From ff7ef8e7ade7171bce3e4f30ff10a2e9f6c27ca0 Mon Sep 17 00:00:00 2001
From: Chris Smith
Date: Tue, 7 Jan 2025 15:53:53 -0700
Subject: [PATCH] fix(auth): fix copy of delegates in impersonate.NewIDTokenCredentials (#11386)

fixes: #11379
---
 auth/credentials/impersonate/idtoken.go          | 3 ++-
 auth/credentials/internal/impersonate/idtoken.go | 13 ++++++++++---
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/auth/credentials/impersonate/idtoken.go b/auth/credentials/impersonate/idtoken.go
index 1b7671f663a5..6c470822bd51 100644
--- a/auth/credentials/impersonate/idtoken.go
+++ b/auth/credentials/impersonate/idtoken.go
@@ -117,10 +117,11 @@ func NewIDTokenCredentials(opts *IDTokenOptions) (*auth.Credentials, error) {
 	}
 	universeDomainProvider := resolveUniverseDomainProvider(creds)
 
-	delegates := make([]string, len(opts.Delegates))
+	var delegates []string
 	for _, v := range opts.Delegates {
 		delegates = append(delegates, internal.FormatIAMServiceAccountResource(v))
 	}
+
 	iamOpts := impersonate.IDTokenIAMOptions{
 		Client: client,
 		Logger: logger,
diff --git a/auth/credentials/internal/impersonate/idtoken.go b/auth/credentials/internal/impersonate/idtoken.go
index 864b02cf104c..705462c1615e 100644
--- a/auth/credentials/internal/impersonate/idtoken.go
+++ b/auth/credentials/internal/impersonate/idtoken.go
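Review bot: `var delegates []string` followed by append in the loop regrows the backing array as it goes even though the final length is known; `delegates := make([]string, 0, len(opts.Delegates))` keeps the fix (no leading empty entries) while presizing capacity, and reads as a deliberate contrast to the `make([]string, len(...))` it replaces rather than an unrelated restyle. Either form leaves an empty input with zero length, so it would still be dropped by an `omitempty` tag if this slice ends up in the `delegates` field of the IAM request, which I infer from the second file in this patch rather than from this hunk. The removed line silently padded the delegation chain with empty resource names ahead of the real ones, so a unit test asserting `len(delegates) == len(opts.Delegates)` and the value of the first element would guard against this regressing. NewIDTokenCredentials starts and ends outside the hunk.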
@@ -47,9 +47,16 @@ type IDTokenIAMOptions struct {
 
 // GenerateIDTokenRequest holds the request to the IAM generateIdToken RPC.
 type GenerateIDTokenRequest struct {
-	Audience string `json:"audience"`
-	IncludeEmail bool `json:"includeEmail"`
-	Delegates []string `json:"delegates,omitempty"`
+	Audience string `json:"audience"`
+	IncludeEmail bool `json:"includeEmail"`
+	// Delegates are the ordered, fully-qualified resource name for service
+	// accounts in a delegation chain. Each service account must be granted
+	// roles/iam.serviceAccountTokenCreator on the next service account in the
+	// chain. The delegates must have the following format:
+	// projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard
+	// character is required; replacing it with a project ID is invalid.
+	// Optional.
+	Delegates []string `json:"delegates,omitempty"`
 }
 
 // GenerateIDTokenResponse holds the response from the IAM generateIdToken RPC.
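Review bot: The new field comment opens with `Delegates are the ordered, fully-qualified resource name for service accounts`, mixing a plural subject with a singular noun; the first line should read `// Delegates are the ordered, fully-qualified resource names of the service` with the remaining lines unchanged. Since the comment describes the required `projects/-/serviceAccounts/...` form but nothing in this hunk enforces it, it would help a reader to add one sentence such as `// This type does not validate the format; callers must supply already-formatted names.`, which matches how the other file in this patch builds the values before populating the request. The struct is fully contained in the hunk.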