Class: Google::Apis::StsV1beta::GoogleIdentityStsV1betaExchangeTokenRequest

Inherits:
Object
  • Object
show all
Includes:
Core::Hashable, Core::JsonObjectSupport
Defined in:
generated/google/apis/sts_v1beta/classes.rb,
generated/google/apis/sts_v1beta/representations.rb,
generated/google/apis/sts_v1beta/representations.rb

Overview

Request message for ExchangeToken.

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(**args) ⇒ GoogleIdentityStsV1betaExchangeTokenRequest

Returns a new instance of GoogleIdentityStsV1betaExchangeTokenRequest.



129
130
131
# File 'generated/google/apis/sts_v1beta/classes.rb', line 129

def initialize(**args)
   update!(**args)
end

Instance Attribute Details

#audienceString

The full resource name of the identity provider. For example, //iam. googleapis.com/projects//workloadIdentityPools//providers/. Required when exchanging an external credential for a Google access token. Corresponds to the JSON property audience

Returns:

  • (String)


34
35
36
# File 'generated/google/apis/sts_v1beta/classes.rb', line 34

def audience
  @audience
end

#grant_typeString

Required. The grant type. Must be urn:ietf:params:oauth:grant-type:token- exchange, which indicates a token exchange. Corresponds to the JSON property grantType

Returns:

  • (String)


40
41
42
# File 'generated/google/apis/sts_v1beta/classes.rb', line 40

def grant_type
  @grant_type
end

#optionsString

A set of features that Security Token Service supports, in addition to the standard OAuth 2.0 token exchange, formatted as a serialized JSON object of Options. Corresponds to the JSON property options

Returns:

  • (String)


47
48
49
# File 'generated/google/apis/sts_v1beta/classes.rb', line 47

def options
  @options
end

#requested_token_typeString

Required. The type of security token. Must be urn:ietf:params:oauth:token- type:access_token, which indicates an OAuth 2.0 access token. Corresponds to the JSON property requestedTokenType

Returns:

  • (String)


53
54
55
# File 'generated/google/apis/sts_v1beta/classes.rb', line 53

def requested_token_type
  @requested_token_type
end

#scopeString

The OAuth 2.0 scopes to include on the resulting access token, formatted as a list of space-delimited, case-sensitive strings. Required when exchanging an external credential for a Google access token. Corresponds to the JSON property scope

Returns:

  • (String)


60
61
62
# File 'generated/google/apis/sts_v1beta/classes.rb', line 60

def scope
  @scope
end

#subject_tokenString

Required. The input token. This token is a either an external credential issued by a workload identity pool provider, or a short-lived access token issued by Google. If the token is an OIDC JWT, it must use the JWT format defined in RFC 7523, and the subject_token_type must be urn:ietf:params:oauth:token-type:jwt. The following headers are required: - kid: The identifier of the signing key securing the JWT. - alg: The cryptographic algorithm securing the JWT. Must be RS256. The following payload fields are required. For more information, see RFC 7523, Section 3: - iss: The issuer of the token. The issuer must provide a discovery document at the URL /.well-known/openid-configuration, where is the value of this field. The document must be formatted according to section 4.2 of the [OIDC 1. 0 Discovery specification](https://openid.net/specs/openid-connect-discovery- 1_0.html#ProviderConfigurationResponse). - `iat`: The issue time, in seconds, since the Unix epoch. Must be in the past. - `exp`: The expiration time, in seconds, since the Unix epoch. Must be less than 48 hours after `iat`. Shorter expiration times are more secure. If possible, we recommend setting an expiration time less than 6 hours. - `sub`: The identity asserted in the JWT. - `aud`: Configured by the mapper policy. The default value is the service account's unique ID. Example header: "alg": "RS256", "kid": "us-east-11" Example payload: "iss": "https://accounts.google.com", "iat": 1517963104, "exp": 1517966704, "aud": "113475438248934895348", "sub": " 113475438248934895348", "my_claims": "additional_claim": "value" `If subject_tokenis an AWS token, it must be a serialized, [signed](https://docs. aws.amazon.com/general/latest/gr/signing_aws_api_requests.html) request to the AWS [GetCallerIdentity()](https://docs.aws.amazon.com/STS/latest/ APIReference/API_GetCallerIdentity) method. Format the request as URL-encoded JSON, and set thesubject_token_typeparameter tourn:ietf:params:aws:token- type:aws4_request. The following parameters are required: -url: The URL of the AWS STS endpoint forGetCallerIdentity(), such ashttps://sts.amazonaws. com?Action=GetCallerIdentity&Version=2011-06-15. Regional endpoints are also supported. -method: The HTTP request method:POST. -headers: The HTTP request headers, which must include: -Authorization`: The request signature.

  • x-amz-date: The time you will send the request, formatted as an ISO8601 Basic string. This is typically set to the current time and used to prevent replay attacks. - host: The hostname of the url field; for example, sts.amazonaws.com. - x-goog-cloud-target-resource: The full, canonical resource name of the workload identity pool provider, with or without an https: prefix. To help ensure data integrity, we recommend including this header in the SignedHeaders field of the signed request. For example: //iam.googleapis.com/projects//locations//workloadIdentityPools// providers/ https://iam.googleapis.com/projects//locations// workloadIdentityPools//providers/ If you are using temporary security credentials provided by AWS, you must also include the header x-amz-security- token, with the value . The following example shows a signed, serialized request: "headers":[ "key": "x-amz-date", "value": "20200815T015049Z", "key": "Authorization", "value": "AWS4-HMAC-SHA256+Credential=$credential,+ SignedHeaders=host;x-amz-date;x-goog-cloud-target-resource,+Signature=$ signature", "key": "x-goog-cloud-target-resource", "value": "//iam. googleapis.com/projects//locations//workloadIdentityPools//providers/", "key" : "host", "value": "sts.amazonaws.com" . ], "method":"POST", "url":"https:// sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15" `You can also use a Google-issued OAuth 2.0 access token with this field to obtain an access token with new security attributes applied, such as a Credential Access Boundary. In this case, setsubject_token_typetourn:ietf:params:oauth: token-type:access_token. If an access token already contains security attributes, you cannot apply additional security attributes. Corresponds to the JSON propertysubjectToken`

Returns:

  • (String)


122
123
124
# File 'generated/google/apis/sts_v1beta/classes.rb', line 122

def subject_token
  @subject_token
end

#subject_token_typeString

Required. urn:ietf:params:oauth:token-type:access_token. Corresponds to the JSON property subjectTokenType

Returns:

  • (String)


127
128
129
# File 'generated/google/apis/sts_v1beta/classes.rb', line 127

def subject_token_type
  @subject_token_type
end

Instance Method Details

#update!(**args) ⇒ Object

Update properties of this object



134
135
136
137
138
139
140
141
142
# File 'generated/google/apis/sts_v1beta/classes.rb', line 134

def update!(**args)
  @audience = args[:audience] if args.key?(:audience)
  @grant_type = args[:grant_type] if args.key?(:grant_type)
  @options = args[:options] if args.key?(:options)
  @requested_token_type = args[:requested_token_type] if args.key?(:requested_token_type)
  @scope = args[:scope] if args.key?(:scope)
  @subject_token = args[:subject_token] if args.key?(:subject_token)
  @subject_token_type = args[:subject_token_type] if args.key?(:subject_token_type)
end