feat: [confidentialcomputing] Add a token_type options proto to allow for customization of specific token types. Added the first token type option to hold principal tag token options (#5839)

* feat: Add a token_type options proto to allow for customization of specific token types. Added the first token type option to hold principal tag token options

PiperOrigin-RevId: 700050491

Source-Link: googleapis/googleapis@5afbbeb

Source-Link: googleapis/googleapis-gen@856d7ae
Copy-Tag: eyJwIjoicGFja2FnZXMvZ29vZ2xlLWNsb3VkLWNvbmZpZGVudGlhbGNvbXB1dGluZy8uT3dsQm90LnlhbWwiLCJoIjoiODU2ZDdhZWQzZmMyOTA0NTdkYTE1NzQ3M2U5MTk0NmU2ODJjZWQ3YSJ9

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

---------

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
gcf-owl-bot[bot] and gcf-owl-bot[bot] authored Dec 2, 2024
1 parent 5c17a56 commit 338106a
Showing 5 changed files with 1,096 additions and 4 deletions.
4 changes: 2 additions & 2 deletions packages/google-cloud-confidentialcomputing/README.md
@@ -44,7 +44,7 @@ Google APIs Client Libraries, in [Client Libraries Explained][explained].
1. [Select or create a Cloud Platform project][projects].
1. [Enable billing for your project][billing].
1. [Enable the Confidential Computing API API][enable_api].
1. [Set up authentication with a service account][auth] so you can access the
1. [Set up authentication][auth] so you can access the
API from your local workstation.

### Installing the client library
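Review bot: the unchanged context line `1. [Enable the Confidential Computing API API][enable_api].` repeats the word "API"; since this hunk already edits the adjacent setup step, it is worth folding the fix in as `1. [Enable the Confidential Computing API][enable_api].` The reworded step `[Set up authentication][auth]` drops the service-account wording, so it only reads correctly if the `[auth]` reference definition further down the file is updated in the same change.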
@@ -179,4 +179,4 @@ See [LICENSE](https://github.com/googleapis/google-cloud-node/blob/main/LICENSE)
[projects]: https://console.cloud.google.com/project
[billing]: https://support.google.com/cloud/answer/6293499#enable-billing
[enable_api]: https://console.cloud.google.com/flows/enableapi?apiid=confidentialcomputing.googleapis.com
[auth]: https://cloud.google.com/docs/authentication/getting-started
[auth]: https://cloud.google.com/docs/authentication/external/set-up-adc-local
@@ -85,6 +85,9 @@ enum TokenType {

// Limited claim token type for AWS integration
TOKEN_TYPE_LIMITED_AWS = 3;

// Principal-tag-based token for AWS integration
TOKEN_TYPE_AWS_PRINCIPALTAGS = 4;
}

// A Challenge from the server used to guarantee freshness of attestations
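Review bot: the comment on `TOKEN_TYPE_AWS_PRINCIPALTAGS = 4` does not say how it differs from `TOKEN_TYPE_LIMITED_AWS = 3` or that the claims it carries are shaped by `TokenOptions.aws_principal_tags_options`; a caller reading the enum alone cannot tell which options apply, so the comment should point at that message. The name also breaks the word separation used by the neighbouring value (`LIMITED_AWS` vs `PRINCIPALTAGS`); `TOKEN_TYPE_AWS_PRINCIPAL_TAGS` would be consistent, and since renaming an enum value after release is a breaking API change, this is the moment to settle it.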
@@ -227,6 +230,37 @@ message GcpCredentials {

// Options to modify claims in the token to generate custom-purpose tokens.
message TokenOptions {
// Token options that only apply to the AWS Principal Tags token type.
message AwsPrincipalTagsOptions {
// Allowed principal tags is used to define what principal tags will be
// placed in the token.
message AllowedPrincipalTags {
// Allowed Container Image Signatures. Key IDs are required to allow this
// claim to fit within the narrow AWS IAM restrictions.
message ContainerImageSignatures {
// Optional. List of key ids to filter into the Principal tags. Only
// keys that have been validated and added to the token will be filtered
// into principal tags. Unrecognized key ids will be ignored.
repeated string key_ids = 1 [(google.api.field_behavior) = OPTIONAL];
}

// Optional. Container image signatures allowed in the token.
ContainerImageSignatures container_image_signatures = 1
[(google.api.field_behavior) = OPTIONAL];
}

// Optional. Principal tags to allow in the token.
AllowedPrincipalTags allowed_principal_tags = 1
[(google.api.field_behavior) = OPTIONAL];
}

// An optional additional configuration per token type.
oneof token_type_options {
// Optional. Options for the Limited AWS token type.
AwsPrincipalTagsOptions aws_principal_tags_options = 4
[(google.api.field_behavior) = OPTIONAL];
}

// Optional. Optional string to issue the token with a custom audience claim.
// Required if one or more nonces are specified.
string audience = 1 [(google.api.field_behavior) = OPTIONAL];
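Review bot: the doc comment on the new oneof member, `// Optional. Options for the Limited AWS token type.`, names the wrong token type: the field is `AwsPrincipalTagsOptions aws_principal_tags_options` and the message comment above it says these options apply only to the AWS Principal Tags token type, so it should read `// Optional. Options for the AWS Principal Tags token type.` Separately, the `ContainerImageSignatures` comment says key IDs are required to fit AWS IAM restrictions while `key_ids` is marked OPTIONAL and unrecognized IDs are silently ignored; the comment should state what the token contains when `key_ids` is empty (no signature principal tags, or every validated one), because a silently dropped key ID lets a policy author believe a signature constraint is being enforced when it is not.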