Class: Google::Apis::StsV1beta::GoogleIdentityStsV1betaExchangeTokenRequest

Inherits:

Object

• Object
• Google::Apis::StsV1beta::GoogleIdentityStsV1betaExchangeTokenRequest

Includes:

Core::Hashable, Core::JsonObjectSupport

Defined in:

lib/google/apis/sts_v1beta/classes.rb,
lib/google/apis/sts_v1beta/representations.rb,
lib/google/apis/sts_v1beta/representations.rb

Overview

Request message for ExchangeToken.

Instance Attribute Summary

• #audience ⇒ String

  The full resource name of the identity provider.

• #grant_type ⇒ String

  Required.

• #options ⇒ String

  A set of features that Security Token Service supports, in addition to the standard OAuth 2.0 token exchange, formatted as a serialized JSON object of Options.

• #requested_token_type ⇒ String

  Required.

• #scope ⇒ String

  The OAuth 2.0 scopes to include on the resulting access token, formatted as a list of space-delimited, case-sensitive strings.

• #subject_token ⇒ String

  Required.

• #subject_token_type ⇒ String

  Required.

Instance Method Summary

• #initialize(**args) ⇒ GoogleIdentityStsV1betaExchangeTokenRequest constructor

  A new instance of GoogleIdentityStsV1betaExchangeTokenRequest.

• #update!(**args) ⇒ Object

  Update properties of this object.

Constructor Details

#initialize(**args) ⇒ GoogleIdentityStsV1betaExchangeTokenRequest

Returns a new instance of GoogleIdentityStsV1betaExchangeTokenRequest.

# File 'lib/google/apis/sts_v1beta/classes.rb', line 404

def initialize(**args)
   update!(**args)
end

Instance Attribute Details

#audience ⇒ String

The full resource name of the identity provider. For example, //iam. googleapis.com/projects//locations/global/workloadIdentityPools//providers/. Required when exchanging an external credential for a Google access token. Corresponds to the JSON property audience

Returns:

• (String)

# File 'lib/google/apis/sts_v1beta/classes.rb', line 299

def audience
  @audience
end

#grant_type ⇒ String

Required. The grant type. Must be urn:ietf:params:oauth:grant-type:token- exchange, which indicates a token exchange. Corresponds to the JSON property grantType

Returns:

• (String)

# File 'lib/google/apis/sts_v1beta/classes.rb', line 305

def grant_type
  @grant_type
end

#options ⇒ String

A set of features that Security Token Service supports, in addition to the standard OAuth 2.0 token exchange, formatted as a serialized JSON object of Options. Corresponds to the JSON property options

Returns:

• (String)

# File 'lib/google/apis/sts_v1beta/classes.rb', line 312

def options
  @options
end

#requested_token_type ⇒ String

Required. The type of security token. Must be urn:ietf:params:oauth:token- type:access_token, which indicates an OAuth 2.0 access token. Corresponds to the JSON property requestedTokenType

Returns:

• (String)

# File 'lib/google/apis/sts_v1beta/classes.rb', line 318

def requested_token_type
  @requested_token_type
end

#scope ⇒ String

The OAuth 2.0 scopes to include on the resulting access token, formatted as a list of space-delimited, case-sensitive strings. Required when exchanging an external credential for a Google access token. Corresponds to the JSON property scope

Returns:

• (String)

# File 'lib/google/apis/sts_v1beta/classes.rb', line 325

def scope
  @scope
end

#subject_token ⇒ String

Required. The input token. This token is either an external credential issued by a workload identity pool provider, or a short-lived access token issued by Google. If the token is an OIDC JWT, it must use the JWT format defined in RFC 7523, and the subject_token_type must be either urn:ietf:params:oauth:token-type:jwt or urn:ietf:params: oauth:token-type:id_token. The following headers are required: - kid: The identifier of the signing key securing the JWT. - alg: The cryptographic algorithm securing the JWT. Must be RS256 or ES256. The following payload fields are required. For more information, see RFC 7523, Section 3: - iss: The issuer of the token. The issuer must provide a discovery document at the URL /.well-known/openid- configuration, where is the value of this field. The document must be formatted according to section 4.2 of the [OIDC 1.0 Discovery specification]( https://openid.net/specs/openid-connect-discovery-1_0.html# ProviderConfigurationResponse). - `iat`: The issue time, in seconds, since the Unix epoch. Must be in the past. - `exp`: The expiration time, in seconds, since the Unix epoch. Must be less than 48 hours after `iat`. Shorter expiration times are more secure. If possible, we recommend setting an expiration time less than 6 hours. - `sub`: The identity asserted in the JWT. - `aud`: For workload identity pools, this must be a value specified in the allowed audiences for the workload identity pool provider, or one of the audiences allowed by default if no audiences were specified. See https://cloud. google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools. providers#oidc Example header: "alg": "RS256", "kid": "us-east-11" Example payload: "iss": "https://accounts.google.com", "iat": 1517963104, "exp": 1517966704, "aud": "//iam.googleapis.com/projects/1234567890123/ locations/global/workloadIdentityPools/my-pool/providers/my-provider", "sub": " 113475438248934895348", "my_claims": "additional_claim": "value" `If subject_tokenis for AWS, it must be a serializedGetCallerIdentitytoken. This token contains the same information as a request to the AWS [ GetCallerIdentity()](https://docs.aws.amazon.com/STS/latest/APIReference/ API_GetCallerIdentity) method, as well as the AWS [signature](https://docs.aws. amazon.com/general/latest/gr/signing_aws_api_requests.html) for the request information. Use Signature Version 4. Format the request as URL-encoded JSON, and set thesubject_token_typeparameter tourn:ietf:params:aws:token-type: aws4_request. The following parameters are required: -url: The URL of the AWS STS endpoint forGetCallerIdentity(), such ashttps://sts.amazonaws.com? Action=GetCallerIdentity&Version=2011-06-15. Regional endpoints are also supported. -method: The HTTP request method:POST. -headers: The HTTP request headers, which must include: -Authorization`: The request signature.

• x-amz-date: The time you will send the request, formatted as an ISO8601 Basic string. This value is typically set to the current time and is used to help prevent replay attacks. - host: The hostname of the url field; for example, sts.amazonaws.com. - x-goog-cloud-target-resource: The full, canonical resource name of the workload identity pool provider, with or without an https: prefix. To help ensure data integrity, we recommend including this header in the SignedHeaders field of the signed request. For example: //iam.googleapis.com/projects//locations/global/workloadIdentityPools/ /providers/ https://iam.googleapis.com/projects//locations/global/ workloadIdentityPools//providers/ If you are using temporary security credentials provided by AWS, you must also include the header x-amz-security- token, with the value set to the session token. The following example shows a GetCallerIdentity token: ` "headers": [ `"key": "x-amz-date", "value": " 20200815T015049Z"`, `"key": "Authorization", "value": "AWS4-HMAC-SHA256+ Credential=$credential,+SignedHeaders=host;x-amz-date;x-goog-cloud-target- resource,+Signature=$signature"`, `"key": "x-goog-cloud-target-resource", " value": "//iam.googleapis.com/projects//locations/global/workloadIdentityPools/ /providers/"`, `"key": "host", "value": "sts.amazonaws.com"` . ], "method": " POST", "url": "https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011- 06-15" ` You can also use a Google-issued OAuth 2.0 access token with this field to obtain an access token with new security attributes applied, such as a Credential Access Boundary. In this case, set subject_token_type to urn: ietf:params:oauth:token-type:access_token. If an access token already contains security attributes, you cannot apply additional security attributes. Corresponds to the JSON property subjectToken

Returns:

• (String)

# File 'lib/google/apis/sts_v1beta/classes.rb', line 394

def subject_token
  @subject_token
end

#subject_token_type ⇒ String

Required. An identifier that indicates the type of the security token in the subject_token parameter. Supported values are urn:ietf:params:oauth:token- type:jwt, urn:ietf:params:oauth:token-type:id_token, urn:ietf:params:aws: token-type:aws4_request, and urn:ietf:params:oauth:token-type:access_token. Corresponds to the JSON property subjectTokenType

Returns:

• (String)

# File 'lib/google/apis/sts_v1beta/classes.rb', line 402

def subject_token_type
  @subject_token_type
end

Instance Method Details

#update!(**args) ⇒ Object

Update properties of this object

# File 'lib/google/apis/sts_v1beta/classes.rb', line 409

def update!(**args)
  @audience = args[:audience] if args.key?(:audience)
  @grant_type = args[:grant_type] if args.key?(:grant_type)
  @options = args[:options] if args.key?(:options)
  @requested_token_type = args[:requested_token_type] if args.key?(:requested_token_type)
  @scope = args[:scope] if args.key?(:scope)
  @subject_token = args[:subject_token] if args.key?(:subject_token)
  @subject_token_type = args[:subject_token_type] if args.key?(:subject_token_type)
end