subjectToken property
Input token.
The subject_token can be a third-party credential that is issued by a WorkloadPoolProvider or a short-lived access token that is issued by Google.

If subject_token is an OIDC JWT, it must be in JWT format as defined in RFC 7523. The subject_token_type parameter must be 'urn:ietf:params:oauth:token-type:jwt'.

Mandatory header fields:
- kid: Identifier of the signing key used to secure the JWT.
- alg: The cryptographic algorithm used to secure the JWT. Supported value: "RS256".

Mandatory payload fields (along the lines of RFC 7523, section 3):
- iss: Issuer of the token. Must provide a discovery document at $iss/.well-known/openid-configuration. The document needs to be formatted according to section 4.2 of the OpenID Connect Discovery 1.0 specification.
- iat: Issue time in seconds since epoch. Must be in the past.
- exp: Expiration time in seconds since epoch. Must be less than 48 hours after iat. We recommend creating tokens that last shorter than 6 hours to improve security unless business reasons mandate longer expiration times. Shorter token lifetimes are generally more secure since tokens that have been exfiltrated by attackers can be used for a shorter time.
- sub: JWT subject, the identity asserted in the JWT.
- aud: Configured in the mapper policy. By default the service account unique ID.

Example header:
{ "alg": "RS256", "kid": "us-east-11" }

Example payload:
{
  "iss": "https://accounts.google.com",
  "iat": 1517963104,
  "exp": 1517966704,
  "aud": "113475438248934895348",
  "sub": "113475438248934895348",
  "my_claims": { "additional_claim": "value" }
}

If subject_token is a Google short-lived access token, it can be an opaque OAuth 2.0 access token or a JWT signed by a Google service account key. The subject_token_type should be set to 'urn:ietf:params:oauth:token-type:access_token' or 'urn:ietf:params:oauth:token-type:jwt' accordingly.
Required.
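As an added example (not code from the googleapis package or from Google), the following Python pre-check decodes a subject_token JWT and reports which of the header and payload rules above it breaks, so a caller can reject a token locally before sending it to the STS exchange. It assumes an unsigned test token assembled locally with a placeholder signature; signature verification against the issuer's published key is out of scope.

```python
import base64
import json

SUPPORTED_ALG = "RS256"
MAX_LIFETIME_S = 48 * 3600         # hard limit: exp must be less than 48h after iat
RECOMMENDED_LIFETIME_S = 6 * 3600  # advisory limit given in the docs

def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def check_subject_jwt(token, now):
    """Return documented-rule violations for an OIDC subject_token (empty = ok).
    The RS256 signature is not verified here; that needs the issuer's public key."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["error: token is not a three-segment JWT"]
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    out = []
    if "kid" not in header:
        out.append("error: header lacks kid")
    if header.get("alg") != SUPPORTED_ALG:
        out.append("error: alg must be " + SUPPORTED_ALG)
    missing = [c for c in ("iss", "iat", "exp", "sub", "aud") if c not in payload]
    if missing:
        return out + ["error: payload lacks " + ", ".join(missing)]
    iat, exp = payload["iat"], payload["exp"]
    if iat > now:
        out.append("error: iat is in the future")
    if exp - iat >= MAX_LIFETIME_S:
        out.append("error: exp must be less than 48 hours after iat")
    elif exp - iat > RECOMMENDED_LIFETIME_S:
        out.append("warning: lifetime exceeds the recommended 6 hours")
    if exp <= now:
        out.append("error: token has expired")
    return out

def build_unsigned_example(header, payload):
    # header.payload.<placeholder>: constructed for offline testing, no real signature
    return ".".join([_b64url_encode(header), _b64url_encode(payload), "SIGNATURE_PLACEHOLDER"])

# Constructed sample: the header and payload shown in the docs (1 hour lifetime).
EXAMPLE_HEADER = {"alg": "RS256", "kid": "us-east-11"}
EXAMPLE_PAYLOAD = {"iss": "https://accounts.google.com", "iat": 1517963104, "exp": 1517966704, "aud": "113475438248934895348",
                   "sub": "113475438248934895348", "my_claims": {"additional_claim": "value"}}
EXAMPLE_TOKEN = build_unsigned_example(EXAMPLE_HEADER, EXAMPLE_PAYLOAD)
```

Calling check_subject_jwt(EXAMPLE_TOKEN, now=1517963200) returns an empty list; a token with a 49 hour lifetime or a non-RS256 alg comes back with the corresponding error strings.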
Implementation
core.String? subjectToken;