googleapis · quartzmo · Jan 7, 2025 · Oct 29, 2024 · Oct 30, 2024 · Oct 30, 2024
@@ -44,38 +44,29 @@ func credsFromDefault(creds *auth.Credentials, opts *Options) (*auth.Credentials
 		if err != nil {
 			return nil, err
 		}
-		opts2LO := &auth.Options2LO{
-			Email:        f.ClientEmail,
-			PrivateKey:   []byte(f.PrivateKey),
-			PrivateKeyID: f.PrivateKeyID,
-			TokenURL:     f.TokenURL,
-			UseIDToken:   true,
-			Logger:       internallog.New(opts.Logger),
-		}
-		if opts2LO.TokenURL == "" {
-			opts2LO.TokenURL = jwtTokenURL
-		}
-
-		var customClaims map[string]interface{}
-		if opts != nil {
-			customClaims = opts.CustomClaims
-		}
-		if customClaims == nil {
-			customClaims = make(map[string]interface{})
-		}
-		customClaims["target_audience"] = opts.Audience
-
-		opts2LO.PrivateClaims = customClaims
-		tp, err := auth.New2LOTokenProvider(opts2LO)
-		if err != nil {
-			return nil, err
+		var tp auth.TokenProvider
+		if resolveUniverseDomain(f) == internal.DefaultUniverseDomain {
+			tp, err = new2LOTokenProvider(f, opts)
+			if err != nil {
+				return nil, err
+			}
+		} else {
+			// In case of non-GDU universe domain, use IAM.
+			tp = iamIDTokenProvider{
+				client: opts.client(),
+				// Pass the credentials universe domain to configure the endpoint.
+				universeDomain: auth.CredentialsPropertyFunc(creds.UniverseDomain),
+				signerEmail:    f.ClientEmail,
+				audience:       opts.Audience,
+				logger:         internallog.New(opts.Logger),
+			}
 		}
 		tp = auth.NewCachedTokenProvider(tp, nil)
 		return auth.NewCredentials(&auth.CredentialsOptions{
 			TokenProvider:          tp,
 			JSON:                   b,
-			ProjectIDProvider:      internal.StaticCredentialsProperty(f.ProjectID),
-			UniverseDomainProvider: internal.StaticCredentialsProperty(f.UniverseDomain),
+			ProjectIDProvider:      auth.CredentialsPropertyFunc(creds.ProjectID),
+			UniverseDomainProvider: auth.CredentialsPropertyFunc(creds.UniverseDomain),
 		}), nil
 	case credsfile.ImpersonatedServiceAccountKey, credsfile.ExternalAccountKey:
 		type url struct {
@@ -110,3 +101,39 @@ func credsFromDefault(creds *auth.Credentials, opts *Options) (*auth.Credentials
 		return nil, fmt.Errorf("idtoken: unsupported credentials type: %v", t)
 	}
 }
+
+func new2LOTokenProvider(f *credsfile.ServiceAccountFile, opts *Options) (auth.TokenProvider, error) {
+	opts2LO := &auth.Options2LO{
+		Email:        f.ClientEmail,
+		PrivateKey:   []byte(f.PrivateKey),
+		PrivateKeyID: f.PrivateKeyID,
+		TokenURL:     f.TokenURL,
+		UseIDToken:   true,
+		Logger:       internallog.New(opts.Logger),
+	}
+	if opts2LO.TokenURL == "" {
+		opts2LO.TokenURL = jwtTokenURL
+	}
+
+	var customClaims map[string]interface{}
+	if opts != nil {
+		customClaims = opts.CustomClaims
+	}
+	if customClaims == nil {
+		customClaims = make(map[string]interface{})
+	}
+	customClaims["target_audience"] = opts.Audience
+
+	opts2LO.PrivateClaims = customClaims
+	return auth.New2LOTokenProvider(opts2LO)
+}
+
+// resolveUniverseDomain returns the default service domain for a given
+// Cloud universe. This is the universe domain configured for the credentials,
+// which will be used in endpoint.
+func resolveUniverseDomain(f *credsfile.ServiceAccountFile) string {
+	if f.UniverseDomain != "" {
+		return f.UniverseDomain
+	}
+	return internal.DefaultUniverseDomain
+}
diff --git a/auth/credentials/idtoken/iam.go b/auth/credentials/idtoken/iam.go
@@ -0,0 +1,55 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package idtoken
+
+import (
+	"context"
+	"log/slog"
+	"net/http"
+
+	"cloud.google.com/go/auth"
+	"cloud.google.com/go/auth/credentials/internal/impersonate"
+)
+
+// iamIDTokenProvider performs an authenticated RPC with the IAM service to
+// obtain an ID token. The provided client must be fully authenticated and
+// authorized with the iam.serviceAccountTokenCreator role.
+//
+// This TokenProvider is primarily intended for use in non-GDU universes, which
+// do not have access to the oauth2.googleapis.com/token endpoint, and thus must
+// use IAM generateIdToken instead.
+type iamIDTokenProvider struct {
+	client *http.Client
+	// universeDomain is used for endpoint construction.
+	universeDomain auth.CredentialsPropertyProvider
+	// signerEmail is the service account client email used to form the IAM generateIdToken endpoint.
+	signerEmail string
+	audience    string
+	logger      *slog.Logger
+}
+
+func (i iamIDTokenProvider) Token(ctx context.Context) (*auth.Token, error) {
+	opts := impersonate.IDTokenIAMOptions{
+		Client:              i.client,
+		UniverseDomain:      i.universeDomain,
+		ServiceAccountEmail: i.signerEmail,
+		Logger:              i.logger,
+		GenerateIDTokenRequest: impersonate.GenerateIDTokenRequest{
+			Audience:     i.audience,
+			IncludeEmail: true,
+		},
+	}
+	return opts.Token(ctx)
+}
@@ -86,6 +86,11 @@ type Options struct {
 	// when fetching tokens. If provided this should be a fully-authenticated
 	// client. Optional.
 	Client *http.Client
+	// UniverseDomain is the default service domain for a given Cloud universe.
+	// The default value is "googleapis.com". This is the universe domain
+	// configured for the client, which will be compared to the universe domain
+	// that is separately configured for the credentials. Optional.
+	UniverseDomain string
 	// Logger is used for debug logging. If provided, logging will be enabled
 	// at the loggers configured level. By default logging is disabled unless
 	// enabled by setting GOOGLE_SDK_GO_LOGGING_LEVEL in which case a default

@@ -15,14 +15,19 @@
 package idtoken
 
 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	"fmt"
+	"io"
+	"log/slog"
 	"net/http"
 	"net/http/httptest"
 	"os"
+	"strings"
 	"testing"
 
+	"cloud.google.com/go/auth/credentials/internal/impersonate"
 	"cloud.google.com/go/auth/internal"
 	"cloud.google.com/go/auth/internal/credsfile"
 )
@@ -66,7 +71,8 @@ func TestNewCredentials_Validate(t *testing.T) {
 	}
 }
 
-func TestNewCredentials_ServiceAccount_NoClient(t *testing.T) {
+func TestNewCredentials_ServiceAccount(t *testing.T) {
+	ctx := context.Background()
 	wantTok, _ := createRS256JWT(t)
 	b, err := os.ReadFile("../../internal/testdata/sa.json")
 	if err != nil {
@@ -97,13 +103,110 @@ func TestNewCredentials_ServiceAccount_NoClient(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	tok, err := creds.Token(context.Background())
+	tok, err := creds.Token(ctx)
 	if err != nil {
 		t.Fatalf("tp.Token() = %v", err)
 	}
 	if tok.Value != wantTok {
 		t.Errorf("got %q, want %q", tok.Value, wantTok)
 	}
+	if got, _ := creds.UniverseDomain(ctx); got != internal.DefaultUniverseDomain {
+		t.Errorf("got %q, want %q", got, internal.DefaultUniverseDomain)
+	}
+}
+
+func TestNewCredentials_ServiceAccount_UniverseDomain(t *testing.T) {
+	wantAudience := "aud"
+	wantClientEmail := "gopher@fake_project.iam.gserviceaccount.com"
+	wantUniverseDomain := "example.com"
+	wantTok := "id-token"
+	client := &http.Client{
+		Transport: RoundTripFn(func(req *http.Request) *http.Response {
+			defer req.Body.Close()
+			b, err := io.ReadAll(req.Body)
+			if err != nil {
+				t.Error(err)
+			}
+			var r impersonate.GenerateIDTokenRequest
+			if err := json.Unmarshal(b, &r); err != nil {
+				t.Error(err)
+			}
+			if r.Audience != wantAudience {
+				t.Errorf("got %q, want %q", r.Audience, wantAudience)
+			}
+			if !r.IncludeEmail {
+				t.Errorf("got %t, want %t", r.IncludeEmail, false)
+			}
+			if !strings.Contains(req.URL.Path, wantClientEmail) {
+				t.Errorf("got %q, want %q", req.URL.Path, wantClientEmail)
+			}
+			if !strings.Contains(req.URL.Hostname(), wantUniverseDomain) {
+				t.Errorf("got %q, want %q", req.URL.Hostname(), wantUniverseDomain)
+			}
+			if !strings.Contains(req.URL.Path, "generateIdToken") {
+				t.Fatal("path must contain 'generateIdToken'")
+			}
+
+			resp := impersonate.GenerateIDTokenResponse{
+				Token: wantTok,
+			}
+			b, err = json.Marshal(&resp)
+			if err != nil {
+				t.Fatalf("unable to marshal response: %v", err)
+			}
+			return &http.Response{
+				StatusCode: 200,
+				Body:       io.NopCloser(bytes.NewReader(b)),
+				Header:     http.Header{},
+			}
+		}),
+	}
+
+	ctx := context.Background()
+	creds, err := NewCredentials(&Options{
+		Audience:        wantAudience,
+		CredentialsFile: "../../internal/testdata/sa_universe_domain.json",
+		Client:          client,
+		UniverseDomain:  wantUniverseDomain,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	tok, err := creds.Token(ctx)
+	if err != nil {
+		t.Fatalf("tp.Token() = %v", err)
+	}
+	if tok.Value != wantTok {
+		t.Errorf("got %q, want %q", tok.Value, wantTok)
+	}
+	if got, _ := creds.UniverseDomain(ctx); got != wantUniverseDomain {
+		t.Errorf("got %q, want %q", got, wantUniverseDomain)
+	}
+}
+
+func TestNewCredentials_ServiceAccount_UniverseDomain_NoClient(t *testing.T) {
+	wantUniverseDomain := "example.com"
+	ctx := context.Background()
+	creds, err := NewCredentials(&Options{
+		Audience:        "aud",
+		CredentialsFile: "../../internal/testdata/sa_universe_domain.json",
+		UniverseDomain:  wantUniverseDomain,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	// To test client creation and usage without a mock client, we must expect a failed token request.
+	_, err = creds.Token(ctx)
+	if err == nil {
+		t.Fatal("token call to example.com did not fail")
+	}
+	// Assert that the failed token request targeted the universe domain.
+	if !strings.Contains(err.Error(), wantUniverseDomain) {
+		t.Errorf("got %q, want %q", err.Error(), wantUniverseDomain)
+	}
+	if got, _ := creds.UniverseDomain(ctx); got != wantUniverseDomain {
+		t.Errorf("got %q, want %q", got, wantUniverseDomain)
+	}
 }
 
 type mockTransport struct {
@@ -147,6 +250,7 @@ func TestNewCredentials_ImpersonatedAndExternal(t *testing.T) {
 					"foo": "bar",
 				},
 				Client: client,
+				Logger: slog.New(slog.NewTextHandler(io.Discard, nil)),
 			}
 			if tt.file != "" {
 				opts.CredentialsFile = tt.file