feat: [confidentialcomputing] Add a token_type options proto to allow for customization of specific token types. Added the first token type option to hold principal tag token options

packages/google-cloud-confidentialcomputing/README.md

@@ -44,7 +44,7 @@ Google APIs Client Libraries, in [Client Libraries Explained][explained].
 1.  [Select or create a Cloud Platform project][projects].
 1.  [Enable billing for your project][billing].
 1.  [Enable the Confidential Computing API API][enable_api].
-1.  [Set up authentication with a service account][auth] so you can access the
+1.  [Set up authentication][auth] so you can access the
     API from your local workstation.
 
 ### Installing the client library
@@ -179,4 +179,4 @@ See [LICENSE](https://github.com/googleapis/google-cloud-node/blob/main/LICENSE)
 [projects]: https://console.cloud.google.com/project
 [billing]: https://support.google.com/cloud/answer/6293499#enable-billing
 [enable_api]: https://console.cloud.google.com/flows/enableapi?apiid=confidentialcomputing.googleapis.com
-[auth]: https://cloud.google.com/docs/authentication/getting-started
+[auth]: https://cloud.google.com/docs/authentication/external/set-up-adc-local

packages/google-cloud-confidentialcomputing/protos/google/cloud/confidentialcomputing/v1/service.proto

@@ -85,6 +85,9 @@ enum TokenType {
 
   // Limited claim token type for AWS integration
   TOKEN_TYPE_LIMITED_AWS = 3;
+
+  // Principal-tag-based token for AWS integration
+  TOKEN_TYPE_AWS_PRINCIPALTAGS = 4;
 }
 
 // A Challenge from the server used to guarantee freshness of attestations
@@ -227,6 +230,37 @@ message GcpCredentials {
 
 // Options to modify claims in the token to generate custom-purpose tokens.
 message TokenOptions {
+  // Token options that only apply to the AWS Principal Tags token type.
+  message AwsPrincipalTagsOptions {
+    // Allowed principal tags is used to define what principal tags will be
+    // placed in the token.
+    message AllowedPrincipalTags {
+      // Allowed Container Image Signatures. Key IDs are required to allow this
+      // claim to fit within the narrow AWS IAM restrictions.
+      message ContainerImageSignatures {
+        // Optional. List of key ids to filter into the Principal tags. Only
+        // keys that have been validated and added to the token will be filtered
+        // into principal tags. Unrecognized key ids will be ignored.
+        repeated string key_ids = 1 [(google.api.field_behavior) = OPTIONAL];
+      }
+
+      // Optional. Container image signatures allowed in the token.
+      ContainerImageSignatures container_image_signatures = 1
+          [(google.api.field_behavior) = OPTIONAL];
+    }
+
+    // Optional. Principal tags to allow in the token.
+    AllowedPrincipalTags allowed_principal_tags = 1
+        [(google.api.field_behavior) = OPTIONAL];
+  }
+
+  // An optional additional configuration per token type.
+  oneof token_type_options {
+    // Optional. Options for the Limited AWS token type.
+    AwsPrincipalTagsOptions aws_principal_tags_options = 4
+        [(google.api.field_behavior) = OPTIONAL];
+  }
+
   // Optional. Optional string to issue the token with a custom audience claim.
   // Required if one or more nonces are specified.
   string audience = 1 [(google.api.field_behavior) = OPTIONAL];