google/externalaccount: add support for workforce pool credentials

2021-09-30 13:35:18 -07:00 · 2021-09-30 13:35:18 -07:00 · 7969d9bbda
parent 2bc19b1117
commit 7969d9bbda
2 changed files with 14 additions and 1 deletions
--- a/google/google.go
+++ b/google/google.go
@ -123,6 +123,7 @@ type credentialsFile struct {
 	ServiceAccountImpersonationURL string                           `json:"service_account_impersonation_url"`
 	CredentialSource               externalaccount.CredentialSource `json:"credential_source"`
 	QuotaProjectID                 string                           `json:"quota_project_id"`
+	WorkforcePoolUserProject 			 string														`json:"workforce_pool_user_project"`
 }

 func (f *credentialsFile) jwtConfig(scopes []string, subject string) *jwt.Config {
@ -176,6 +177,7 @@ func (f *credentialsFile) tokenSource(ctx context.Context, params CredentialsPar
 			CredentialSource:               f.CredentialSource,
 			QuotaProjectID:                 f.QuotaProjectID,
 			Scopes:                         params.Scopes,
+			WorkforcePoolUserProject:				f.WorkforcePoolUserProject,
 		}
 		return cfg.TokenSource(ctx)
 	case "":
--- a/google/internal/externalaccount/basecredentials.go
+++ b/google/internal/externalaccount/basecredentials.go
@ -53,6 +53,11 @@ type Config struct {
 	QuotaProjectID string
 	// Scopes contains the desired scopes for the returned access token.
 	Scopes []string
+	// The optional workforce pool user project number when the credential
+	// corresponds to a workforce pool and not a workload identity pool.
+	// The underlying principal must still have serviceusage.services.use IAM
+	// permission to use the project for billing/quota.
+	WorkforcePoolUserProject string
 }

 // Each element consists of a list of patterns.  validateURLs checks for matches
@ -224,7 +229,13 @@ func (ts tokenSource) Token() (*oauth2.Token, error) {
 		ClientID:     conf.ClientID,
 		ClientSecret: conf.ClientSecret,
 	}
-	stsResp, err := exchangeToken(ts.ctx, conf.TokenURL, &stsRequest, clientAuth, header, nil)
+	var options map[string]string
+	if (ts.Config.WorkforcePoolUserProject != "") {
+		options = map[string]string{
+			"userProject": ts.Config.WorkforcePoolUserProject,
+		}
+	}
+	stsResp, err := exchangeToken(ts.ctx, conf.TokenURL, &stsRequest, clientAuth, header, options)
 	if err != nil {
 		return nil, err
 	}