Method: token

string

Required. The input token.

This token is either an external credential issued by a workload identity pool provider, or a short-lived access token issued by Google.

If the token is an OIDC JWT, it must use the JWT format defined in RFC 7523 , and the subjectTokenType must be either urn:ietf:params:oauth:token-type:jwt or urn:ietf:params:oauth:token-type:idToken .

The following headers are required:

• kid : The identifier of the signing key securing the JWT.
• alg : The cryptographic algorithm securing the JWT. Must be RS256 or ES256 .

The following payload fields are required. For more information, see RFC 7523, Section 3 :

• iss : The issuer of the token. The issuer must provide a discovery document at the URL <iss>/.well-known/openid-configuration , where <iss> is the value of this field. The document must be formatted according to section 4.2 of the OIDC 1.0 Discovery specification .
• iat : The issue time, in seconds, since the Unix epoch. Must be in the past.
• exp : The expiration time, in seconds, since the Unix epoch. Must be less than 48 hours after iat . Shorter expiration times are more secure. If possible, we recommend setting an expiration time less than 6 hours.
• sub : The identity asserted in the JWT.
• aud : For workload identity pools, this must be a value specified in the allowed audiences for the workload identity pool provider, or one of the audiences allowed by default if no audiences were specified. See https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools.providers#oidc . For workforce pools, this must match the client ID specified in the provider configuration. See https://cloud.google.com/iam/docs/reference/rest/v1/locations.workforcePools.providers#oidc .

Example header:

{ "alg": "RS256", "kid": "us-east-11" }

Example payload:

{ "iss": "https://accounts.google.com", "iat": 1517963104, "exp": 1517966704, "aud": "//iam.googleapis.com/projects/1234567890123/locations/global/workloadIdentityPools/my-pool/providers/my-provider", "sub": "113475438248934895348", "my_claims": { "additional_claim": "value" } }

If subjectToken is for AWS, it must be a serialized GetCallerIdentity token. This token contains the same information as a request to the AWS GetCallerIdentity() method, as well as the AWS signature for the request information. Use Signature Version 4. Format the request as URL-encoded JSON, and set the subjectTokenType parameter to urn:ietf:params:aws:token-type:aws4_request .

The following parameters are required:

• url : The URL of the AWS STS endpoint for GetCallerIdentity() , such as https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15 . Regional endpoints are also supported.
• method : The HTTP request method: POST .
• headers : The HTTP request headers, which must include:
  • Authorization : The request signature.
  • x-amz-date : The time you will send the request, formatted as an ISO8601 Basic string. This value is typically set to the current time and is used to help prevent replay attacks.
  • host : The hostname of the url field; for example, sts.amazonaws.com .
  • x-goog-cloud-target-resource : The full, canonical resource name of the workload identity pool provider, with or without an https: prefix. To help ensure data integrity, we recommend including this header in the SignedHeaders field of the signed request. For example:

 //iam.googleapis.com/projects/<project-number>/locations/global/workloadIdentityPools/<pool-id>/providers/<provider-id>
   https://iam.googleapis.com/projects/<project-number>/locations/global/workloadIdentityPools/<pool-id>/providers/<provider-id> 

If you are using temporary security credentials provided by AWS, you must also include the header x-amz-security-token , with the value set to the session token.

The following example shows a GetCallerIdentity token:

{ "headers": [ {"key": "x-amz-date", "value": "20200815T015049Z"}, {"key": "Authorization", "value": "AWS4-HMAC-SHA256+Credential=$credential,+SignedHeaders=host;x-amz-date;x-goog-cloud-target-resource,+Signature=$signature"}, {"key": "x-goog-cloud-target-resource", "value": "//iam.googleapis.com/projects/<project-number>/locations/global/workloadIdentityPools/<pool-id>/providers/<provider-id>"}, {"key": "host", "value": "sts.amazonaws.com"} . ], "method": "POST", "url": "https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15" }

If the token is a SAML 2.0 assertion, it must use the format defined in the SAML 2.0 spec , and the subjectTokenType must be urn:ietf:params:oauth:token-type:saml2 . See Verification of external credentials for details on how SAML 2.0 assertions are validated during token exchanges.

You can also use a Google-issued OAuth 2.0 access token with this field to obtain an access token with new security attributes applied, such as a Credential Access Boundary. In this case, set subjectTokenType to urn:ietf:params:oauth:token-type:access_token .

If an access token already contains security attributes, you cannot apply additional security attributes.