subjectToken property

String? subjectToken
getter/setter pair

Input token.

The subject_token can be a third-party credential issued by a WorkloadPoolProvider, or a short-lived access token issued by Google.

If subject_token is an OIDC JWT, it must be in JWT format as defined in RFC 7523, and the subject_token_type parameter must be 'urn:ietf:params:oauth:token-type:jwt'.

Mandatory header fields:

- kid: identifier of the signing key used to secure the JWT.
- alg: the cryptographic algorithm used to secure the JWT. Supported value: "RS256".

Mandatory payload fields (along the lines of RFC 7523, section 3):

- iss: issuer of the token. Must serve a discovery document at $iss/.well-known/openid-configuration, formatted according to section 4.2 of the OpenID Connect Discovery 1.0 specification.
- iat: issue time in seconds since epoch. Must be in the past.
- exp: expiration time in seconds since epoch. Must be less than 48 hours after iat. We recommend creating tokens that live for less than 6 hours unless business reasons mandate longer lifetimes: a token an attacker has exfiltrated is usable only until it expires, so a shorter lifetime limits the damage.
- sub: JWT subject, the identity asserted in the JWT.
- aud: configured in the mapper policy. By default the service account unique ID.

Example header:

    { "alg": "RS256", "kid": "us-east-11" }

Example payload:

    {
      "iss": "https://accounts.google.com",
      "iat": 1517963104,
      "exp": 1517966704,
      "aud": "113475438248934895348",
      "sub": "113475438248934895348",
      "my_claims": { "additional_claim": "value" }
    }

If subject_token is a Google short-lived access token, it can be an opaque OAuth 2.0 access token or a JWT signed by a Google service account key. Set subject_token_type to 'urn:ietf:params:oauth:token-type:access_token' or 'urn:ietf:params:oauth:token-type:jwt' accordingly.

Required.
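The header and payload rules above, as an added example that is not code from this page or from the googleapis package: a Python pre-flight check that decodes a candidate subject_token, reports every violation of the listed constraints (kid and RS256 in the header; iss, iat, exp, sub and aud in the payload; exp less than 48 hours after iat, with the 6-hour recommendation reported as a warning), and picks the matching subject_token_type. The token produced by build_unsigned_jwt carries a placeholder signature and is constructed sample data; RS256 signature verification is left to the STS endpoint and is not performed here. All function and constant names are this example's own.

```python
import base64
import json
import time
from typing import List, Optional

# Constraints on an OIDC JWT subject_token, as listed on this page.
MAX_LIFETIME_SECONDS = 48 * 3600          # exp must be less than 48 hours after iat
RECOMMENDED_LIFETIME_SECONDS = 6 * 3600   # shorter tokens limit the value of an exfiltrated token
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; re-add padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_unsigned_jwt(header: dict, payload: dict) -> str:
    # Constructed sample token for offline use: the third segment is a placeholder,
    # so this exercises the claim checks only, not RS256 signature verification.
    head = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{head}.{body}.{_b64url_encode(b'placeholder-signature')}"


def check_subject_jwt(token: str, expected_aud: str, now: Optional[int] = None) -> List[str]:
    """Return the violations of the page's header/payload rules (empty list = OK).

    Entries prefixed "warning:" are recommendations, not hard failures.
    Signature verification is deliberately out of scope: the STS endpoint checks
    it against the issuer's published keys; this runs client-side before the exchange.
    """
    now = int(time.time()) if now is None else now
    problems: List[str] = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-segment JWS compact serialization"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers bad base64 and JSONDecodeError
        return ["header or payload is not valid base64url-encoded JSON"]

    # Mandatory header fields
    if not header.get("kid"):
        problems.append("header: missing kid")
    if header.get("alg") != "RS256":
        problems.append(f"header: alg must be RS256, got {header.get('alg')!r}")

    # Mandatory payload fields
    for claim in ("iss", "iat", "exp", "sub", "aud"):
        if claim not in payload:
            problems.append(f"payload: missing {claim}")
    if problems:
        return problems

    iss = payload["iss"]
    if not isinstance(iss, str) or not iss.startswith("https://"):
        problems.append("payload: iss must be an https URL serving /.well-known/openid-configuration")
    iat, exp = payload["iat"], payload["exp"]
    if not (isinstance(iat, int) and isinstance(exp, int)):
        problems.append("payload: iat and exp must be integer seconds since epoch")
    else:
        if iat > now:
            problems.append("payload: iat is in the future")
        if exp <= iat:
            problems.append("payload: exp must be after iat")
        elif exp - iat >= MAX_LIFETIME_SECONDS:
            problems.append("payload: exp must be less than 48 hours after iat")
        elif exp - iat > RECOMMENDED_LIFETIME_SECONDS:
            problems.append("warning: lifetime exceeds the recommended 6 hours")
        if exp <= now:
            problems.append("payload: token already expired")
    if payload["aud"] != expected_aud:
        problems.append(f"payload: aud {payload['aud']!r} does not match the configured audience")
    return problems


def subject_token_type_for(token: str) -> str:
    """Pick subject_token_type: JWT if the token parses as a JWS, else opaque access token."""
    parts = token.split(".")
    if len(parts) == 3:
        try:
            json.loads(_b64url_decode(parts[0]))
            return JWT_TOKEN_TYPE
        except ValueError:
            pass
    return ACCESS_TOKEN_TYPE


if __name__ == "__main__":
    # Header and payload from the page's example; now is fixed so the check is reproducible.
    sample = build_unsigned_jwt(
        {"alg": "RS256", "kid": "us-east-11"},
        {"iss": "https://accounts.google.com", "iat": 1517963104, "exp": 1517966704,
         "aud": "113475438248934895348", "sub": "113475438248934895348"},
    )
    print(subject_token_type_for(sample), check_subject_jwt(sample, "113475438248934895348", now=1517963200))
```

Run the check against `now` supplied by the caller in tests so the "iat in the past" and "already expired" rules are deterministic; in production leave `now` unset.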

Implementation

core.String? subjectToken;