-rw-r--r-- | google/iam/credentials/v1/common.proto | 77 | ||||
-rw-r--r-- | google/iam/credentials/v1/iamcredentials.proto | 11 | ||||
-rw-r--r-- | google/iam/credentials/v1/iamcredentials_gapic.yaml | 19 |
3 files changed, 98 insertions, 9 deletions
diff --git a/google/iam/credentials/v1/common.proto b/google/iam/credentials/v1/common.proto
index b94f2105e..19997df00 100644
--- a/google/iam/credentials/v1/common.proto
+++ b/google/iam/credentials/v1/common.proto
@@ -30,8 +30,6 @@ message GenerateAccessTokenRequest {
 // The resource name of the service account for which the credentials
 // are requested, in the following format:
 // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
- // Using `-` as a wildcard for the project will infer the project from
- // the account.
 string name = 1;
 
 // The sequence of service accounts in a delegation chain. Each service
@@ -71,8 +69,6 @@ message SignBlobRequest {
 // The resource name of the service account for which the credentials
 // are requested, in the following format:
 // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
- // Using `-` as a wildcard for the project will infer the project from
- // the account.
 string name = 1;
 
 // The sequence of service accounts in a delegation chain. Each service
@@ -102,8 +98,6 @@ message SignJwtRequest {
 // The resource name of the service account for which the credentials
 // are requested, in the following format:
 // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
- // Using `-` as a wildcard for the project will infer the project from
- // the account.
 string name = 1;
 
 // The sequence of service accounts in a delegation chain. Each service
@@ -133,8 +127,6 @@ message GenerateIdTokenRequest {
 // The resource name of the service account for which the credentials
 // are requested, in the following format:
 // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
- // Using `-` as a wildcard for the project will infer the project from
- // the account.
 string name = 1;
 
 // The sequence of service accounts in a delegation chain. Each service
@@ -161,3 +153,72 @@ message GenerateIdTokenResponse {
 // The OpenId Connect ID token.
 string token = 1;
 }
+
+message GenerateIdentityBindingAccessTokenRequest {
+ // The resource name of the service account for which the credentials
+ // are requested, in the following format:
+ // `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`.
+ string name = 1;
+
+ // Code to identify the scopes to be included in the OAuth 2.0 access token.
+ // See https://developers.google.com/identity/protocols/googlescopes for more
+ // information.
+ // At least one value required.
+ repeated string scope = 2;
+
+ // Required. Input token.
+ // Must be in JWT format according to
+ // RFC7523 (https://tools.ietf.org/html/rfc7523)
+ // and must have 'kid' field in the header.
+ // Supported signing algorithms: RS256 (RS512, ES256, ES512 coming soon).
+ // Mandatory payload fields (along the lines of RFC 7523, section 3):
+ // - iss: issuer of the token. Must provide a discovery document at
+ // $iss/.well-known/openid-configuration . The document needs to be
+ // formatted according to section 4.2 of the OpenID Connect Discovery
+ // 1.0 specification.
+ // - iat: Issue time in seconds since epoch. Must be in the past.
+ // - exp: Expiration time in seconds since epoch. Must be less than 48 hours
+ // after iat. We recommend to create tokens that last shorter than 6
+ // hours to improve security unless business reasons mandate longer
+ // expiration times. Shorter token lifetimes are generally more secure
+ // since tokens that have been exfiltrated by attackers can be used for
+ // a shorter time. you can configure the maximum lifetime of the
+ // incoming token in the configuration of the mapper.
+ // The resulting Google token will expire within an hour or at "exp",
+ // whichever is earlier.
+ // - sub: JWT subject, identity asserted in the JWT.
+ // - aud: Configured in the mapper policy. By default the service account
+ // email.
+ //
+ // Claims from the incoming token can be transferred into the output token
+ // accoding to the mapper configuration. The outgoing claim size is limited.
+ // Outgoing claims size must be less than 4kB serialized as JSON without
+ // whitespace.
+ //
+ // Example header:
+ // {
+ // "alg": "RS256",
+ // "kid": "92a4265e14ab04d4d228a48d10d4ca31610936f8"
+ // }
+ // Example payload:
+ // {
+ // "iss": "https://accounts.google.com",
+ // "iat": 1517963104,
+ // "exp": 1517966704,
+ // "aud": "https://iamcredentials.googleapis.com/",
+ // "sub": "113475438248934895348",
+ // "my_claims": {
+ // "additional_claim": "value"
+ // }
+ // }
+ string jwt = 3;
+}
+
+message GenerateIdentityBindingAccessTokenResponse {
+ // The OAuth 2.0 access token.
+ string access_token = 1;
+
+ // Token expiration time.
+ // The expiration time is always set.
+ google.protobuf.Timestamp expire_time = 2;
+}
diff --git a/google/iam/credentials/v1/iamcredentials.proto b/google/iam/credentials/v1/iamcredentials.proto
index 993bf5f68..4960d7203 100644
--- a/google/iam/credentials/v1/iamcredentials.proto
+++ b/google/iam/credentials/v1/iamcredentials.proto
@@ -64,4 +64,15 @@ service IAMCredentials {
 body: "*"
 };
 }
+
+ // Exchange a JWT signed by third party identity provider to an OAuth 2.0
+ // access token
+ rpc GenerateIdentityBindingAccessToken(
+ GenerateIdentityBindingAccessTokenRequest)
+ returns (GenerateIdentityBindingAccessTokenResponse) {
+ option (google.api.http) = {
+ post: "/v1/{name=projects/*/serviceAccounts/*}:generateIdentityBindingAccessToken"
+ body: "*"
+ };
+ }
 }
diff --git a/google/iam/credentials/v1/iamcredentials_gapic.yaml b/google/iam/credentials/v1/iamcredentials_gapic.yaml
index f9198fcfb..941dd64ec 100644
--- a/google/iam/credentials/v1/iamcredentials_gapic.yaml
+++ b/google/iam/credentials/v1/iamcredentials_gapic.yaml
@@ -123,4 +123,21 @@ interfaces:
 retry_params_name: default
 field_name_patterns:
 name: service_account
- timeout_millis: 60000
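Review bot: The `jwt` field comment in GenerateIdentityBindingAccessTokenRequest is internally inconsistent about the audience check: the `aud` bullet says the expected value is "by default the service account email", but the example payload a few lines later shows `"aud": "https://iamcredentials.googleapis.com/"`, so a reader cannot tell which audience the mapper actually enforces; make the example match the prose, or state that the example assumes a non-default mapper policy. In the same comment `accoding` should read `according`, and "(RS512, ES256, ES512 coming soon)" is a roadmap statement that will go stale in a wire contract — list only the algorithms currently accepted. `name` and `scope` carry no `Required.` marker even though the gapic config in this commit lists all three fields under required_fields and the `scope` comment itself says "At least one value required."; add `// Required.` to both, as the `jwt` comment already does. The plural `scopes` would follow the repeated-field convention, but keeping `scope` is presumably consistent with the existing GenerateAccessTokenRequest, which is outside this hunk.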
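Review bot: The RPC comment `// Exchange a JWT signed by third party identity provider to an OAuth 2.0 access token` is the only documentation callers of IAMCredentials see for this method, and it neither reads as a sentence nor says what the call requires; suggest `// Exchanges a JWT signed by a third-party identity provider for an OAuth 2.0 access token for the named service account. Requires `name`, `scope` and `jwt`; see GenerateIdentityBindingAccessTokenRequest.` The binding sends the whole request as the body (`body: "*"`), so the third-party JWT travels in the POST body rather than the URL, which is the right choice for a bearer credential; the sibling methods whose bindings this should mirror are outside the hunk.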
\ No newline at end of file
+ timeout_millis: 60000
+ - name: GenerateIdentityBindingAccessToken
+ flattening:
+ groups:
+ - parameters:
+ - name
+ - scope
+ - jwt
+ required_fields:
+ - name
+ - scope
+ - jwt
+ request_object_method: true
+ retry_codes_name: idempotent
+ retry_params_name: default
+ field_name_patterns:
+ name: service_account
+ timeout_millis: 60000 |
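Review bot: `retry_codes_name: idempotent` is applied to GenerateIdentityBindingAccessToken, a POST that mints a new bearer token on every successful call; under that policy a client that times out after the server has already issued a token will retry and receive a second live credential, so each retry widens the set of valid tokens derived from the same incoming `jwt` and adds an extra issuance event to audit logs. Whether the other methods in this file use the same setting is outside the hunk; if they do, at least document the retry behaviour next to this entry, and if this file's retry_codes_def defines a `non_idempotent` name (as gapic configs of this vintage commonly do), that is the safer default for a credential-issuing call.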