TokenSourceを理解する

Transcript

1. Kenta Takahashi golang.org/x/oauth2#TokenSource Λ׬શʹཧղ͢Δ Asakusa.go

2. None

3. αʔϏεؒͰೝূΛͲ͏΍͓ͬͯ͜ͳ͏͔?

4. ͱʹ͔ͨ͘͘͞Μ͋Δ • OAuth2/OpenIDConnect ΫϥΠΞϯτೝূ • GitHub Actions ͱ Google Cloud/AWS

   • Google Cloud ಺Ͱͷೝূํ๏ • AWS ಺Ͱͷೝূํࣜ

5. OAuth2 /OenID Connect ΫϥΠΞϯτೝূ • client_secret_post • client_secret_basic • client_secret_jwt

   • private_key_jwt • tls_client_auth • ...

6. GitHub Actions ͱ Google Cloud/AWS https://docs.github.com/ja/actions/concepts/security/openid-connect

7. Google Cloud ಺Ͱͷೝূํ๏ • Set up Application Default Credentials ͱ͍

   ͏࢓૊Έ͕͋Δ • ͬ͘͟Γೝূ৘ใͷ୳ ͠ํϚχϡΞϧ

8. AWS ಺Ͱͷೝূํࣜ • ͋Μ·Γৄ͘͠ͳ͍ͷͰׂѪ

9. ͳΔ΄ͲΘ͔ΒΜ

10. API ϦΫΤετ͍͚ͨͩ͠ͳΜͩ

11. TokenSource ʹ͍ͭͯ https://pkg.go.dev/golang.org/x/oauth2#TokenSource

12. TokenSource ͸Ͳ͜Ͱ࢖ΘΕ͍ͯΔ͔ golang.org/x/oauth2 SSO ͷྫ

13. TokenSource ͸Ͳ͜Ͱ࢖ΘΕ͍ͯΔ͔ golang.org/x/oauth2 - access token Λ࢖ͬͯ Ϣʔβʔ৘ใΛऔಘ͢Δ - ͜ͷ಺෦Ͱ

    Token Source ͕࢖ΘΕ͍ͯΔ

14. TokenSource ͸Ͳ͜Ͱ࢖ΘΕ͍ͯΔ͔ golang.org/x/oauth2

15. TokenSource ͸Ͳ͜Ͱ࢖ΘΕ͍ͯΔ͔ golang.org/x/oauth2 - Request ͝ͱʹ
 TokenSource ͷ
 ϝιου͕ݺ͹Ε͍ͯΔ -

    ಺෦͸ token ͷߋ৽ͳͲ
 ΋ߦ͍ͬͯΔ - ϩοΫ΋ͱͬͯ
 goroutine-safe ʹ
 ͳ͍ͬͯΔ

16. TokenSource ͸Ͳ͜Ͱ࢖ΘΕ͍ͯΔ͔ GitHub Actions ͱ Google Cloud/AWS (AWS ͸ׂѪ) •

    Google Cloud ͸ Workload Identity Federation ͱ͍͏࢓૊ΈΛ࢖͍ͬͯΔ • ೝূΩʔͳ͠Ͱ Google Cloud ʹΞΫηεͰ͖Δ • ಺෦ͷৄ͍͠࢓૊Έ͸ฉ͍͍ͯͩ͘͞😇

17. TokenSource ͸Ͳ͜Ͱ࢖ΘΕ͍ͯΔ͔ GitHub Actions ͱ Google Cloud/AWS (AWS ͸ׂѪ) Workload

    Identity 
 Federation ͷྫ https://github.com/knwoop/google-cloud-go-playground/iam/workloadidentityfed

18. TokenSource ͸Ͳ͜Ͱ࢖ΘΕ͍ͯΔ͔ GitHub Actions ͱ Google Cloud/AWS (AWS ͸ׂѪ) Service

    Account ͷྫ

19. ·ͱΊ • TokenSource ͸ɺೝূ৘ใͷऔಘΛಁաతʹͯ͘͠ΕΔ΋ͷ • API ୟ࣌͘͸ TokenSource ͚ͩΛҙࣝ͠Α͏ (ݱ࣮͸ͦΜͳʹ؁͘ͳ͍😇)

    • ·ͣ TokenSource Λ࢖͑ͳ͍͔Λݕ౼ͯ͠ΈΔ • ࠓճ঺հͰ͖ͳ͔͕ͬͨɺ TokenSource Λ࢖ͬͨ RoundTripper ΍ grpc callOptions ͳͲ΋͋ΔͷͰศར