google/externalaccount: add support for workforce pool credentials

Ryan Kohler · Ryan Kohler · commit 7969d9bbda87 · 2021-09-30T13:35:18.000-07:00
diff --git a/google/google.go b/google/google.go
@@ -123,6 +123,7 @@ type credentialsFile struct {
 	ServiceAccountImpersonationURL string                           `json:"service_account_impersonation_url"`
 	CredentialSource               externalaccount.CredentialSource `json:"credential_source"`
 	QuotaProjectID                 string                           `json:"quota_project_id"`
+	WorkforcePoolUserProject 			 string														`json:"workforce_pool_user_project"`
 }
 
 func (f *credentialsFile) jwtConfig(scopes []string, subject string) *jwt.Config {
@@ -176,6 +177,7 @@ func (f *credentialsFile) tokenSource(ctx context.Context, params CredentialsPar
 			CredentialSource:               f.CredentialSource,
 			QuotaProjectID:                 f.QuotaProjectID,
 			Scopes:                         params.Scopes,
+			WorkforcePoolUserProject:				f.WorkforcePoolUserProject,
 		}
 		return cfg.TokenSource(ctx)
 	case "":
diff --git a/google/internal/externalaccount/basecredentials.go b/google/internal/externalaccount/basecredentials.go
@@ -53,6 +53,11 @@ type Config struct {
 	QuotaProjectID string
 	// Scopes contains the desired scopes for the returned access token.
 	Scopes []string
+	// The optional workforce pool user project number when the credential
+	// corresponds to a workforce pool and not a workload identity pool.
+	// The underlying principal must still have serviceusage.services.use IAM
+	// permission to use the project for billing/quota.
+	WorkforcePoolUserProject string
 }
 
 // Each element consists of a list of patterns.  validateURLs checks for matches
@@ -224,7 +229,13 @@ func (ts tokenSource) Token() (*oauth2.Token, error) {
 		ClientID:     conf.ClientID,
 		ClientSecret: conf.ClientSecret,
 	}
-	stsResp, err := exchangeToken(ts.ctx, conf.TokenURL, &stsRequest, clientAuth, header, nil)
+	var options map[string]string
+	if (ts.Config.WorkforcePoolUserProject != "") {
+		options = map[string]string{
+			"userProject": ts.Config.WorkforcePoolUserProject,
+		}
+	}
+	stsResp, err := exchangeToken(ts.ctx, conf.TokenURL, &stsRequest, clientAuth, header, options)
 	if err != nil {
 		return nil, err
 	}

Original file line number	Diff line number	Diff line change
`@@ -123,6 +123,7 @@ type credentialsFile struct {`
`123`	`123`	ServiceAccountImpersonationURL string `json:"service_account_impersonation_url"`
`124`	`124`	CredentialSource externalaccount.CredentialSource `json:"credential_source"`
`125`	`125`	QuotaProjectID string `json:"quota_project_id"`
	`126`	+ WorkforcePoolUserProject string `json:"workforce_pool_user_project"`
`126`	`127`	`}`
`127`	`128`
`128`	`129`	`func (f credentialsFile) jwtConfig(scopes []string, subject string) jwt.Config {`
`@@ -176,6 +177,7 @@ func (f *credentialsFile) tokenSource(ctx context.Context, params CredentialsPar`
`176`	`177`	`CredentialSource: f.CredentialSource,`
`177`	`178`	`QuotaProjectID: f.QuotaProjectID,`
`178`	`179`	`Scopes: params.Scopes,`
	`180`	`+ WorkforcePoolUserProject: f.WorkforcePoolUserProject,`
`179`	`181`	`}`
`180`	`182`	`return cfg.TokenSource(ctx)`
`181`	`183`	`case "":`