
   1  package credentials
   2  
   3  import (
   4  	"fmt"
   5  
   6  	"github.com/pkg/errors"
   7  
   8  	"github.com/yandex-cloud/go-sdk/v2/pkg/iamkey"
   9  )
  10  
  // ServiceAccountKey builds exchangeable credentials backed by the given IAM key.
  // The key signs JWTs, and each signed JWT is exchanged for an IAM token that
  // authorizes API calls. IAM keys issued for user accounts are not supported by
  // this authorization method.
  //
  // An error from newServiceAccountJWTBuilder is returned unchanged. The returned
  // credentials wrap a function that asks the builder for a signed token every
  // time it is invoked; a signing failure is wrapped with %w so the cause stays
  // inspectable by the caller.
  //
  // NOTE(review): the builder is captured by the returned closure, so whatever
  // key material it holds presumably stays in memory for as long as the
  // credentials are referenced — confirm against newServiceAccountJWTBuilder.
  func ServiceAccountKey(key *iamkey.Key) (ExchangeableCredentials, error) {
  	builder, buildErr := newServiceAccountJWTBuilder(key)
  	if buildErr != nil {
  		return nil, buildErr
  	}

  	// requestToken signs a JWT on demand and packages it as a token request.
  	requestToken := func() (*CredentialsTokenRequest, error) {
  		token, signErr := builder.SignedToken()
  		if signErr != nil {
  			return nil, fmt.Errorf("JWT sign failed : %w", signErr)
  		}

  		req := &CredentialsTokenRequest{
  			Token:    token,
  			Identity: CredentialsIdentityJWT,
  		}
  		return req, nil
  	}

  	return exchangeableCredentialsFunc(requestToken), nil
  }
  31  
  // ServiceAccountKeyFile loads a service account key from the JSON file at
  // keyFilePath and returns the credentials that ServiceAccountKey builds from it.
  //
  // A failure from iamkey.ReadFromJSONFile is returned with a message naming
  // keyFilePath; only the path is added to the message here, not the file
  // contents.
  //
  // NOTE(review): the file holds the key used to sign JWTs, so it should be
  // readable only by the account running this code; no permission check is
  // performed in this function.
  func ServiceAccountKeyFile(keyFilePath string) (Credentials, error) {
  	key, loadErr := iamkey.ReadFromJSONFile(keyFilePath)
  	if loadErr == nil {
  		return ServiceAccountKey(key)
  	}

  	msg := fmt.Sprintf("Failed to load service account key from %s", keyFilePath)
  	return nil, errors.WithMessage(loadErr, msg)
  }
  42