gcp

package
v1.206.3-rc.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 18, 2026 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Overview

Package gcp provides GCP-specific credential file management and environment setup for the Atmos authentication system.

This package implements the XDG-compliant file isolation pattern, storing GCP credentials in ~/.config/atmos/<realm>/gcp/<provider-name>/ to avoid conflicts with the user's existing gcloud configuration.

Directory Structure: 

~/.config/atmos/<realm>/gcp/<provider-name>/
├── adc/
│   └── <identity-name>/
│       └── application_default_credentials.json
└── config/
    └── <identity-name>/
        ├── active_config
        ├── configurations/
        │   └── config_atmos
        └── properties

Environment Variables:

The package manages the following environment variables:

  • GOOGLE_APPLICATION_CREDENTIALS: Path to ADC JSON file
  • GOOGLE_CLOUD_PROJECT: Default project ID
  • CLOUDSDK_CONFIG: Path to gcloud config directory
  • CLOUDSDK_CORE_PROJECT: Project for gcloud commands
  • GOOGLE_CLOUD_REGION: Default region

Usage: 

// Complete setup for an identity
err := gcp.Setup(ctx, "my-realm", "my-provider", "my-identity", creds)

// Or step by step:
err := gcp.PrepareEnvironment()
paths, err := gcp.SetupFiles(ctx, "my-realm", "my-provider", "my-identity", creds)
err = gcp.SetAuthContext(authContext, "my-realm", "my-provider", "my-identity", creds)
err = gcp.SetEnvironmentVariables(ctx, "my-realm", "my-provider", "my-identity")

Index

Constants

View Source 
const (
	// GCPSubdir is the subdirectory for GCP credentials.
	GCPSubdir = "gcp"
	// ADCSubdir is the subdirectory for Application Default Credentials.
	ADCSubdir = "adc"
	// ConfigSubdir is the subdirectory for gcloud-style config.
	ConfigSubdir = "config"
	// CredentialsFileName is the standard ADC filename.
	CredentialsFileName = "application_default_credentials.json"
	// ActiveConfigFileName is the gcloud active config file.
	ActiveConfigFileName = "active_config"
	// ConfigurationsSubdir is the gcloud configurations directory.
	ConfigurationsSubdir = "configurations"
	// PropertiesFileName is the gcloud properties file.
	PropertiesFileName = "properties"
	// AccessTokenFileName is the filename for the access token file.
	AccessTokenFileName = "access_token"
)

Variables

View Source 
var GCPEnvironmentVariables = []string{
	"GOOGLE_APPLICATION_CREDENTIALS",
	"GOOGLE_CLOUD_PROJECT",
	"GCLOUD_PROJECT",
	"CLOUDSDK_CORE_PROJECT",
	"CLOUDSDK_CONFIG",
	"CLOUDSDK_ACTIVE_CONFIG_NAME",
	"GOOGLE_OAUTH_ACCESS_TOKEN",
	"GOOGLE_CLOUD_REGION",
	"CLOUDSDK_COMPUTE_REGION",
	"GOOGLE_CLOUD_ZONE",
	"CLOUDSDK_COMPUTE_ZONE",
}

GCPEnvironmentVariables lists all GCP-related environment variables that Atmos manages.

Functions

func Cleanup 

func Cleanup(ctx context.Context, realm, providerName, identityName string) error

Cleanup removes all credential files and clears environment variables for a GCP identity. Realm is required for credential isolation.

func CleanupIdentityFiles 

func CleanupIdentityFiles(realm, providerName, identityName string) error

CleanupIdentityFiles removes all credential files for an identity. Uses file locking to prevent concurrent modification conflicts. Realm is required for credential isolation.

func CredentialsExist 

func CredentialsExist(
	ctx context.Context,
	realm string,
	providerName string,
	identityName string,
) (bool, error)

CredentialsExist checks if valid (non-expired) credentials exist for an identity. Realm is required for credential isolation.

func GetADCDir 

func GetADCDir(realm, providerName, identityName string) (string, error)

GetADCDir returns the directory for ADC credentials for a specific identity. Path structure: {baseDir}/{realm}/gcp/{provider}/adc/{identity}/. Realm is required for credential isolation.

func GetADCFilePath 

func GetADCFilePath(realm, providerName, identityName string) (string, error)

GetADCFilePath returns the path to the ADC JSON file for a specific identity. Path structure: {baseDir}/{realm}/gcp/{provider}/adc/{identity}/application_default_credentials.json. Realm is required for credential isolation.

func GetAccessTokenFilePath 

func GetAccessTokenFilePath(realm, providerName, identityName string) (string, error)

GetAccessTokenFilePath returns the path to the access token file for an identity. Path structure: {baseDir}/{realm}/gcp/{provider}/adc/{identity}/access_token. Realm is required for credential isolation.

func GetConfigDir 

func GetConfigDir(realm, providerName, identityName string) (string, error)

GetConfigDir returns the gcloud-style config directory for a specific identity. Path structure: {baseDir}/{realm}/gcp/{provider}/config/{identity}/. Realm is required for credential isolation.

func GetCurrentGCPEnvironment 

func GetCurrentGCPEnvironment() map[string]string

GetCurrentGCPEnvironment returns the current GCP-related environment variables from the process. Call before PrepareEnvironment and pass the result to RestoreEnvironment on cleanup.

func GetEnvironmentVariables 

func GetEnvironmentVariables(realm, providerName, identityName string) (map[string]string, error)

GetEnvironmentVariables returns a map of environment variables that should be set for the given identity, without actually setting them. authContext is optional; when authContext.GCP is set, project/region are included. Realm is required for credential isolation.

func GetEnvironmentVariablesForIdentity 

func GetEnvironmentVariablesForIdentity(realm, providerName, identityName string, gcpAuth *schema.GCPAuthContext) (map[string]string, error)

GetEnvironmentVariablesForIdentity returns the env map for an identity. gcpAuth may be nil; when set, project/region/credentials path from auth are used. Realm is required for credential isolation.

When an access token is available, we use GOOGLE_OAUTH_ACCESS_TOKEN instead of GOOGLE_APPLICATION_CREDENTIALS. This is because our ADC files don't have refresh tokens (we get access tokens via service account impersonation), and the Google Cloud SDK's authorized_user credential type requires a refresh token.

func GetGCPBaseDir 

func GetGCPBaseDir() (string, error)

GetGCPBaseDir returns the base directory for GCP credentials. Returns: ~/.config/atmos/ (realm and gcp subdirs are added by callers).

func GetPropertiesFilePath 

func GetPropertiesFilePath(realm, providerName, identityName string) (string, error)

GetPropertiesFilePath returns the path to the gcloud properties file. Path structure: {baseDir}/{realm}/gcp/{provider}/config/{identity}/properties. Realm is required for credential isolation.

func GetProviderDir 

func GetProviderDir(realm, providerName string) (string, error)

GetProviderDir returns the directory for a specific GCP provider. Path structure: {baseDir}/{realm}/gcp/{provider}/. Realm is required for credential isolation between different Atmos configurations.

func ImpersonateServiceAccount 

func ImpersonateServiceAccount(
	ctx context.Context,
	svc IAMCredentialsService,
	serviceAccountEmail string,
	scopes []string,
	delegates []string,
	lifetime string,
) (string, time.Time, error)

ImpersonateServiceAccount generates an access token for a service account.

func LoadCredentialsFromFiles 

func LoadCredentialsFromFiles(
	ctx context.Context,
	realm string,
	providerName string,
	identityName string,
) (*types.GCPCredentials, error)

LoadCredentialsFromFiles attempts to load existing GCP credentials from the credential files for an identity. Returns nil if no valid credentials exist. Realm is required for credential isolation.

func PrepareEnvironment 

func PrepareEnvironment() error

PrepareEnvironment clears GCP-related environment variables to ensure a clean state before setting up isolated credentials. This prevents conflicts between user's existing gcloud config and Atmos-managed credentials.

func ProjectEnvVars 

func ProjectEnvVars(projectID string) map[string]string

ProjectEnvVars returns project-related environment variables.

func RegionEnvVars 

func RegionEnvVars(region string) map[string]string

RegionEnvVars returns region-related environment variables.

func RestoreEnvironment 

func RestoreEnvironment(savedEnv map[string]string) error

RestoreEnvironment restores the original GCP environment variables. This is used during logout or cleanup.

func SetAuthContext 

func SetAuthContext(authContext *schema.AuthContext, realm, providerName, identityName string, creds *types.GCPCredentials) error

SetAuthContext populates the GCPAuthContext in the given AuthContext with the credential information and file paths. Callers with ConfigAndStacksInfo should pass config.AuthContext. Realm is required for credential isolation.

func SetEnvironmentVariables 

func SetEnvironmentVariables(ctx context.Context, realm, providerName, identityName string) error

SetEnvironmentVariables sets the GCP environment variables based on the identity configuration and credential file paths. Realm is required for credential isolation.

func SetEnvironmentVariablesFromStackInfo 

func SetEnvironmentVariablesFromStackInfo(ctx context.Context, stackInfo *schema.ConfigAndStacksInfo, realm, providerName, identityName string) error

SetEnvironmentVariablesFromStackInfo sets GCP environment variables using paths for identityName and project/region from stackInfo.AuthContext.GCP when present. Call this after SetAuthContext so project/region are applied. Realm is required for credential isolation.

func Setup 

func Setup(
	ctx context.Context,
	realm string,
	providerName string,
	identityName string,
	creds *types.GCPCredentials,
) error

Setup performs the complete setup for a GCP identity: 1. Prepares the environment (clears conflicting vars) 2. Writes credential files 3. Sets environment variables (including project/region from creds)

Call SetAuthContext separately with the stack's AuthContext so in-process and spawned processes use the same context. Realm is required for credential isolation.

func SetupFiles 

func SetupFiles(
	ctx context.Context,
	realm string,
	providerName string,
	identityName string,
	creds *types.GCPCredentials,
) ([]string, error)

SetupFiles writes all necessary credential files for a GCP identity. This includes:

  • ADC JSON file (application_default_credentials.json).
  • gcloud properties file (for project/region defaults).
  • Access token file (for tools that read tokens directly).

Parameters:

  • ctx: Context for cancellation.
  • realm: The realm for credential isolation (typically derived from atmos config hash).
  • providerName: Name of the provider being set up.
  • identityName: Name of the identity being set up.
  • creds: The GCP credentials to write.

Returns the paths of all written files and any error.

func WriteADCFile 

func WriteADCFile(realm, providerName, identityName string, content *AuthorizedUserContent) (string, error)

WriteADCFile writes the Application Default Credentials JSON file. Uses file locking to prevent concurrent modification conflicts. Realm is required for credential isolation.

func WriteAccessTokenFile 

func WriteAccessTokenFile(realm, providerName, identityName string, accessToken string, expiry time.Time) (string, error)

WriteAccessTokenFile writes a simple access token file for tools that need it. Uses file locking to prevent concurrent modification conflicts. Realm is required for credential isolation.

func WritePropertiesFile 

func WritePropertiesFile(realm, providerName, identityName string, projectID string, region string) (string, error)

WritePropertiesFile writes the gcloud-style properties file (INI format). Uses the ini.v1 library for consistent, properly-escaped INI generation and file locking to prevent concurrent modification conflicts. Realm is required for credential isolation.

func ZoneEnvVars 

func ZoneEnvVars(zone string) map[string]string

ZoneEnvVars returns zone-related environment variables.

Types

type AuthorizedUserContent 

type AuthorizedUserContent struct {
	Type         string `json:"type"`
	AccessToken  string `json:"access_token,omitempty"`
	RefreshToken string `json:"refresh_token,omitempty"`
	ClientID     string `json:"client_id,omitempty"`
	ClientSecret string `json:"client_secret,omitempty"`
	TokenExpiry  string `json:"token_expiry,omitempty"`
}

AuthorizedUserContent represents the structure of an authorized_user ADC JSON file.

type IAMCredentialsService 

type IAMCredentialsService interface {
	GenerateAccessToken(ctx context.Context, name string, req *iamcredentials.GenerateAccessTokenRequest) (*iamcredentials.GenerateAccessTokenResponse, error)
}

IAMCredentialsService provides access to IAM Credentials API token generation.

func NewIAMCredentialsService 

func NewIAMCredentialsService(ctx context.Context, accessToken string) (IAMCredentialsService, error)

NewIAMCredentialsService creates an IAM Credentials service using an access token.

type IAMCredentialsServiceFactory 

type IAMCredentialsServiceFactory func(ctx context.Context, accessToken string) (IAMCredentialsService, error)

IAMCredentialsServiceFactory creates IAM credentials service instances for a token.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.