gcpwif

package

v0.5.3-alpha07 Latest Latest Go to latest Published: May 28, 2026 License: MIT Imports: 5 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/stackql/any-sdk

Links

Open Source Insights

Documentation ¶

Overview ¶

Package gcpwif implements Google Cloud Workload Identity Federation: it exchanges a foreign OIDC subject token at Google's STS endpoint (sts.googleapis.com/v1/token) for a Google OAuth2 access token, optionally impersonating a service account via iamcredentials. The exchange is carried out by the canonical golang.org/x/oauth2/google/externalaccount package, so the returned TokenSource caches and auto-refreshes credentials per the standard oauth2 contract.

Index ¶

func TokenSource(ctx context.Context, cfg Config, getSubjectToken func() (string, error), ...) (oauth2.TokenSource, error)
type Config

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func TokenSource ¶

func TokenSource(
	ctx context.Context,
	cfg Config,
	getSubjectToken func() (string, error),
	httpClient *http.Client,
) (oauth2.TokenSource, error)

TokenSource builds an auto-refreshing Google OAuth2 token source backed by an external OIDC subject token. ctx should be long-lived (e.g. background) — it governs refresh fetches, not a single request. httpClient (which may be nil) carries TLS/proxy configuration for both the STS exchange and any service account impersonation call.

Types ¶

type Config ¶

type Config struct {
	// Audience is the full pool-provider resource name, e.g.
	// //iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL/providers/PROVIDER.
	Audience string
	// SubjectTokenType identifies the format of the foreign token. Defaults to
	// urn:ietf:params:oauth:token-type:jwt when empty.
	SubjectTokenType string
	// TokenURL optionally overrides the STS exchange endpoint. Defaults to
	// https://sts.googleapis.com/v1/token (handled by externalaccount).
	TokenURL string
	// Scopes are applied to the resulting Google access token (typically
	// https://www.googleapis.com/auth/cloud-platform).
	Scopes []string
	// ServiceAccountImpersonationURL, when set, exchanges the federated token
	// for an impersonated service-account access token via iamcredentials, e.g.
	// https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/SA_EMAIL:generateAccessToken.
	ServiceAccountImpersonationURL string
}

Config describes a GCP Workload Identity Federation exchange.

Source Files ¶

View all Source files

gcpwif.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL