This is a utility library that requests short-lived tokens for GCP Service Accounts. Command line version is also available as a standalone utility tool.
go get -u github.com/GreenVine/gcp-auth-util/auth
Build a TokenRequestOptions
with appropriate settings, then retrieve the token by authenticating with service account credentials.
To request an ID token, provide TargetAudience
and set UseIDToken
to true
:
import "github.com/GreenVine/gcp-auth-util/auth"
options := &auth.TokenRequestOptions{
Audience: "https://oauth2.googleapis.com/token", // Audience for the token
Expires: 3600, // Token expiry (in seconds)
TargetAudience: "https://myapp.example.com", // Target audience for the token
TokenURL: "https://oauth2.googleapis.com/token", // OAuth2 endpoint
UseIDToken: true, // true: request an ID token; false: request an access token
}
To request an access token instead, provide at least one scope and set UseIDToken
to false
:
options := &auth.TokenRequestOptions{
// ...
Scopes: []string{ // List of scopes
"https://www.googleapis.com/auth/userinfo.email",
},
// ...
UseIDToken: false,
}
Then authenticate by a service account and request a token:
// Pass credentials via JSON file
token, err := auth.GetTokenByServiceAccountFile(context.Background(), "/path/to/service-account.json", options)
// Pass credentials via Base64-encoded contents
token, err := auth.GetTokenByServiceAccountFile(context.Background(), []byte("base64-encoded-json-file-contents"), options)
// Print the token
fmt.Println(token.AccessToken)
Build the project with: go build -o gau -ldflags="-s -w"
, where gau
is the resulting binary.
-audience string
Token audience (default "https://oauth2.googleapis.com/token")
-auth-source string
Authentication source: service-account (default "service-account")
-credentials string
Base64-encoded credentials or path to the file
-expires duration
Token expiry (in seconds) (default 1h0m0s)
-scopes value
One or more scopes
-target-audience string
Target audience
-timeout duration
Operation timeout (in seconds) (default 15s)
-token-type string
Token type: id, access
-token-url string
OAuth2 authentication endpoint (default "https://oauth2.googleapis.com/token")
-
Request a 5-min-long ID token, authenticate by JSON file:
gau -credentials /path/to/service-account.json -token-type id -expires 300 -target-audience "https://myapp.example.com"
-
Request an access token, authenticate by Base64-encoded credentials:
gau -credentials "base64-encoded" -token-type access -scopes https://www.googleapis.com/auth/userinfo.email -scopes https://example.com/another-scope
GNU General Public License v3.0 or later
See COPYING to see the full text.