Add support for external_account.

* Also fix a bug for impersonated_service_account * When creds are passed with WithCredentialsFile(), it doesn't work. * Pass the option when creating the token source.
googleapis · Mar 8, 2023 · 76e5c98 · 76e5c98
1 parent 9f18671
commit 76e5c98
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/idtoken/idtoken.go b/idtoken/idtoken.go
@@ -34,6 +34,7 @@ const (
 	unknownCredType credentialsType = iota
 	serviceAccount
 	impersonatedServiceAccount
+	external_account
 )
 
 // NewClient creates a HTTP Client that automatically adds an ID token to each
@@ -139,7 +140,7 @@ func tokenSourceFromBytes(ctx context.Context, data []byte, audience string, ds
 			return nil, err
 		}
 		return oauth2.ReuseTokenSource(tok, ts), nil
-	case impersonatedServiceAccount:
+	case impersonatedServiceAccount, external_account:
 		type url struct {
 			ServiceAccountImpersonationURL string `json:"service_account_impersonation_url"`
 		}
@@ -155,7 +156,7 @@ func tokenSourceFromBytes(ctx context.Context, data []byte, audience string, ds
 			TargetPrincipal: account,
 			IncludeEmail:    true,
 		}
-		ts, err := impersonate.IDTokenSource(ctx, config)
+		ts, err := impersonate.IDTokenSource(ctx, config, option.WithCredentialsJSON(data))
 		if err != nil {
 			return nil, err
 		}
@@ -188,6 +189,8 @@ func parseCredType(typeString string) credentialsType {
 		return serviceAccount
 	case "impersonated_service_account":
 		return impersonatedServiceAccount
+	case "external_account":
+		return external_account
 	default:
 		return unknownCredType
 	}