feat: Add a token_type options proto to allow for customization of sp…

…ecific token types. Added the first token type option to hold principal tag token options PiperOrigin-RevId: 700050491
googleapis · Nov 25, 2024 · 5afbbeb · 5afbbeb
1 parent 9ed52d4
commit 5afbbeb
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 0 deletions.
diff --git a/google/cloud/confidentialcomputing/v1/BUILD.bazel b/google/cloud/confidentialcomputing/v1/BUILD.bazel
@@ -330,6 +330,7 @@ load(
 
 csharp_proto_library(
     name = "confidentialcomputing_csharp_proto",
+    extra_opts = [],
     deps = [":confidentialcomputing_proto"],
 )
 

diff --git a/google/cloud/confidentialcomputing/v1/service.proto b/google/cloud/confidentialcomputing/v1/service.proto
@@ -85,6 +85,9 @@ enum TokenType {
 
   // Limited claim token type for AWS integration
   TOKEN_TYPE_LIMITED_AWS = 3;
+
+  // Principal-tag-based token for AWS integration
+  TOKEN_TYPE_AWS_PRINCIPALTAGS = 4;
 }
 
 // A Challenge from the server used to guarantee freshness of attestations
@@ -227,6 +230,37 @@ message GcpCredentials {
 
 // Options to modify claims in the token to generate custom-purpose tokens.
 message TokenOptions {
+  // Token options that only apply to the AWS Principal Tags token type.
+  message AwsPrincipalTagsOptions {
+    // Allowed principal tags is used to define what principal tags will be
+    // placed in the token.
+    message AllowedPrincipalTags {
+      // Allowed Container Image Signatures. Key IDs are required to allow this
+      // claim to fit within the narrow AWS IAM restrictions.
+      message ContainerImageSignatures {
+        // Optional. List of key ids to filter into the Principal tags. Only
+        // keys that have been validated and added to the token will be filtered
+        // into principal tags. Unrecognized key ids will be ignored.
+        repeated string key_ids = 1 [(google.api.field_behavior) = OPTIONAL];
+      }
+
+      // Optional. Container image signatures allowed in the token.
+      ContainerImageSignatures container_image_signatures = 1
+          [(google.api.field_behavior) = OPTIONAL];
+    }
+
+    // Optional. Principal tags to allow in the token.
+    AllowedPrincipalTags allowed_principal_tags = 1
+        [(google.api.field_behavior) = OPTIONAL];
+  }
+
+  // An optional additional configuration per token type.
+  oneof token_type_options {
+    // Optional. Options for the Limited AWS token type.
+    AwsPrincipalTagsOptions aws_principal_tags_options = 4
+        [(google.api.field_behavior) = OPTIONAL];
+  }
+
   // Optional. Optional string to issue the token with a custom audience claim.
   // Required if one or more nonces are specified.
   string audience = 1 [(google.api.field_behavior) = OPTIONAL];

diff --git a/google/cloud/confidentialcomputing/v1alpha1/BUILD.bazel b/google/cloud/confidentialcomputing/v1alpha1/BUILD.bazel
@@ -328,6 +328,7 @@ load(
 
 csharp_proto_library(
     name = "confidentialcomputing_csharp_proto",
+    extra_opts = [],
     deps = [":confidentialcomputing_proto"],
 )