feat(common): factory function for external accounts #10465

6 changes: 6 additions & 0 deletions google/cloud/credentials.cc
Expand Up @@ -51,6 +51,12 @@ std::shared_ptr<Credentials> MakeServiceAccountCredentials(
std::move(json_object), std::move(opts));
}

std::shared_ptr<Credentials> MakeExternalAccountCredentials(
std::string json_object, Options opts) {
return std::make_shared<internal::ExternalAccountConfig>(
std::move(json_object), std::move(opts));
}

GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
} // namespace cloud
} // namespace google
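Review bot: `MakeExternalAccountCredentials()` forwards `json_object` to `internal::ExternalAccountConfig` without parsing it, so a malformed or truncated configuration is accepted here and only fails later when the credentials are used. That matches `MakeServiceAccountCredentials()` directly above, so the behaviour is consistent, but it is worth stating in the header documentation that the factory does not fail fast and callers should expect configuration errors at first use rather than at construction.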
31 changes: 31 additions & 0 deletions google/cloud/credentials.h
Expand Up @@ -240,6 +240,37 @@ std::shared_ptr<Credentials> MakeImpersonateServiceAccountCredentials(
std::shared_ptr<Credentials> MakeServiceAccountCredentials(
std::string json_object, Options opts = {});

/**
* Creates credentials based on external accounts.
*
* [Workload Identity Federation] can grant on-premises or multi-cloud workloads
* access to Google Cloud resources, without using a service account key. You
* can use identity federation with Amazon Web Services (AWS), or with any
* identity provider that supports OpenID Connect (OIDC), such as Microsoft
* Azure, or SAML 2.0.
*
* @see https://cloud.google.com/docs/authentication for more information on
* authentication in GCP.
*
* @ingroup guac
*
* @param json_object the external account configuration as a JSON string.
* Typically applications read this from a file, or download the contents
* from something like Google's secret manager service. The configuration
* file can be created using the [create-cred-config] `gcloud` subcommand.
* @param opts optional configuration values. Note that the effect of these
* parameters depends on the underlying transport. For example,
* `TracingComponentsOption` is ignored by gRPC-based services.
*
* [create-cred-config]:
* https://cloud.google.com/sdk/gcloud/reference/iam/workload-identity-pools/create-cred-config
* [IAM quotas]: https://cloud.google.com/iam/quotas
* [Workload Identity Federation]:
* https://cloud.google.com/iam/docs/workload-identity-federation
*/
std::shared_ptr<Credentials> MakeExternalAccountCredentials(
std::string json_object, Options opts = {});

/**
* Configure the delegates for `MakeImpersonateServiceAccountCredentials()`
*
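Review bot: the `[IAM quotas]: https://cloud.google.com/iam/quotas` link definition is never referenced in the comment body, so it is dead markup; either drop it or add the sentence it was meant to support. The `@param json_object` paragraph would also benefit from noting that the JSON is not validated at construction (see the `.cc` change) and that, because applications typically read it from a file or a secret manager, the configuration must be treated as trusted input that is only sourced from locations the application controls.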
2 changes: 1 addition & 1 deletion google/cloud/internal/credentials_impl_test.cc
Expand Up @@ -125,7 +125,7 @@ TEST(Credentials, ServiceAccount) {
}

TEST(Credentials, ExternalAccount) {
auto credentials = std::make_shared<ExternalAccountConfig>(
auto credentials = MakeExternalAccountCredentials(
"test-only-invalid", Options{}.set<ScopesOption>({"scope1", "scope2"}));
Visitor visitor;
CredentialsVisitor::dispatch(*credentials, visitor);
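Review bot: switching the test to the public factory is the right move, but passing `"test-only-invalid"` as `json_object` means this test only proves the factory wires through to `ExternalAccountConfig` and that the `ScopesOption` survives the dispatch; it also confirms, implicitly, that invalid JSON is accepted at construction. Consider adding a companion test that exercises the failure path with a malformed configuration so the point at which the error surfaces is pinned down by a test rather than left to documentation.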