class ExecutableSource implements ExternalAccountCredentialSourceInterface (View source)

ExecutableSource enables the exchange of workload identity pool external credentials for Google access tokens by retrieving 3rd party tokens through a user supplied executable. These scripts/executables are completely independent of the Google Cloud Auth libraries. These credentials plug into ADC and will call the specified executable to retrieve the 3rd party token to be exchanged for a Google access token.

To use these credentials, the GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES environment variable must be set to '1'. This is for security reasons.

Both OIDC and SAML are supported. The executable must adhere to a specific response format defined below.

The executable must print out the 3rd party token to STDOUT in JSON format. When an output_file is specified in the credential configuration, the executable must also handle writing the JSON response to this file.

OIDC response sample:
{
  "version": 1,
  "success": true,
  "token_type": "urn:ietf:params:oauth:token-type:id_token",
  "id_token": "HEADER.PAYLOAD.SIGNATURE",
  "expiration_time": 1620433341
}

SAML2 response sample:
{
  "version": 1,
  "success": true,
  "token_type": "urn:ietf:params:oauth:token-type:saml2",
  "saml_response": "...",
  "expiration_time": 1620433341
}

Error response sample:
{
  "version": 1,
  "success": false,
  "code": "401",
  "message": "Error message."
}

The "expiration_time" field in the JSON response is only required for successful responses when an output file was specified in the credential configuration

The auth libraries will populate certain environment variables that will be accessible by the executable, such as: GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE, GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE, GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE, GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL, and GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE.

Constants

private GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES

private SAML_SUBJECT_TOKEN_TYPE

private OIDC_SUBJECT_TOKEN_TYPE1

private OIDC_SUBJECT_TOKEN_TYPE2

Methods

__construct(string $command, string|null $outputFile, ExecutableHandler|null $executableHandler = null)

No description

string|null
getCacheKey()

Gets the unique key for caching The format for the cache key is: Command.OutputFile

string
fetchSubjectToken(callable|null $httpHandler = null)

No description

Details

__construct(string $command, string|null $outputFile, ExecutableHandler|null $executableHandler = null)

No description

Parameters

string $command

The string command to run to get the subject token.

string|null $outputFile
ExecutableHandler|null $executableHandler

string|null getCacheKey()

Gets the unique key for caching The format for the cache key is: Command.OutputFile

Return Value

string|null

string fetchSubjectToken(callable|null $httpHandler = null)

No description

Parameters

callable|null $httpHandler

Return Value

string

Exceptions

RuntimeException
ExecutableResponseError