| author | Jonathan Amsterdam <jba@google.com> | 2020-09-02 10:09:11 -0400 |
|---|---|---|
| committer | Jonathan Amsterdam <jba@google.com> | 2020-09-03 17:02:43 +0000 |
| commit | dec7f62e707e7174bac2447fcd7e5d5fb3da142c (patch) | |
| tree | 939ae2167a98cc711eba509f43a33f493e7fe282 /internal/queue/queue_test.go | |
| parent | 7f21f6396cf17d18a60052bd853c5ef34c0ac8a6 (diff) | |
| download | go-x-pkgsite-dec7f62e707e7174bac2447fcd7e5d5fb3da142c.tar.xz | |
internal/auth: use the idtoken package

The google.golang.org/api/idtoken package is the official way to
create identity tokens for accessing IAP-protected services. Change
internal/auth to use it.

It's now possible to call NewClient or Header with no credentials.
The idtoken package can construct credentials from the application
default, if it is a service account. That will be the case when
running on AppEngine.

What this means is that AppEngine services that need to talk to other
AppEngine services, like the prober, no longer need to get creds in
any special way (like storing a service account's creds in a
secret, as the prober currently does); they can use their default
credentials for the AppEngine service account. All that is needed is
to grant the AppEngine service account the permission to access other
AppEngine services via the IAP, which has been done on our project.

Calling with credentials behaves as before; the idtoken package does
the same thing that our custom code was doing (more or less).

Other changes:
- Changed the signature of NewClient and Header to take a context.
- Removed the TokenSource method, which was unused.

For b/167586656

Change-Id: I90a5682e5ae59238b5ba00212aa5a057c4222553
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/252837
Reviewed-by: Julie Qiu <julie@golang.org>

Diffstat (limited to 'internal/queue/queue_test.go')
0 files changed, 0 insertions, 0 deletions
