud.google.com/iam/docs/downscoping-sh To downscope permissions of a source credential, you need to define a Credential Access Boundary. Said Boundary specifies which resources the newly created credential can access, an upper bound on the permissions -it has over those resources, and optionally attribute-base conditional +it has over those resources, and optionally attribute-based conditional access to the aforementioned resources. For more information on IAM -Credentials, see https://cloud.google.com/iam/docs/conditions-overview +Conditions, see https://cloud.google.com/iam/docs/conditions-overview. This functionality would typically be used to provide a third party with limited access to and permissions on resources held by the owner of the root @@ -30,7 +30,8 @@ token broker would use this package. The broker will use the functionality in this package to generate a downscoped token with the requested configuration, and then pass it back to the token consumer. These downscoped access tokens can then be used to access Google -Storage resources. +Storage resources. For instance, you can create a NewClient from the +"cloud.google.com/go/storage" package and pass in option.WithTokenSource(yourTokenSource)) */ package downscope @@ -115,7 +116,7 @@ type downscopingTokenSource struct { config DownscopingConfig } -// NewTokenSource returns an configured downscopingTokenSource. +// NewTokenSource returns a configured downscopingTokenSource. func NewTokenSource(ctx context.Context, conf DownscopingConfig) (oauth2.TokenSource, error) { if conf.RootSource == nil { return nil, fmt.Errorf("downscope: rootSource cannot be nil")
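Review bot: The example sentence added in the second hunk ends with an unbalanced `)` and no full stop, and `yourTokenSource` does not say which token source is meant. The paragraph is about giving a token consumer restricted access, so the text should say that the value passed to the storage client is the downscoped token source, not the root credential (the intent is inferred from the surrounding paragraph). Suggested last line: `"cloud.google.com/go/storage" package and pass in option.WithTokenSource(downscopedTokenSource).` The package comment starts above the hunk, so its earlier wording is not visible here.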
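Review bot: In the third hunk, the corrected comment on NewTokenSource still names the unexported downscopingTokenSource, although the signature returns oauth2.TokenSource, and it says nothing about the error return visible just below it. Consider `// NewTokenSource returns an oauth2.TokenSource configured from conf; it returns an error if conf.RootSource is nil.` The function body runs past the end of the hunk, so there may be further validation or error returns that the comment should also cover.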