feat: create impersonated service credentials #499
Conversation
viacheslav-rostovtsev
force-pushed
the
dev/virost/impersonated_creds
branch
3 times, most recently
from
743091e to
2ed3089
Compare
|
|
||
| describe "duplicates" do | ||
| before :example do | ||
| Google::Cloud.env.compute_smbios.override_product_name = "Google Compute Engine" |
There was a problem hiding this comment.
Should probably undo this in an after clause, so it doesn't affect other tests.
| # and then that claim is exchanged for a short-lived token at an IAMCredentials endpoint. | ||
| # The short-lived token and its expiration time are cached. | ||
| class ImpersonatedServiceAccountCredentials | ||
| ERROR_SUFFIX = <<~ERROR.freeze |
There was a problem hiding this comment.
Mark this # @private so it's not part of the public interface
| from IAM Credentials endpoint using the credentials provided. | ||
| ERROR | ||
|
|
||
| IAM_SCOPE = ["https://www.googleapis.com/auth/iam".freeze].freeze |
| include Google::Auth::BaseClient | ||
| include Helpers::Connection | ||
|
|
||
| attr_reader :base_credentials |
There was a problem hiding this comment.
Each of these should have YARD documentation.
| new options | ||
| end | ||
|
|
||
| def initialize options = {} |
There was a problem hiding this comment.
Either document this or mark it # @private.
| # to fetch short-lived impersionation access token | ||
| # @param impersonation_url [String] the URL to use to impersonate the service account. | ||
| # This URL should be in the format: | ||
| # https://iamcredentials.{universe_domain}/v1/projects/-/serviceAccounts/{source_sa_email}:generateAccessToken |
There was a problem hiding this comment.
Put backticks around the URL format string, otherwise YARD will try to linkify it.
| # This URL should be in the format: | ||
| # https://iamcredentials.{universe_domain}/v1/projects/-/serviceAccounts/{source_sa_email}:generateAccessToken | ||
| # where: | ||
| # * {universe_domain} is the domain of the IAMCredentials API endpoint (e.g. 'googleapis.com') |
There was a problem hiding this comment.
Put backticks around anything with literal curly braces, since it is a linkification syntax for YARD.
| # and request short-lived credentials for a service account | ||
| # that has the authorization that your use case requires. | ||
| # | ||
| # @param base_credentials [Object] the authenticated principal that will be used |
There was a problem hiding this comment.
Are these parameters required? (Seems like they are.) If so, can you note that in the documentation, and also put some checks in the constructor to fail fast if they are not provided?
viacheslav-rostovtsev
force-pushed
the
dev/virost/impersonated_creds
branch
from
ce48b35 to
29e3873
Compare
viacheslav-rostovtsev
added
the
do not merge
|
Do not merge: the case where the source credentials are wrapped in the Google::Auth::Credentials is not covered |
feat: create impersonated service credentials
feat: add duplication mechanism to various credentials to support "re-scoping" them for IAM requests