docs/dyn/sts_v1beta.v1beta.html - platform/external/python/google-api-python-client - Git at Google

 <html><body>
 <style>

 body, h1, h2, h3, div, span, p, pre, a {
   margin: 0;
   padding: 0;
   border: 0;
   font-weight: inherit;
   font-style: inherit;
   font-size: 100%;
   font-family: inherit;
   vertical-align: baseline;
 }

 body {
   font-size: 13px;
   padding: 1em;
 }

 h1 {
   font-size: 26px;
   margin-bottom: 1em;
 }

 h2 {
   font-size: 24px;
   margin-bottom: 1em;
 }

 h3 {
   font-size: 20px;
   margin-bottom: 1em;
   margin-top: 1em;
 }

 pre, code {
   line-height: 1.5;
   font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
 }

 pre {
   margin-top: 0.5em;
 }

 h1, h2, h3, p {
   font-family: Arial, sans serif;
 }

 h1, h2, h3 {
   border-bottom: solid #CCC 1px;
 }

 .toc_element {
   margin-top: 0.5em;
 }

 .firstline {
   margin-left: 2 em;
 }

 .method  {
   margin-top: 1em;
   border: solid 1px #CCC;
   padding: 1em;
   background: #EEE;
 }

 .details {
   font-weight: bold;
   font-size: 14px;
 }

 </style>

 <h1><a href="sts_v1beta.html">Security Token Service API</a> . <a href="sts_v1beta.v1beta.html">v1beta</a></h1>
 <h2>Instance Methods</h2>
 <p class="toc_element">
   <code><a href="#close">close()</a></code></p>
 <p class="firstline">Close httplib2 connections.</p>
 <p class="toc_element">
   <code><a href="#token">token(body=None, x__xgafv=None)</a></code></p>
 <p class="firstline">Exchanges a credential for a Google OAuth 2.0 access token. The token asserts an external identity within a workload identity pool, or it applies a Credential Access Boundary to a Google access token. When you call this method, do not send the `Authorization` HTTP header in the request. This method does not require the `Authorization` header, and using the header can cause the request to fail.</p>
 <h3>Method Details</h3>
 <div class="method">
     <code class="details" id="close">close()</code>
   <pre>Close httplib2 connections.</pre>
 </div>

 <div class="method">
     <code class="details" id="token">token(body=None, x__xgafv=None)</code>
   <pre>Exchanges a credential for a Google OAuth 2.0 access token. The token asserts an external identity within a workload identity pool, or it applies a Credential Access Boundary to a Google access token. When you call this method, do not send the `Authorization` HTTP header in the request. This method does not require the `Authorization` header, and using the header can cause the request to fail.

 Args:
   body: object, The request body.
     The object takes the form of:

 { # Request message for ExchangeToken.
   &quot;audience&quot;: &quot;A String&quot;, # The full resource name of the identity provider. For example, `//iam.googleapis.com/projects//locations/global/workloadIdentityPools//providers/`. Required when exchanging an external credential for a Google access token.
   &quot;grantType&quot;: &quot;A String&quot;, # Required. The grant type. Must be `urn:ietf:params:oauth:grant-type:token-exchange`, which indicates a token exchange.
   &quot;options&quot;: &quot;A String&quot;, # A set of features that Security Token Service supports, in addition to the standard OAuth 2.0 token exchange, formatted as a serialized JSON object of Options.
   &quot;requestedTokenType&quot;: &quot;A String&quot;, # Required. The type of security token. Must be `urn:ietf:params:oauth:token-type:access_token`, which indicates an OAuth 2.0 access token.
   &quot;scope&quot;: &quot;A String&quot;, # The OAuth 2.0 scopes to include on the resulting access token, formatted as a list of space-delimited, case-sensitive strings. Required when exchanging an external credential for a Google access token.
   &quot;subjectToken&quot;: &quot;A String&quot;, # Required. The input token. This token is either an external credential issued by a workload identity pool provider, or a short-lived access token issued by Google. If the token is an OIDC JWT, it must use the JWT format defined in [RFC 7523](https://tools.ietf.org/html/rfc7523), and the `subject_token_type` must be either `urn:ietf:params:oauth:token-type:jwt` or `urn:ietf:params:oauth:token-type:id_token`. The following headers are required: - `kid`: The identifier of the signing key securing the JWT. - `alg`: The cryptographic algorithm securing the JWT. Must be `RS256` or `ES256`. The following payload fields are required. For more information, see [RFC 7523, Section 3](https://tools.ietf.org/html/rfc7523#section-3): - `iss`: The issuer of the token. The issuer must provide a discovery document at the URL `/.well-known/openid-configuration`, where `` is the value of this field. The document must be formatted according to section 4.2 of the [OIDC 1.0 Discovery specification](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). - `iat`: The issue time, in seconds, since the Unix epoch. Must be in the past. - `exp`: The expiration time, in seconds, since the Unix epoch. Must be less than 48 hours after `iat`. Shorter expiration times are more secure. If possible, we recommend setting an expiration time less than 6 hours. - `sub`: The identity asserted in the JWT. - `aud`: For workload identity pools, this must be a value specified in the allowed audiences for the workload identity pool provider, or one of the audiences allowed by default if no audiences were specified. See https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools.providers#oidc Example header: ``` { &quot;alg&quot;: &quot;RS256&quot;, &quot;kid&quot;: &quot;us-east-11&quot; } ``` Example payload: ``` { &quot;iss&quot;: &quot;https://accounts.google.com&quot;, &quot;iat&quot;: 1517963104, &quot;exp&quot;: 1517966704, &quot;aud&quot;: &quot;//iam.googleapis.com/projects/1234567890123/locations/global/workloadIdentityPools/my-pool/providers/my-provider&quot;, &quot;sub&quot;: &quot;113475438248934895348&quot;, &quot;my_claims&quot;: { &quot;additional_claim&quot;: &quot;value&quot; } } ``` If `subject_token` is for AWS, it must be a serialized `GetCallerIdentity` token. This token contains the same information as a request to the AWS [`GetCallerIdentity()`](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity) method, as well as the AWS [signature](https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html) for the request information. Use Signature Version 4. Format the request as URL-encoded JSON, and set the `subject_token_type` parameter to `urn:ietf:params:aws:token-type:aws4_request`. The following parameters are required: - `url`: The URL of the AWS STS endpoint for `GetCallerIdentity()`, such as `https://sts.amazonaws.com?Action=GetCallerIdentity&amp;Version=2011-06-15`. Regional endpoints are also supported. - `method`: The HTTP request method: `POST`. - `headers`: The HTTP request headers, which must include: - `Authorization`: The request signature. - `x-amz-date`: The time you will send the request, formatted as an [ISO8601 Basic](https://docs.aws.amazon.com/general/latest/gr/sigv4_elements.html#sigv4_elements_date) string. This value is typically set to the current time and is used to help prevent replay attacks. - `host`: The hostname of the `url` field; for example, `sts.amazonaws.com`. - `x-goog-cloud-target-resource`: The full, canonical resource name of the workload identity pool provider, with or without an `https:` prefix. To help ensure data integrity, we recommend including this header in the `SignedHeaders` field of the signed request. For example: //iam.googleapis.com/projects//locations/global/workloadIdentityPools//providers/ https://iam.googleapis.com/projects//locations/global/workloadIdentityPools//providers/ If you are using temporary security credentials provided by AWS, you must also include the header `x-amz-security-token`, with the value set to the session token. The following example shows a `GetCallerIdentity` token: ``` { &quot;headers&quot;: [ {&quot;key&quot;: &quot;x-amz-date&quot;, &quot;value&quot;: &quot;20200815T015049Z&quot;}, {&quot;key&quot;: &quot;Authorization&quot;, &quot;value&quot;: &quot;AWS4-HMAC-SHA256+Credential=$credential,+SignedHeaders=host;x-amz-date;x-goog-cloud-target-resource,+Signature=$signature&quot;}, {&quot;key&quot;: &quot;x-goog-cloud-target-resource&quot;, &quot;value&quot;: &quot;//iam.googleapis.com/projects//locations/global/workloadIdentityPools//providers/&quot;}, {&quot;key&quot;: &quot;host&quot;, &quot;value&quot;: &quot;sts.amazonaws.com&quot;} . ], &quot;method&quot;: &quot;POST&quot;, &quot;url&quot;: &quot;https://sts.amazonaws.com?Action=GetCallerIdentity&amp;Version=2011-06-15&quot; } ``` You can also use a Google-issued OAuth 2.0 access token with this field to obtain an access token with new security attributes applied, such as a Credential Access Boundary. In this case, set `subject_token_type` to `urn:ietf:params:oauth:token-type:access_token`. If an access token already contains security attributes, you cannot apply additional security attributes.
   &quot;subjectTokenType&quot;: &quot;A String&quot;, # Required. An identifier that indicates the type of the security token in the `subject_token` parameter. Supported values are `urn:ietf:params:oauth:token-type:jwt`, `urn:ietf:params:oauth:token-type:id_token`, `urn:ietf:params:aws:token-type:aws4_request`, and `urn:ietf:params:oauth:token-type:access_token`.
 }

   x__xgafv: string, V1 error format.
     Allowed values
       1 - v1 error format
       2 - v2 error format

 Returns:
   An object of the form:

     { # Response message for ExchangeToken.
   &quot;access_token&quot;: &quot;A String&quot;, # An OAuth 2.0 security token, issued by Google, in response to the token exchange request. Tokens can vary in size, depending in part on the size of mapped claims, up to a maximum of 12288 bytes (12 KB). Google reserves the right to change the token size and the maximum length at any time.
   &quot;expires_in&quot;: 42, # The amount of time, in seconds, between the time when the access token was issued and the time when the access token will expire. This field is absent when the `subject_token` in the request is a Google-issued, short-lived access token. In this case, the access token has the same expiration time as the `subject_token`.
   &quot;issued_token_type&quot;: &quot;A String&quot;, # The token type. Always matches the value of `requested_token_type` from the request.
   &quot;token_type&quot;: &quot;A String&quot;, # The type of access token. Always has the value `Bearer`.
 }</pre>
 </div>

 </body></html>
	<html><body>
	<style>

	body, h1, h2, h3, div, span, p, pre, a {
	margin: 0;
	padding: 0;
	border: 0;
	font-weight: inherit;
	font-style: inherit;
	font-size: 100%;
	font-family: inherit;
	vertical-align: baseline;
	}

	body {
	font-size: 13px;
	padding: 1em;
	}

	h1 {
	font-size: 26px;
	margin-bottom: 1em;
	}

	h2 {
	font-size: 24px;
	margin-bottom: 1em;
	}

	h3 {
	font-size: 20px;
	margin-bottom: 1em;
	margin-top: 1em;
	}

	pre, code {
	line-height: 1.5;
	font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
	}

	pre {
	margin-top: 0.5em;
	}

	h1, h2, h3, p {
	font-family: Arial, sans serif;
	}

	h1, h2, h3 {
	border-bottom: solid #CCC 1px;
	}

	.toc_element {
	margin-top: 0.5em;
	}

	.firstline {
	margin-left: 2 em;
	}

	.method {
	margin-top: 1em;
	border: solid 1px #CCC;
	padding: 1em;
	background: #EEE;
	}

	.details {
	font-weight: bold;
	font-size: 14px;
	}

	</style>

	<h1><a href="sts_v1beta.html">Security Token Service API</a> . <a href="sts_v1beta.v1beta.html">v1beta</a></h1>
	<h2>Instance Methods</h2>
	<p class="toc_element">
	<code><a href="#close">close()</a></code></p>
	<p class="firstline">Close httplib2 connections.</p>
	<p class="toc_element">
	<code><a href="#token">token(body=None, x__xgafv=None)</a></code></p>
	<p class="firstline">Exchanges a credential for a Google OAuth 2.0 access token. The token asserts an external identity within a workload identity pool, or it applies a Credential Access Boundary to a Google access token. When you call this method, do not send the `Authorization` HTTP header in the request. This method does not require the `Authorization` header, and using the header can cause the request to fail.</p>
	<h3>Method Details</h3>
	<div class="method">
	<code class="details" id="close">close()</code>
	<pre>Close httplib2 connections.</pre>
	</div>

	<div class="method">
	<code class="details" id="token">token(body=None, x__xgafv=None)</code>
	<pre>Exchanges a credential for a Google OAuth 2.0 access token. The token asserts an external identity within a workload identity pool, or it applies a Credential Access Boundary to a Google access token. When you call this method, do not send the `Authorization` HTTP header in the request. This method does not require the `Authorization` header, and using the header can cause the request to fail.

	Args:
	body: object, The request body.
	The object takes the form of:

	{ # Request message for ExchangeToken.
	"audience": "A String", # The full resource name of the identity provider. For example, `//iam.googleapis.com/projects//locations/global/workloadIdentityPools//providers/`. Required when exchanging an external credential for a Google access token.
	"grantType": "A String", # Required. The grant type. Must be `urn:ietf:params:oauth:grant-type:token-exchange`, which indicates a token exchange.
	"options": "A String", # A set of features that Security Token Service supports, in addition to the standard OAuth 2.0 token exchange, formatted as a serialized JSON object of Options.
	"requestedTokenType": "A String", # Required. The type of security token. Must be `urn:ietf:params:oauth:token-type:access_token`, which indicates an OAuth 2.0 access token.
	"scope": "A String", # The OAuth 2.0 scopes to include on the resulting access token, formatted as a list of space-delimited, case-sensitive strings. Required when exchanging an external credential for a Google access token.
	"subjectToken": "A String", # Required. The input token. This token is either an external credential issued by a workload identity pool provider, or a short-lived access token issued by Google. If the token is an OIDC JWT, it must use the JWT format defined in [RFC 7523](https://tools.ietf.org/html/rfc7523), and the `subject_token_type` must be either `urn:ietf:params:oauth:token-type:jwt` or `urn:ietf:params:oauth:token-type:id_token`. The following headers are required: - `kid`: The identifier of the signing key securing the JWT. - `alg`: The cryptographic algorithm securing the JWT. Must be `RS256` or `ES256`. The following payload fields are required. For more information, see [RFC 7523, Section 3](https://tools.ietf.org/html/rfc7523#section-3): - `iss`: The issuer of the token. The issuer must provide a discovery document at the URL `/.well-known/openid-configuration`, where `` is the value of this field. The document must be formatted according to section 4.2 of the [OIDC 1.0 Discovery specification](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse). - `iat`: The issue time, in seconds, since the Unix epoch. Must be in the past. - `exp`: The expiration time, in seconds, since the Unix epoch. Must be less than 48 hours after `iat`. Shorter expiration times are more secure. If possible, we recommend setting an expiration time less than 6 hours. - `sub`: The identity asserted in the JWT. - `aud`: For workload identity pools, this must be a value specified in the allowed audiences for the workload identity pool provider, or one of the audiences allowed by default if no audiences were specified. See https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools.providers#oidc Example header: ``` { "alg": "RS256", "kid": "us-east-11" } ``` Example payload: ``` { "iss": "https://accounts.google.com", "iat": 1517963104, "exp": 1517966704, "aud": "//iam.googleapis.com/projects/1234567890123/locations/global/workloadIdentityPools/my-pool/providers/my-provider", "sub": "113475438248934895348", "my_claims": { "additional_claim": "value" } } ``` If `subject_token` is for AWS, it must be a serialized `GetCallerIdentity` token. This token contains the same information as a request to the AWS [`GetCallerIdentity()`](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity) method, as well as the AWS [signature](https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html) for the request information. Use Signature Version 4. Format the request as URL-encoded JSON, and set the `subject_token_type` parameter to `urn:ietf:params:aws:token-type:aws4_request`. The following parameters are required: - `url`: The URL of the AWS STS endpoint for `GetCallerIdentity()`, such as `https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15`. Regional endpoints are also supported. - `method`: The HTTP request method: `POST`. - `headers`: The HTTP request headers, which must include: - `Authorization`: The request signature. - `x-amz-date`: The time you will send the request, formatted as an [ISO8601 Basic](https://docs.aws.amazon.com/general/latest/gr/sigv4_elements.html#sigv4_elements_date) string. This value is typically set to the current time and is used to help prevent replay attacks. - `host`: The hostname of the `url` field; for example, `sts.amazonaws.com`. - `x-goog-cloud-target-resource`: The full, canonical resource name of the workload identity pool provider, with or without an `https:` prefix. To help ensure data integrity, we recommend including this header in the `SignedHeaders` field of the signed request. For example: //iam.googleapis.com/projects//locations/global/workloadIdentityPools//providers/ https://iam.googleapis.com/projects//locations/global/workloadIdentityPools//providers/ If you are using temporary security credentials provided by AWS, you must also include the header `x-amz-security-token`, with the value set to the session token. The following example shows a `GetCallerIdentity` token: ``` { "headers": [ {"key": "x-amz-date", "value": "20200815T015049Z"}, {"key": "Authorization", "value": "AWS4-HMAC-SHA256+Credential=$credential,+SignedHeaders=host;x-amz-date;x-goog-cloud-target-resource,+Signature=$signature"}, {"key": "x-goog-cloud-target-resource", "value": "//iam.googleapis.com/projects//locations/global/workloadIdentityPools//providers/"}, {"key": "host", "value": "sts.amazonaws.com"} . ], "method": "POST", "url": "https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15" } ``` You can also use a Google-issued OAuth 2.0 access token with this field to obtain an access token with new security attributes applied, such as a Credential Access Boundary. In this case, set `subject_token_type` to `urn:ietf:params:oauth:token-type:access_token`. If an access token already contains security attributes, you cannot apply additional security attributes.
	"subjectTokenType": "A String", # Required. An identifier that indicates the type of the security token in the `subject_token` parameter. Supported values are `urn:ietf:params:oauth:token-type:jwt`, `urn:ietf:params:oauth:token-type:id_token`, `urn:ietf:params:aws:token-type:aws4_request`, and `urn:ietf:params:oauth:token-type:access_token`.
	}

	x__xgafv: string, V1 error format.
	Allowed values
	1 - v1 error format
	2 - v2 error format

	Returns:
	An object of the form:

	{ # Response message for ExchangeToken.
	"access_token": "A String", # An OAuth 2.0 security token, issued by Google, in response to the token exchange request. Tokens can vary in size, depending in part on the size of mapped claims, up to a maximum of 12288 bytes (12 KB). Google reserves the right to change the token size and the maximum length at any time.
	"expires_in": 42, # The amount of time, in seconds, between the time when the access token was issued and the time when the access token will expire. This field is absent when the `subject_token` in the request is a Google-issued, short-lived access token. In this case, the access token has the same expiration time as the `subject_token`.
	"issued_token_type": "A String", # The token type. Always matches the value of `requested_token_type` from the request.
	"token_type": "A String", # The type of access token. Always has the value `Bearer`.
	}</pre>
	</div>

	</body></html>