google/externalaccount: add support for workforce pool credentials

This commit is contained in:
Ryan Kohler 2021-09-30 13:35:18 -07:00
parent 2bc19b1117
commit 7969d9bbda
2 changed files with 14 additions and 1 deletions

View File

@ -123,6 +123,7 @@ type credentialsFile struct {
ServiceAccountImpersonationURL string `json:"service_account_impersonation_url"` ServiceAccountImpersonationURL string `json:"service_account_impersonation_url"`
CredentialSource externalaccount.CredentialSource `json:"credential_source"` CredentialSource externalaccount.CredentialSource `json:"credential_source"`
QuotaProjectID string `json:"quota_project_id"` QuotaProjectID string `json:"quota_project_id"`
WorkforcePoolUserProject string `json:"workforce_pool_user_project"`
} }
func (f *credentialsFile) jwtConfig(scopes []string, subject string) *jwt.Config { func (f *credentialsFile) jwtConfig(scopes []string, subject string) *jwt.Config {
@ -176,6 +177,7 @@ func (f *credentialsFile) tokenSource(ctx context.Context, params CredentialsPar
CredentialSource: f.CredentialSource, CredentialSource: f.CredentialSource,
QuotaProjectID: f.QuotaProjectID, QuotaProjectID: f.QuotaProjectID,
Scopes: params.Scopes, Scopes: params.Scopes,
WorkforcePoolUserProject: f.WorkforcePoolUserProject,
} }
return cfg.TokenSource(ctx) return cfg.TokenSource(ctx)
case "": case "":

View File

@ -53,6 +53,11 @@ type Config struct {
QuotaProjectID string QuotaProjectID string
// Scopes contains the desired scopes for the returned access token. // Scopes contains the desired scopes for the returned access token.
Scopes []string Scopes []string
// The optional workforce pool user project number when the credential
// corresponds to a workforce pool and not a workload identity pool.
// The underlying principal must still have serviceusage.services.use IAM
// permission to use the project for billing/quota.
WorkforcePoolUserProject string
} }
// Each element consists of a list of patterns. validateURLs checks for matches // Each element consists of a list of patterns. validateURLs checks for matches
@ -224,7 +229,13 @@ func (ts tokenSource) Token() (*oauth2.Token, error) {
ClientID: conf.ClientID, ClientID: conf.ClientID,
ClientSecret: conf.ClientSecret, ClientSecret: conf.ClientSecret,
} }
stsResp, err := exchangeToken(ts.ctx, conf.TokenURL, &stsRequest, clientAuth, header, nil) var options map[string]string
if (ts.Config.WorkforcePoolUserProject != "") {
options = map[string]string{
"userProject": ts.Config.WorkforcePoolUserProject,
}
}
stsResp, err := exchangeToken(ts.ctx, conf.TokenURL, &stsRequest, clientAuth, header, options)
if err != nil { if err != nil {
return nil, err return nil, err
} }