Package downscope implements the ability to downscope, or restrict, the
Identity and Access Management permissions that a short-lived Token
can use. Please note that only Google Cloud Storage supports this feature.
For complete documentation, seehttps://cloud.google.com/iam/docs/downscoping-short-lived-credentials
To downscope permissions of a source credential, you need to define
a Credential Access Boundary. Said Boundary specifies which resources
the newly created credential can access, an upper bound on the permissions
it has over those resources, and optionally attribute-based conditional
access to the aforementioned resources. For more information on IAM
Conditions, seehttps://cloud.google.com/iam/docs/conditions-overview.
This functionality can be used to provide a third party with
limited access to and permissions on resources held by the owner of the root
credential or internally in conjunction with the principle of least privilege
to ensure that internal services only hold the minimum necessary privileges
for their function.
For example, a token broker can be set up on a server in a private network.
Various workloads (token consumers) in the same network will send
authenticated requests to that broker for downscoped tokens to access or
modify specific google cloud storage buckets. See the NewCredentials example
for an example of how a token broker would use this package.
The broker will use the functionality in this package to generate a
downscoped token with the requested configuration, and then pass it back to
the token consumer. These downscoped access tokens can then be used to access
Google Cloud resources.
NewCredentials returns a [cloud.google.com/go/auth.Credentials] that is
more restrictive than [Options.Credentials] provided. The new credentials
will delegate to the base credentials for all non-token activity.
Example
packagemainimport("context""fmt""cloud.google.com/go/auth/credentials""cloud.google.com/go/auth/credentials/downscope")funcmain(){// This shows how to generate a downscoped token. This code would be run on// the token broker, which holds the root token used to generate the// downscoped token.ctx:=context.Background()// Initializes an accessBoundary with one Rule which restricts the// downscoped token to only be able to access the bucket "foo" and only// grants it the permission "storage.objectViewer".accessBoundary:=[]downscope.AccessBoundaryRule{{AvailableResource:"//storage.googleapis.com/projects/_/buckets/foo",AvailablePermissions:[]string{"inRole:roles/storage.objectViewer"},},}// This Source can be initialized in multiple ways; the following example uses// Application Default Credentials.baseProvider,err:=credentials.DetectDefault(&credentials.DetectOptions{Scopes:[]string{"https://www.googleapis.com/auth/cloud-platform"},})creds,err:=downscope.NewCredentials(&downscope.Options{Credentials:baseProvider,Rules:accessBoundary})iferr!=nil{fmt.Printf("failed to generate downscoped token provider: %v",err)return}tok,err:=creds.Token(ctx)iferr!=nil{fmt.Printf("failed to generate token: %v",err)return}_=tok// You can now pass tok to a token consumer however you wish, such as exposing// a REST API and sending it over HTTP.// You can instead use the token held in tp to make// Google Cloud Storage calls, as follows:// storageClient, err := storage.NewClient(ctx, option.WithTokenProvider(tp))}
AccessBoundaryRule
typeAccessBoundaryRulestruct{// AvailableResource is the full resource name of the Cloud Storage bucket// that the rule applies to. Use the format// //storage.googleapis.com/projects/_/buckets/bucket-name.AvailableResourcestring`json:"availableResource"`// AvailablePermissions is a list that defines the upper bound on the available permissions// for the resource. Each value is the identifier for an IAM predefined role or custom role,// with the prefix inRole:. For example: inRole:roles/storage.objectViewer.// Only the permissions in these roles will be available.AvailablePermissions[]string`json:"availablePermissions"`// An Condition restricts the availability of permissions// to specific Cloud Storage objects. Optional.//// A Condition can be used to make permissions available for specific objects,// rather than all objects in a Cloud Storage bucket.Condition*AvailabilityCondition`json:"availabilityCondition,omitempty"`}
An AccessBoundaryRule Sets the permissions (and optionally conditions) that
the new token has on given resource.
AvailabilityCondition
typeAvailabilityConditionstruct{// An Expression specifies the Cloud Storage objects where// permissions are available. For further documentation, see// https://cloud.google.com/iam/docs/conditions-overview. Required.Expressionstring`json:"expression"`// Title is short string that identifies the purpose of the condition. Optional.Titlestring`json:"title,omitempty"`// Description details about the purpose of the condition. Optional.Descriptionstring`json:"description,omitempty"`}
An AvailabilityCondition restricts access to a given Resource.
Options
typeOptionsstruct{// Credentials is the [cloud.google.com/go/auth.Credentials] used to// create the downscoped credentials. Required.Credentials*auth.Credentials// Rules defines the accesses held by the new downscoped credentials. One or// more AccessBoundaryRules are required to define permissions for the new// downscoped credentials. Each one defines an access (or set of accesses)//that the new credentials has to a given resource. There can be a maximum// of 10 AccessBoundaryRules. Required.Rules[]AccessBoundaryRule// Client configures the underlying client used to make network requests// when fetching tokens. Optional.Client*http.Client// UniverseDomain is the default service domain for a given Cloud universe.// The default value is "googleapis.com". Optional.UniverseDomainstring// Logger is used for debug logging. If provided, logging will be enabled// at the loggers configured level. By default logging is disabled unless// enabled by setting GOOGLE_SDK_GO_LOGGING_LEVEL in which case a default// logger will be used. Optional.Logger*slog.Logger}
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-05 UTC."],[[["\u003cp\u003eThe \u003ccode\u003edownscope\u003c/code\u003e package allows for restricting the Identity and Access Management (IAM) permissions of a short-lived token, a feature supported by Google Cloud Storage.\u003c/p\u003e\n"],["\u003cp\u003eIt implements the ability to create downscoped credentials with limited access to specific resources, defined by a Credential Access Boundary with rules and optional conditions.\u003c/p\u003e\n"],["\u003cp\u003e\u003ccode\u003eNewCredentials\u003c/code\u003e function creates credentials that are more restrictive than the base credentials, delegating non-token activities to the base credentials.\u003c/p\u003e\n"],["\u003cp\u003e\u003ccode\u003eAccessBoundaryRule\u003c/code\u003e sets permissions and optional conditions for the new token on a specified resource, such as a Cloud Storage bucket, specifying resource and the available permissions for it.\u003c/p\u003e\n"],["\u003cp\u003e\u003ccode\u003eAvailabilityCondition\u003c/code\u003e type allows to restrict the availability of the permissions to specific Cloud Storage objects, based on expressions.\u003c/p\u003e\n"]]],[],null,["# Package cloud.google.com/go/auth/credentials/downscope (v0.16.0)\n\nVersion latestkeyboard_arrow_down\n\n- [0.16.0 (latest)](/go/docs/reference/cloud.google.com/go/auth/latest/credentials/downscope)\n- [0.15.0](/go/docs/reference/cloud.google.com/go/auth/0.15.0/credentials/downscope)\n- [0.14.1](/go/docs/reference/cloud.google.com/go/auth/0.14.1/credentials/downscope)\n- [0.13.0](/go/docs/reference/cloud.google.com/go/auth/0.13.0/credentials/downscope)\n- [0.12.1](/go/docs/reference/cloud.google.com/go/auth/0.12.1/credentials/downscope)\n- [0.11.0](/go/docs/reference/cloud.google.com/go/auth/0.11.0/credentials/downscope)\n- [0.10.2](/go/docs/reference/cloud.google.com/go/auth/0.10.2/credentials/downscope)\n- [0.9.9](/go/docs/reference/cloud.google.com/go/auth/0.9.9/credentials/downscope)\n- [0.8.1](/go/docs/reference/cloud.google.com/go/auth/0.8.1/credentials/downscope)\n- [0.7.3](/go/docs/reference/cloud.google.com/go/auth/0.7.3/credentials/downscope)\n- [0.6.1](/go/docs/reference/cloud.google.com/go/auth/0.6.1/credentials/downscope)\n- [0.5.2](/go/docs/reference/cloud.google.com/go/auth/0.5.2/credentials/downscope)\n- [0.4.2](/go/docs/reference/cloud.google.com/go/auth/0.4.2/credentials/downscope)\n- [0.3.0](/go/docs/reference/cloud.google.com/go/auth/0.3.0/credentials/downscope)\n- [0.2.2](/go/docs/reference/cloud.google.com/go/auth/0.2.2/credentials/downscope)\n- [0.1.1](/go/docs/reference/cloud.google.com/go/auth/0.1.1/credentials/downscope) \n**Note:** To get more information about this package, such as access to older versions, view [this package on pkg.go.dev](https://pkg.go.dev/cloud.google.com/go/auth/credentials/downscope). \n\u003cbr /\u003e\n\nPackage downscope implements the ability to downscope, or restrict, the\nIdentity and Access Management permissions that a short-lived Token\ncan use. Please note that only Google Cloud Storage supports this feature.\nFor complete documentation, see \u003chttps://cloud.google.com/iam/docs/downscoping-short-lived-credentials\u003e\n\nTo downscope permissions of a source credential, you need to define\na Credential Access Boundary. Said Boundary specifies which resources\nthe newly created credential can access, an upper bound on the permissions\nit has over those resources, and optionally attribute-based conditional\naccess to the aforementioned resources. For more information on IAM\nConditions, see \u003chttps://cloud.google.com/iam/docs/conditions-overview\u003e.\n\nThis functionality can be used to provide a third party with\nlimited access to and permissions on resources held by the owner of the root\ncredential or internally in conjunction with the principle of least privilege\nto ensure that internal services only hold the minimum necessary privileges\nfor their function.\n\nFor example, a token broker can be set up on a server in a private network.\nVarious workloads (token consumers) in the same network will send\nauthenticated requests to that broker for downscoped tokens to access or\nmodify specific google cloud storage buckets. See the NewCredentials example\nfor an example of how a token broker would use this package.\n\nThe broker will use the functionality in this package to generate a\ndownscoped token with the requested configuration, and then pass it back to\nthe token consumer. These downscoped access tokens can then be used to access\nGoogle Cloud resources. \n\nFunctions\n---------\n\n### func NewCredentials\n\n func NewCredentials(opts *#cloud_google_com_go_auth_credentials_downscope_Options) (*/go/docs/reference/cloud.google.com/go/auth/latest./go/docs/reference/cloud.google.com/go/auth/latest#cloud_google_com_go_auth_Credentials, https://pkg.go.dev/builtin#error)\n\nNewCredentials returns a \\[cloud.google.com/go/auth.Credentials\\] that is\nmore restrictive than \\[Options.Credentials\\] provided. The new credentials\nwill delegate to the base credentials for all non-token activity. \n\n#### Example\n\n package main\n\n import (\n \t\"context\"\n \t\"fmt\"\n\n \t\"cloud.google.com/go/auth/credentials\"\n \t\"cloud.google.com/go/auth/credentials/downscope\"\n )\n\n func main() {\n \t// This shows how to generate a downscoped token. This code would be run on\n \t// the token broker, which holds the root token used to generate the\n \t// downscoped token.\n \tctx := context.Background()\n\n \t// Initializes an accessBoundary with one Rule which restricts the\n \t// downscoped token to only be able to access the bucket \"foo\" and only\n \t// grants it the permission \"storage.objectViewer\".\n \taccessBoundary := []downscope.AccessBoundaryRule{\n \t\t{\n \t\t\tAvailableResource: \"//storage.googleapis.com/projects/_/buckets/foo\",\n \t\t\tAvailablePermissions: []string{\"inRole:roles/storage.objectViewer\"},\n \t\t},\n \t}\n\n \t// This Source can be initialized in multiple ways; the following example uses\n \t// Application Default Credentials.\n \tbaseProvider, err := credentials.https://cloud.google.com/go/docs/reference/cloud.google.com/go/auth/latest/credentials.html#cloud_google_com_go_auth_credentials_DetectDefault(&credentials.https://cloud.google.com/go/docs/reference/cloud.google.com/go/auth/latest/credentials.html#cloud_google_com_go_auth_credentials_DetectOptions{\n \t\tScopes: []string{\"https://www.googleapis.com/auth/cloud-platform\"},\n \t})\n \tcreds, err := downscope.https://cloud.google.com/go/docs/reference/cloud.google.com/go/auth/latest/credentials/downscope.html#cloud_google_com_go_auth_credentials_downscope_NewCredentials(&downscope.Options{Credentials: baseProvider, Rules: accessBoundary})\n \tif err != nil {\n \t\tfmt.Printf(\"failed to generate downscoped token provider: %v\", err)\n \t\treturn\n \t}\n\n \ttok, err := creds.Token(ctx)\n \tif err != nil {\n \t\tfmt.Printf(\"failed to generate token: %v\", err)\n \t\treturn\n \t}\n \t_ = tok\n \t// You can now pass tok to a token consumer however you wish, such as exposing\n \t// a REST API and sending it over HTTP.\n\n \t// You can instead use the token held in tp to make\n \t// Google Cloud Storage calls, as follows:\n \t// storageClient, err := storage.NewClient(ctx, option.WithTokenProvider(tp))\n }\n\nAccessBoundaryRule\n------------------\n\n type AccessBoundaryRule struct {\n \t// AvailableResource is the full resource name of the Cloud Storage bucket\n \t// that the rule applies to. Use the format\n \t// //storage.googleapis.com/projects/_/buckets/bucket-name.\n \tAvailableResource https://pkg.go.dev/builtin#string `json:\"availableResource\"`\n \t// AvailablePermissions is a list that defines the upper bound on the available permissions\n \t// for the resource. Each value is the identifier for an IAM predefined role or custom role,\n \t// with the prefix inRole:. For example: inRole:roles/storage.objectViewer.\n \t// Only the permissions in these roles will be available.\n \tAvailablePermissions []https://pkg.go.dev/builtin#string `json:\"availablePermissions\"`\n \t// An Condition restricts the availability of permissions\n \t// to specific Cloud Storage objects. Optional.\n \t//\n \t// A Condition can be used to make permissions available for specific objects,\n \t// rather than all objects in a Cloud Storage bucket.\n \tCondition *#cloud_google_com_go_auth_credentials_downscope_AvailabilityCondition `json:\"availabilityCondition,omitempty\"`\n }\n\nAn AccessBoundaryRule Sets the permissions (and optionally conditions) that\nthe new token has on given resource. \n\nAvailabilityCondition\n---------------------\n\n type AvailabilityCondition struct {\n \t// An Expression specifies the Cloud Storage objects where\n \t// permissions are available. For further documentation, see\n \t// https://cloud.google.com/iam/docs/conditions-overview. Required.\n \tExpression https://pkg.go.dev/builtin#string `json:\"expression\"`\n \t// Title is short string that identifies the purpose of the condition. Optional.\n \tTitle https://pkg.go.dev/builtin#string `json:\"title,omitempty\"`\n \t// Description details about the purpose of the condition. Optional.\n \tDescription https://pkg.go.dev/builtin#string `json:\"description,omitempty\"`\n }\n\nAn AvailabilityCondition restricts access to a given Resource. \n\nOptions\n-------\n\n type Options struct {\n \t// Credentials is the [cloud.google.com/go/auth.Credentials] used to\n \t// create the downscoped credentials. Required.\n \tCredentials */go/docs/reference/cloud.google.com/go/auth/latest./go/docs/reference/cloud.google.com/go/auth/latest#cloud_google_com_go_auth_Credentials\n \t// Rules defines the accesses held by the new downscoped credentials. One or\n \t// more AccessBoundaryRules are required to define permissions for the new\n \t// downscoped credentials. Each one defines an access (or set of accesses)\n \t//that the new credentials has to a given resource. There can be a maximum\n \t// of 10 AccessBoundaryRules. Required.\n \tRules []#cloud_google_com_go_auth_credentials_downscope_AccessBoundaryRule\n \t// Client configures the underlying client used to make network requests\n \t// when fetching tokens. Optional.\n \tClient *https://pkg.go.dev/net/http.https://pkg.go.dev/net/http#Client\n \t// UniverseDomain is the default service domain for a given Cloud universe.\n \t// The default value is \"googleapis.com\". Optional.\n \tUniverseDomain https://pkg.go.dev/builtin#string\n \t// Logger is used for debug logging. If provided, logging will be enabled\n \t// at the loggers configured level. By default logging is disabled unless\n \t// enabled by setting GOOGLE_SDK_GO_LOGGING_LEVEL in which case a default\n \t// logger will be used. Optional.\n \tLogger *https://pkg.go.dev/log/slog.https://pkg.go.dev/log/slog#Logger\n }\n\nOptions for configuring \\[NewCredentials\\]."]]
