google/externalaccount: add support for workforce pool credentials
parent
2bc19b1117
commit
7969d9bbda
|
@ -123,6 +123,7 @@ type credentialsFile struct {
|
||||||
ServiceAccountImpersonationURL string `json:"service_account_impersonation_url"`
|
ServiceAccountImpersonationURL string `json:"service_account_impersonation_url"`
|
||||||
CredentialSource externalaccount.CredentialSource `json:"credential_source"`
|
CredentialSource externalaccount.CredentialSource `json:"credential_source"`
|
||||||
QuotaProjectID string `json:"quota_project_id"`
|
QuotaProjectID string `json:"quota_project_id"`
|
||||||
|
WorkforcePoolUserProject string `json:"workforce_pool_user_project"`
|
||||||
}
|
}
|
||||||
|
|
||||||
func (f *credentialsFile) jwtConfig(scopes []string, subject string) *jwt.Config {
|
func (f *credentialsFile) jwtConfig(scopes []string, subject string) *jwt.Config {
|
||||||
|
@ -176,6 +177,7 @@ func (f *credentialsFile) tokenSource(ctx context.Context, params CredentialsPar
|
||||||
CredentialSource: f.CredentialSource,
|
CredentialSource: f.CredentialSource,
|
||||||
QuotaProjectID: f.QuotaProjectID,
|
QuotaProjectID: f.QuotaProjectID,
|
||||||
Scopes: params.Scopes,
|
Scopes: params.Scopes,
|
||||||
|
WorkforcePoolUserProject: f.WorkforcePoolUserProject,
|
||||||
}
|
}
|
||||||
return cfg.TokenSource(ctx)
|
return cfg.TokenSource(ctx)
|
||||||
case "":
|
case "":
|
||||||
|
|
|
@ -53,6 +53,11 @@ type Config struct {
|
||||||
QuotaProjectID string
|
QuotaProjectID string
|
||||||
// Scopes contains the desired scopes for the returned access token.
|
// Scopes contains the desired scopes for the returned access token.
|
||||||
Scopes []string
|
Scopes []string
|
||||||
|
// The optional workforce pool user project number when the credential
|
||||||
|
// corresponds to a workforce pool and not a workload identity pool.
|
||||||
|
// The underlying principal must still have serviceusage.services.use IAM
|
||||||
|
// permission to use the project for billing/quota.
|
||||||
|
WorkforcePoolUserProject string
|
||||||
}
|
}
|
||||||
|
|
||||||
// Each element consists of a list of patterns. validateURLs checks for matches
|
// Each element consists of a list of patterns. validateURLs checks for matches
|
||||||
|
@ -224,7 +229,13 @@ func (ts tokenSource) Token() (*oauth2.Token, error) {
|
||||||
ClientID: conf.ClientID,
|
ClientID: conf.ClientID,
|
||||||
ClientSecret: conf.ClientSecret,
|
ClientSecret: conf.ClientSecret,
|
||||||
}
|
}
|
||||||
stsResp, err := exchangeToken(ts.ctx, conf.TokenURL, &stsRequest, clientAuth, header, nil)
|
var options map[string]string
|
||||||
|
if (ts.Config.WorkforcePoolUserProject != "") {
|
||||||
|
options = map[string]string{
|
||||||
|
"userProject": ts.Config.WorkforcePoolUserProject,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
stsResp, err := exchangeToken(ts.ctx, conf.TokenURL, &stsRequest, clientAuth, header, options)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
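Review bot: In the `Token()` hunk, `WorkforcePoolUserProject` is forwarded to the token endpoint as `userProject` whenever it is non-empty, with no visible check that the credential actually targets a workforce pool. The field's own comment says it applies only to workforce pools and not to workload identity pools, and the value comes straight from the `workforce_pool_user_project` key of a credentials file. Unless this is validated outside the visible lines, I would return an error before calling `exchangeToken` when the field is set and the configured audience (assuming the Config carries one; it is not shown here) is not a workforce pool resource. The new condition is also written `if (ts.Config.WorkforcePoolUserProject != "") {`, which gofmt rewrites to `if ts.Config.WorkforcePoolUserProject != "" {`, and it reads from `ts.Config` while the surrounding lines use `conf`; if those are the same value, `conf.WorkforcePoolUserProject` would be consistent. `Token`'s body starts and ends outside this hunk.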