Class: Google::Apis::StsV1::GoogleIdentityStsV1ExchangeTokenRequest

Inherits:

Object

• Object
• Google::Apis::StsV1::GoogleIdentityStsV1ExchangeTokenRequest

Includes:

Core::Hashable, Core::JsonObjectSupport

Defined in:

lib/google/apis/sts_v1/classes.rb,
lib/google/apis/sts_v1/representations.rb,
lib/google/apis/sts_v1/representations.rb

Overview

Request message for ExchangeToken.

Instance Attribute Summary

• #audience ⇒ String

  The full resource name of the identity provider; for example: `//iam.

• #grant_type ⇒ String

  Required.

• #options ⇒ String

  A set of features that Security Token Service supports, in addition to the standard OAuth 2.0 token exchange, formatted as a serialized JSON object of Options.

• #requested_token_type ⇒ String

  Required.

• #scope ⇒ String

  The OAuth 2.0 scopes to include on the resulting access token, formatted as a list of space-delimited, case-sensitive strings.

• #subject_token ⇒ String

  Required.

• #subject_token_type ⇒ String

  Required.

Instance Method Summary

• #initialize(**args) ⇒ GoogleIdentityStsV1ExchangeTokenRequest constructor

  A new instance of GoogleIdentityStsV1ExchangeTokenRequest.

• #update!(**args) ⇒ Object

  Update properties of this object.

Constructor Details

#initialize(**args) ⇒ GoogleIdentityStsV1ExchangeTokenRequest

Returns a new instance of GoogleIdentityStsV1ExchangeTokenRequest.

# File 'lib/google/apis/sts_v1/classes.rb', line 139

def initialize(**args)
   update!(**args)
end

Instance Attribute Details

#audience ⇒ String

The full resource name of the identity provider; for example: //iam. googleapis.com/projects//workloadIdentityPools//providers/. Required when exchanging an external credential for a Google access token. Corresponds to the JSON property audience

Returns:

• (String)

# File 'lib/google/apis/sts_v1/classes.rb', line 34

def audience
  @audience
end

#grant_type ⇒ String

Required. The grant type. Must be urn:ietf:params:oauth:grant-type:token- exchange, which indicates a token exchange. Corresponds to the JSON property grantType

Returns:

• (String)

# File 'lib/google/apis/sts_v1/classes.rb', line 40

def grant_type
  @grant_type
end

#options ⇒ String

A set of features that Security Token Service supports, in addition to the standard OAuth 2.0 token exchange, formatted as a serialized JSON object of Options. Corresponds to the JSON property options

Returns:

• (String)

# File 'lib/google/apis/sts_v1/classes.rb', line 47

def options
  @options
end

#requested_token_type ⇒ String

Required. An identifier for the type of requested security token. Must be urn: ietf:params:oauth:token-type:access_token. Corresponds to the JSON property requestedTokenType

Returns:

• (String)

# File 'lib/google/apis/sts_v1/classes.rb', line 53

def requested_token_type
  @requested_token_type
end

#scope ⇒ String

The OAuth 2.0 scopes to include on the resulting access token, formatted as a list of space-delimited, case-sensitive strings. Required when exchanging an external credential for a Google access token. Corresponds to the JSON property scope

Returns:

• (String)

# File 'lib/google/apis/sts_v1/classes.rb', line 60

def scope
  @scope
end

#subject_token ⇒ String

Required. The input token. This token is a either an external credential issued by a workload identity pool provider, or a short-lived access token issued by Google. If the token is an OIDC JWT, it must use the JWT format defined in RFC 7523, and the subject_token_type must be urn:ietf:params:oauth:token-type:jwt. The following headers are required: - kid: The identifier of the signing key securing the JWT. - alg: The cryptographic algorithm securing the JWT. Must be RS256 or ES256. The following payload fields are required. For more information, see RFC 7523, Section 3: - iss: The issuer of the token. The issuer must provide a discovery document at the URL /.well-known/openid-configuration, where is the value of this field. The document must be formatted according to section 4. 2 of the [OIDC 1.0 Discovery specification](https://openid.net/specs/openid- connect-discovery-1_0.html#ProviderConfigurationResponse). - `iat`: The issue time, in seconds, since the Unix epoch. Must be in the past. - `exp`: The expiration time, in seconds, since the Unix epoch. Must be less than 48 hours after `iat`. Shorter expiration times are more secure. If possible, we recommend setting an expiration time less than 6 hours. - `sub`: The identity asserted in the JWT. - `aud`: For workload identity pools, this must be a value specified in the allowed audiences for the workload identity pool provider, or one of the audiences allowed by default if no audiences were specified. See https://cloud.google.com/iam/docs/reference/rest/v1/projects. locations.workloadIdentityPools.providers#oidc Example header: "alg": " RS256", "kid": "us-east-11" Example payload: "iss": "https:// accounts.google.com", "iat": 1517963104, "exp": 1517966704, "aud": "//iam. googleapis.com/projects/1234567890123/locations/global/workloadIdentityPools/ my-pool/providers/my-provider", "sub": "113475438248934895348", "my_claims": "additional_claim": "value" If `subject_token` is for AWS, it must be a serialized `GetCallerIdentity` token. This token contains the same information as a request to the AWS [`GetCallerIdentity()`](https://docs.aws. amazon.com/STS/latest/APIReference/API_GetCallerIdentity) method, as well as the AWS [signature](https://docs.aws.amazon.com/general/latest/gr/ signing_aws_api_requests.html) for the request information. Use Signature Version 4. Format the request as URL-encoded JSON, and set the ` subject_token_type` parameter to `urn:ietf:params:aws:token-type:aws4_request`. The following parameters are required: - `url`: The URL of the AWS STS endpoint for `GetCallerIdentity()`, such as `https://sts.amazonaws.com?Action= GetCallerIdentity&Version=2011-06-15`. Regional endpoints are also supported. - `method`: The HTTP request method: `POST`. - `headers`: The HTTP request headers, which must include: - `Authorization`: The request signature. - `x- amz-date`: The time you will send the request, formatted as an [ISO8601 Basic]( https://docs.aws.amazon.com/general/latest/gr/sigv4_elements.html# sigv4_elements_date) string. This value is typically set to the current time and is used to help prevent replay attacks. - `host`: The hostname of the `url` field; for example, `sts.amazonaws.com`. - `x-goog-cloud-target-resource`: The full, canonical resource name of the workload identity pool provider, with or without an `https:` prefix. To help ensure data integrity, we recommend including this header in the `SignedHeaders` field of the signed request. For example: //iam.googleapis.com/projects//locations//workloadIdentityPools// providers/ https://iam.googleapis.com/projects//locations// workloadIdentityPools//providers/ If you are using temporary security credentials provided by AWS, you must also include the header `x-amz-security- token`, with the value set to the session token. The following example shows a `GetCallerIdentity` token: "headers": [ "key": "x-amz-date", "value": " 20200815T015049Z", "key": "Authorization", "value": "AWS4-HMAC-SHA256+ Credential=$credential,+SignedHeaders=host;x-amz-date;x-goog-cloud-target- resource,+Signature=$signature", "key": "x-goog-cloud-target-resource", " value": "//iam.googleapis.com/projects//locations//workloadIdentityPools// providers/", "key": "host", "value": "sts.amazonaws.com" . ], "method": " POST", "url": "https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011- 06-15" `You can also use a Google-issued OAuth 2.0 access token with this field to obtain an access token with new security attributes applied, such as a Credential Access Boundary. In this case, setsubject_token_typetourn: ietf:params:oauth:token-type:access_token. If an access token already contains security attributes, you cannot apply additional security attributes. Corresponds to the JSON propertysubjectToken`

Returns:

• (String)

# File 'lib/google/apis/sts_v1/classes.rb', line 129

def subject_token
  @subject_token
end

#subject_token_type ⇒ String

Required. An identifier that indicates the type of the security token in the subject_token parameter. Supported values are urn:ietf:params:oauth:token- type:jwt, urn:ietf:params:aws:token-type:aws4_request, and urn:ietf:params: oauth:token-type:access_token. Corresponds to the JSON property subjectTokenType

Returns:

• (String)

# File 'lib/google/apis/sts_v1/classes.rb', line 137

def subject_token_type
  @subject_token_type
end

Instance Method Details

#update!(**args) ⇒ Object

Update properties of this object

# File 'lib/google/apis/sts_v1/classes.rb', line 144

def update!(**args)
  @audience = args[:audience] if args.key?(:audience)
  @grant_type = args[:grant_type] if args.key?(:grant_type)
  @options = args[:options] if args.key?(:options)
  @requested_token_type = args[:requested_token_type] if args.key?(:requested_token_type)
  @scope = args[:scope] if args.key?(:scope)
  @subject_token = args[:subject_token] if args.key?(:subject_token)
  @subject_token_type = args[:subject_token_type] if args.key?(:subject_token_type)
end