Closed
Description
Delegate Credentials is basically a way for a user or (more commonly) a service account to impersonate another service account.
DelegateTokenSource allows a TokenSource issued to a user or service account to impersonate another. The target service account must grant the originating principal the "Service Account Token Creator" IAM role:
https://cloud.google.com/iam/docs/service-accounts#the_service_account_token_creator_role
Suggested usage (errors dropped for brevity; needs context, time, cloud.google.com/go/storage, golang.org/x/oauth2/google and google.golang.org/api/option):
```go
ctx := context.Background()
principal := "[email protected]" // target service account email
lifetime := 30 * time.Second         // bounded lifetime of the impersonated token
delegates := []string{}              // optional chain of intermediate service accounts
newScopes := []string{storage.ScopeReadOnly} // narrowed scopes for the impersonated token
rootTokenSource, _ := google.DefaultTokenSource(ctx, "https://www.googleapis.com/auth/iam")
delegateTokenSource, _ := google.DelegateTokenSource(ctx, rootTokenSource, principal, lifetime, delegates, newScopes)
storageClient, _ := storage.NewClient(ctx, option.WithTokenSource(delegateTokenSource))
itrs := storageClient.Buckets(ctx, "your_project")
```
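As an added example (not code from golang/oauth2 or from this proposal), here is a stdlib-only sketch of what such a DelegateTokenSource does underneath: it calls the IAM Credentials generateAccessToken method as the originating identity, passing the target principal, the delegate chain, the narrowed scopes and the bounded lifetime, and gets back a short-lived token plus its expiry. The `Client` (assumed already authenticated with the iam scope), the overridable `Endpoint` field and the example service account email are assumptions of this sketch.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"time"
)

// DelegateTokenSource mints a short-lived access token for Principal through the IAM
// Credentials generateAccessToken method, called as the originating identity behind Client.
// That identity must hold "Service Account Token Creator" on Principal, or the API denies it.
type DelegateTokenSource struct {
	Client    *http.Client  // assumed already authenticated with the iam scope
	Endpoint  string        // https://iamcredentials.googleapis.com; overridable for tests
	Principal string        // target service account email
	Delegates []string      // chain members as projects/-/serviceAccounts/{email}, if any
	Scopes    []string      // narrowed scopes for the minted token
	Lifetime  time.Duration // bounded lifetime; the API enforces its own ceiling (1h by default)
}

// Token returns the minted access token and its expiry (stdlib types, not oauth2.Token).
func (d *DelegateTokenSource) Token(ctx context.Context) (string, time.Time, error) {
	body, _ := json.Marshal(map[string]interface{}{
		"delegates": d.Delegates, "scope": d.Scopes,
		"lifetime": fmt.Sprintf("%ds", int(d.Lifetime.Seconds())),
	})
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, fmt.Sprintf("%s/v1/projects/-/serviceAccounts/%s:generateAccessToken", d.Endpoint, d.Principal), bytes.NewReader(body))
	if err != nil {
		return "", time.Time{}, err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := d.Client.Do(req)
	if err != nil {
		return "", time.Time{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // 403 usually means the Token Creator grant is missing
		return "", time.Time{}, fmt.Errorf("generateAccessToken: HTTP %d", resp.StatusCode)
	}
	var out struct {
		AccessToken string    `json:"accessToken"`
		ExpireTime  time.Time `json:"expireTime"`
	}
	err = json.NewDecoder(resp.Body).Decode(&out)
	return out.AccessToken, out.ExpireTime, err
}
```

Because the token carries only the requested scopes and expires at the lifetime requested, a leaked impersonated token is worth far less than the originating credential; the Token Creator grant on the target is the permission to audit.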
Ref:
- https://cloud.google.com/iam/docs/service-accounts#the_service_account_token_creator_role
- https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials
- https://cloud.google.com/iam/credentials/reference/rest/v1/projects.serviceAccounts/generateAccessToken
--
googleapis/google-cloud-common#266