credentials

package
v2.56.0 Latest
This package is not in the latest version of its module.

Published: Feb 16, 2026 License: MIT Imports: 20 Imported by: 4

Documentation

Overview

Package credentials provides functionality for managing authentication and authorization credentials used in SDK operations. It includes interfaces and implementations for handling various types of credentials, such as API keys, tokens, and other authentication mechanisms required for secure access to services.

The package supports different credential providers and allows for secure storage, retrieval, and management of authentication information needed for service requests.

Constants

const InstanceMetadataAddr = "169.254.169.254"

InstanceMetadataAddr is the address at which the metadata server is accessible from inside the virtual machine. See the documentation for details: https://cloud.yandex.com/docs/compute/operations/vm-info/get-info#inside-instance

const InstanceMetadataOverrideEnvVar = "YC_METADATA_ADDR"

InstanceMetadataOverrideEnvVar is the name of the environment variable that contains an override for the default metadata service address.

Variables

This section is empty.

Functions

func GetMetadataServiceAddr

func GetMetadataServiceAddr() string

GetMetadataServiceAddr returns the address of the Metadata Service: the value of the InstanceMetadataOverrideEnvVar environment variable if it is set, otherwise the default address from InstanceMetadataAddr.
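Because the override variable decides which host is asked for IAM tokens, a process can check the resolved address before relying on metadata credentials. The following is an added example, not code from the SDK: it mirrors the two constants locally, and `resolveMetadataAddr` and `checkMetadataAddr` are hypothetical helpers whose policy (literal link-local or loopback IPs only, optional port) is an assumption.

```go
package main

import (
	"fmt"
	"net"
	"os"
)

// Local mirrors of the two constants documented above, so the example runs without the SDK.
const (
	instanceMetadataAddr           = "169.254.169.254"
	instanceMetadataOverrideEnvVar = "YC_METADATA_ADDR"
)

// resolveMetadataAddr follows the documented order: the environment override
// if set, otherwise the default. Treating an empty value as unset is an assumption.
// The boolean reports whether the override was used.
func resolveMetadataAddr(getenv func(string) string) (string, bool) {
	if v := getenv(instanceMetadataOverrideEnvVar); v != "" {
		return v, true
	}
	return instanceMetadataAddr, false
}

// checkMetadataAddr is a hypothetical policy check: the address must be a literal
// IP (optionally with a port) in a link-local or loopback range, never a hostname.
func checkMetadataAddr(addr string) error {
	host := addr
	if h, _, err := net.SplitHostPort(addr); err == nil {
		host = h
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return fmt.Errorf("metadata address %q is not a literal IP", addr)
	}
	if !ip.IsLinkLocalUnicast() && !ip.IsLoopback() {
		return fmt.Errorf("metadata address %q is outside link-local/loopback ranges", addr)
	}
	return nil
}

func main() {
	addr, overridden := resolveMetadataAddr(os.Getenv)
	if err := checkMetadataAddr(addr); err != nil {
		fmt.Fprintln(os.Stderr, "refusing metadata credentials:", err)
		os.Exit(1)
	}
	fmt.Printf("using metadata address %s (override=%v)\n", addr, overridden)
}
```

Logging whether the override was used gives operators a record when a workload is pointed away from the default address.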

Types

type Credentials

type Credentials interface {
	// YandexCloudAPICredentials is a marker method. All compatible Credentials implementations have it
	YandexCloudAPICredentials()
}

Credentials is an abstraction of API authorization credentials. See https://cloud.yandex.ru/docs/iam/concepts/authorization/ for details. Note that functions that return Credentials may return a different Credentials implementation in the next SDK version; this is not considered a breaking change.

func ServiceAccountKeyFile

func ServiceAccountKeyFile(keyFilePath string) (Credentials, error)

ServiceAccountKeyFile creates Credentials using a service account key file specified by the keyFilePath. It reads and parses the key file to build exchangeable credentials for API authorization.

func UserAccountKeyFile

func UserAccountKeyFile(keyFilePath string) (Credentials, error)

type CredentialsIdentity

type CredentialsIdentity int

CredentialsIdentity represents the identity type used for credential-based operations or authentication scenarios.

const (
	// CredentialsIdentityUnknown represents an unknown credentials identity.
	CredentialsIdentityUnknown CredentialsIdentity = iota
	// CredentialsIdentityYandexPassportOauthToken represents a Yandex Passport OAuth Token identity.
	CredentialsIdentityYandexPassportOauthToken
	// CredentialsIdentityJWT represents a JWT identity.
	CredentialsIdentityJWT
)

type CredentialsToken

type CredentialsToken struct {
	Token     string
	ExpiresAt time.Time
}

CredentialsToken represents a token with an associated expiration time for authentication purposes.

type CredentialsTokenRequest

type CredentialsTokenRequest struct {
	Identity CredentialsIdentity
	Token    string
}

CredentialsTokenRequest represents a request containing credentials-related identity and token.

type ExchangeableCredentials

type ExchangeableCredentials interface {
	Credentials
	// IAMTokenRequest returns request for fresh IAM token or error.
	IAMTokenRequest() (*CredentialsTokenRequest, error)
}

ExchangeableCredentials can be exchanged in the IAM Token Service for an IAM token, which can be used to authorize API calls. See https://cloud.yandex.ru/docs/iam/concepts/authorization/iam-token for details.

func OAuthToken deprecated

func OAuthToken(token string) ExchangeableCredentials

OAuthToken returns API credentials for a user's Yandex Passport OAuth token, which can be obtained from the page https://oauth.yandex.ru/authorize?response_type=token&client_id=1a6990aa636648e9b2ef855fa7bec2fb (see https://cloud.yandex.ru/docs/iam/concepts/authorization/oauth-token for details).

Deprecated: Consider using another credential provider. By the end of 2026, the use of OAuth tokens in Yandex Cloud will be discontinued.

func ServiceAccountKey

func ServiceAccountKey(key *iamkey.Key) (ExchangeableCredentials, error)

ServiceAccountKey returns credentials for the given IAM Key. The key is used to sign JWT tokens. JWT tokens are exchanged for IAM Tokens used to authorize API calls. This authorization method is not supported for IAM Keys issued for User Accounts.

func UserAccountKey

func UserAccountKey(key *iamkey.Key) (ExchangeableCredentials, error)

UserAccountKey returns credentials for the given IAM Key. The key is used to sign JWT tokens. JWT tokens are exchanged for IAM Tokens used to authorize API calls.

WARN: user account keys are not supported, and won't be supported for most users.

type IAMTokenCredentials

type IAMTokenCredentials struct {
	// contains filtered or unexported fields
}

IAMTokenCredentials implements Credentials with an IAM token used as-is. Read more at https://yandex.cloud/en-ru/docs/iam/concepts/authorization/iam-token

func (*IAMTokenCredentials) IAMToken

func (creds *IAMTokenCredentials) IAMToken(ctx context.Context) (*CredentialsToken, error)

func (*IAMTokenCredentials) YandexCloudAPICredentials

func (creds *IAMTokenCredentials) YandexCloudAPICredentials()

type MetadataServiceCredentialProvider

type MetadataServiceCredentialProvider interface {
	NonExchangeableCredentials

	Addr() string
	Available(ctx context.Context) bool
}

func MetadataService

func MetadataService() MetadataServiceCredentialProvider

MetadataService returns a credentials provider that queries the local metadata service for IAM tokens. This is currently available on Yandex Cloud Compute Instances with a Service Account attached. See https://yandex.cloud/ru/docs/compute/concepts/vm-metadata

func NewMetadataServiceCredentialProvider

func NewMetadataServiceCredentialProvider(metadataServiceAddr string) MetadataServiceCredentialProvider

type NoCredentials

type NoCredentials struct{}

NoCredentials implements Credentials; it allows creating unauthenticated connections.

func NoAuthentication

func NoAuthentication() *NoCredentials

NoAuthentication returns an instance of NoCredentials, allowing the creation of unauthenticated connections. Authentication can be added later by injecting a gRPC metadata authorization header.

func (*NoCredentials) IAMToken

func (creds *NoCredentials) IAMToken(ctx context.Context) (*CredentialsToken, error)

IAMToken always returns a gRPC error with status UNAUTHENTICATED.

func (*NoCredentials) YandexCloudAPICredentials

func (creds *NoCredentials) YandexCloudAPICredentials()

type NonExchangeableCredentials

type NonExchangeableCredentials interface {
	Credentials
	// IAMToken returns IAM Token.
	IAMToken(ctx context.Context) (*CredentialsToken, error)
}

NonExchangeableCredentials allows getting an IAM token without calling the IAM Token Service.
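An added example (not the SDK's code) of honoring ExpiresAt when implementing this interface over your own token source. `cachingCredentials`, its `fetch` source and the refresh `margin` are hypothetical, and CredentialsToken is mirrored locally so the block runs without the SDK.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"time"
)

// CredentialsToken mirrors the struct documented on this page.
type CredentialsToken struct {
	Token     string
	ExpiresAt time.Time
}

// cachingCredentials (hypothetical) reuses a token until margin before ExpiresAt, then refetches.
type cachingCredentials struct {
	mu     sync.Mutex
	fetch  func(context.Context) (*CredentialsToken, error) // assumed token source
	margin time.Duration
	cached *CredentialsToken
}

func (c *cachingCredentials) YandexCloudAPICredentials() {} // marker method from Credentials

// IAMToken serves the cached token while it is comfortably valid and never returns an expired one.
func (c *cachingCredentials) IAMToken(ctx context.Context) (*CredentialsToken, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.cached != nil && time.Now().Add(c.margin).Before(c.cached.ExpiresAt) {
		return c.cached, nil
	}
	tok, err := c.fetch(ctx)
	if err != nil {
		return nil, fmt.Errorf("refreshing IAM token: %w", err)
	}
	if tok == nil || tok.Token == "" || !time.Now().Before(tok.ExpiresAt) {
		return nil, fmt.Errorf("token source returned an empty or expired token")
	}
	c.cached = tok
	return tok, nil
}

func main() {
	c := &cachingCredentials{margin: time.Minute, fetch: func(context.Context) (*CredentialsToken, error) {
		return &CredentialsToken{Token: "constructed", ExpiresAt: time.Now().Add(time.Hour)}, nil
	}}
	_, err := c.IAMToken(context.Background())
	fmt.Println("token obtained:", err == nil) // the token value itself is never printed
}
```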

func IAMToken

func IAMToken(iamToken string) NonExchangeableCredentials

func InstanceServiceAccount

func InstanceServiceAccount() NonExchangeableCredentials

InstanceServiceAccount returns credentials for the Compute Instance Service Account. That is, when the SDK is built with InstanceServiceAccount credentials and used on a Compute Instance created with yandex.cloud.compute.v1.CreateInstanceRequest.service_account_id, API calls are authenticated with this ServiceAccount ID. You can override the default address of the Metadata Service by setting an environment variable. See https://yandex.cloud/ru/docs/compute/operations/vm-control/vm-connect-sa#cli_1
