diff --git a/google/google.go b/google/google.go
index 15f8f32..0e5b53d 100644
--- a/google/google.go
+++ b/google/google.go
@@ -188,15 +188,15 @@ func (f *credentialsFile) tokenSource(ctx context.Context, params CredentialsPar
 return nil, errors.New("missing 'source_credentials' field in credentials")
 }
- sourceToken, err := f.SourceCredentials.tokenSource(ctx, params)
+ ts, err := f.SourceCredentials.tokenSource(ctx, params)
 if err != nil {
 return nil, err
 }
 imp := externalaccount.ImpersonateTokenSource{
 Ctx: ctx,
- Url: f.ServiceAccountImpersonationURL,
+ URL: f.ServiceAccountImpersonationURL,
 Scopes: params.Scopes,
- Ts: oauth2.ReuseTokenSource(nil, sourceToken),
+ Ts: oauth2.ReuseTokenSource(nil, ts),
 Delegates: f.Delegates,
 }
 return oauth2.ReuseTokenSource(nil, imp), nil
diff --git a/google/internal/externalaccount/basecredentials.go b/google/internal/externalaccount/basecredentials.go
index 002b7d8..fd0a02b 100644
--- a/google/internal/externalaccount/basecredentials.go
+++ b/google/internal/externalaccount/basecredentials.go
@@ -126,7 +126,7 @@ func (c *Config) tokenSource(ctx context.Context, tokenURLValidPats []*regexp.Re
 ts.conf.Scopes = []string{"https://www.googleapis.com/auth/cloud-platform"}
 imp := ImpersonateTokenSource{
 Ctx: ctx,
- Url: c.ServiceAccountImpersonationURL,
+ URL: c.ServiceAccountImpersonationURL,
 Scopes: scopes,
 Ts: oauth2.ReuseTokenSource(nil, ts),
 }
diff --git a/google/internal/externalaccount/impersonate.go b/google/internal/externalaccount/impersonate.go
index 0d476d1..8251fc8 100644
--- a/google/internal/externalaccount/impersonate.go
+++ b/google/internal/externalaccount/impersonate.go
@@ -29,19 +29,24 @@ type impersonateTokenResponse struct {
 ExpireTime string `json:"expireTime"`
 }
-// ImpersonateTokenSource uses a source credential, stored in Ts, to request an access token to the provided Url
+// ImpersonateTokenSource uses a source credential, stored in Ts, to request an access token to the provided URL.
 // Scopes can be defined when the access token is requested.
 type ImpersonateTokenSource struct {
- // execution context
+ // Ctx is the execution context of the impersonation process
+ // used to perform http call to the URL. Required
 Ctx context.Context
- // source credential
+ // Ts is the source credential used to generate a token on the
+ // impersonated service account. Required.
 Ts oauth2.TokenSource
- // impersonation url to request an access token
- Url string
- // scopes to include in the access token request
+ // URL is the endpoint to call to generate a token
+ // on behalf the service account. Required.
+ URL string
+ // Scopes that the impersonated credential should have. Required.
 Scopes []string
- // Delegates for impersonation to include in the access token request
+ // Delegates are the service account email addresses in a delegation chain.
+ // Each service account must be granted roles/iam.serviceAccountTokenCreator
+ // on the next service account in the chain. Optional.
 Delegates []string
 }
@@ -57,7 +57,7 @@ func (its ImpersonateTokenSource) Token() (*oauth2.Token, error) {
 return nil, fmt.Errorf("oauth2/google: unable to marshal request: %v", err)
 }
 client := oauth2.NewClient(its.Ctx, its.Ts)
- req, err := http.NewRequest("POST", its.Url, bytes.NewReader(b))
+ req, err := http.NewRequest("POST", its.URL, bytes.NewReader(b))
 if err != nil {
 return nil, fmt.Errorf("oauth2/google: unable to create impersonation request: %v", err)
 }
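Review bot: Two of the new field comments on ImpersonateTokenSource read awkwardly: the Ctx comment ends `to the URL. Required` without a period and says `http call`, and the URL comment says `on behalf the service account`. I would change them to `// used to perform the HTTP call to the URL. Required.` and `// on behalf of the service account. Required.` so that all four required-field comments end the same way. The Ctx comment also asserts that the context is used to perform the HTTP call, which is a claim about Token() rather than the struct; it is worth confirming that the call site actually propagates Ctx before documenting it that way.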
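Review bot: The new request line in Token() still builds the request with `http.NewRequest`, so `its.Ctx` is never attached to the impersonation POST; `oauth2.NewClient(its.Ctx, its.Ts)` on the line above uses the context, as far as I can tell, only to pick the base HTTP client, not to bound the request. A deadline or cancellation on Ctx would therefore not stop this call, which does not match the Ctx field comment in the struct hunk above. I would change the line to `req, err := http.NewRequestWithContext(its.Ctx, "POST", its.URL, bytes.NewReader(b))`. Token() begins before and continues past this hunk, so I cannot see whether the context is applied elsewhere in the body.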