
Commit 91a00fc

committed
add more comments
1 parent 53cf763 commit 91a00fc


1 file changed

+12
-5
lines changed

1 file changed

+12
-5
lines changed

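--- a/google/externalaccount/basecredentials.go
+++ b/google/externalaccount/basecredentials.go
@@ -187,7 +187,7 @@ func validateWorkforceAudience(input string) bool {
 return validWorkforceAudiencePattern.MatchString(input)
 }
 
-// NewTokenSource Returns an external account TokenSource.
+// NewTokenSource Returns an external account TokenSource using the provided external account config.
 func NewTokenSource(ctx context.Context, conf Config) (oauth2.TokenSource, error) {
 if conf.Audience == "" {
 return nil, fmt.Errorf("oauth2/google: Audience must be set")
@@ -253,14 +253,17 @@ const (
 
 // Format contains information needed to retireve a subject token for URL or File sourced credentials.
 type Format struct {
-// Type is either "text" or "json". When not provided "text" type is assumed.
+// Type should be either "text" or "json". This determines whether the file or URL sourced credentials
+// expect a simple text subject token or if the subject token will be contained in a JSON object.
+// When not provided "text" type is assumed.
 Type string `json:"type"`
-// SubjectTokenFieldName is only required for JSON format. This would be "access_token" for azure.
+// SubjectTokenFieldName is only required for JSON format. This is the field name that the credentials will check
+// for the subject token in the file or URL response. This would be "access_token" for azure.
 SubjectTokenFieldName string `json:"subject_token_field_name"`
 }
 
 // CredentialSource stores the information necessary to retrieve the credentials for the STS exchange.
-// One field amongst File, URL, Executable should be filled, depending on the kind of credential in question.
+// One field amongst File, URL, Executable, or EnvironmentID should be provided, depending on the kind of credential in question.
 // The EnvironmentID should start with AWS if being used for an AWS credential.
 type CredentialSource struct {
 // File is the location for file sourced credentials.
@@ -301,7 +304,9 @@ type ExecutableConfig struct {
 
 // SubjectTokenSupplier can be used to supply a subject token to exchange for a GCP access token.
 type SubjectTokenSupplier interface {
-// AwsRegion should return a valid subject token or an error.
+// SubjectToken should return a valid subject token or an error.
+// The external account token source does not cache the returned subject token, so caching
+// logic should be implemented in the supplier to prevent multiple requests for the same subject token.
 SubjectToken(ctx context.Context, options SupplierOptions) (string, error)
 }
 
@@ -311,6 +316,8 @@ type AwsSecurityCredentialsSupplier interface {
 // AwsRegion should return the AWS region or an error.
 AwsRegion(ctx context.Context, options SupplierOptions) (string, error)
 // GetAwsSecurityCredentials should return a valid set of AwsSecurityCredentials or an error.
+// The external account token source does not cache the returned security credentials, so caching
+// logic should be implemented in the supplier to prevent multiple requests for the same security credentials.
 AwsSecurityCredentials(ctx context.Context, options SupplierOptions) (*AwsSecurityCredentials, error)
 }
 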
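Review bot: The doc comment on the AwsSecurityCredentials method in the last hunk still calls it GetAwsSecurityCredentials, which neither matches the method name nor follows the Go convention that a doc comment starts with the name it documents — the same mismatch this commit fixes for SubjectToken in the SubjectTokenSupplier hunk. Suggest `// AwsSecurityCredentials should return a valid set of AwsSecurityCredentials or an error.` on that line. Since the new comments tell supplier authors to implement their own caching of subject tokens and AWS security credentials, it would help to add that any cache must be keyed on the SupplierOptions and invalidated on expiry of the credential, so a cached token or credential set is not reused past its lifetime; I cannot see the AwsSecurityCredentials type from this hunk, so whether it carries an expiry field is something to confirm. Separately, the unchanged comment above `type Format struct` in the second hunk misspells "retrieve" as "retireve".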
