fix(auth): fix copy of delegates in impersonate.NewIDTokenCredentials (…

…#11386) fixes: #11379
googleapis · Jan 7, 2025 · ff7ef8e · ff7ef8e
1 parent e4e1a49
commit ff7ef8e
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 4 deletions.
diff --git a/auth/credentials/impersonate/idtoken.go b/auth/credentials/impersonate/idtoken.go
@@ -117,10 +117,11 @@ func NewIDTokenCredentials(opts *IDTokenOptions) (*auth.Credentials, error) {
 	}
 
 	universeDomainProvider := resolveUniverseDomainProvider(creds)
-	delegates := make([]string, len(opts.Delegates))
+	var delegates []string
 	for _, v := range opts.Delegates {
 		delegates = append(delegates, internal.FormatIAMServiceAccountResource(v))
 	}
+
 	iamOpts := impersonate.IDTokenIAMOptions{
 		Client: client,
 		Logger: logger,

diff --git a/auth/credentials/internal/impersonate/idtoken.go b/auth/credentials/internal/impersonate/idtoken.go
@@ -47,9 +47,16 @@ type IDTokenIAMOptions struct {
 
 // GenerateIDTokenRequest holds the request to the IAM generateIdToken RPC.
 type GenerateIDTokenRequest struct {
-	Audience     string   `json:"audience"`
-	IncludeEmail bool     `json:"includeEmail"`
-	Delegates    []string `json:"delegates,omitempty"`
+	Audience     string `json:"audience"`
+	IncludeEmail bool   `json:"includeEmail"`
+	// Delegates are the ordered, fully-qualified resource name for service
+	// accounts in a delegation chain. Each service account must be granted
+	// roles/iam.serviceAccountTokenCreator on the next service account in the
+	// chain. The delegates must have the following format:
+	// projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard
+	// character is required; replacing it with a project ID is invalid.
+	// Optional.
+	Delegates []string `json:"delegates,omitempty"`
 }
 
 // GenerateIDTokenResponse holds the response from the IAM generateIdToken RPC.