feat: Add a token_type options proto to allow for customization of specific token types. Added the first token type option to hold principal tag token options

Google APIs · copybara-github · commit 5afbbeb4cc5e · 2024-11-25T11:34:25.000-08:00
PiperOrigin-RevId: 700050491
diff --git a/google/cloud/confidentialcomputing/v1/BUILD.bazel b/google/cloud/confidentialcomputing/v1/BUILD.bazel
@@ -330,6 +330,7 @@ load(
 
 csharp_proto_library(
     name = "confidentialcomputing_csharp_proto",
+    extra_opts = [],
     deps = [":confidentialcomputing_proto"],
 )
 
diff --git a/google/cloud/confidentialcomputing/v1/service.proto b/google/cloud/confidentialcomputing/v1/service.proto
@@ -85,6 +85,9 @@ enum TokenType {
 
   // Limited claim token type for AWS integration
   TOKEN_TYPE_LIMITED_AWS = 3;
+
+  // Principal-tag-based token for AWS integration
+  TOKEN_TYPE_AWS_PRINCIPALTAGS = 4;
 }
 
 // A Challenge from the server used to guarantee freshness of attestations
@@ -227,6 +230,37 @@ message GcpCredentials {
 
 // Options to modify claims in the token to generate custom-purpose tokens.
 message TokenOptions {
+  // Token options that only apply to the AWS Principal Tags token type.
+  message AwsPrincipalTagsOptions {
+    // Allowed principal tags is used to define what principal tags will be
+    // placed in the token.
+    message AllowedPrincipalTags {
+      // Allowed Container Image Signatures. Key IDs are required to allow this
+      // claim to fit within the narrow AWS IAM restrictions.
+      message ContainerImageSignatures {
+        // Optional. List of key ids to filter into the Principal tags. Only
+        // keys that have been validated and added to the token will be filtered
+        // into principal tags. Unrecognized key ids will be ignored.
+        repeated string key_ids = 1 [(google.api.field_behavior) = OPTIONAL];
+      }
+
+      // Optional. Container image signatures allowed in the token.
+      ContainerImageSignatures container_image_signatures = 1
+          [(google.api.field_behavior) = OPTIONAL];
+    }
+
+    // Optional. Principal tags to allow in the token.
+    AllowedPrincipalTags allowed_principal_tags = 1
+        [(google.api.field_behavior) = OPTIONAL];
+  }
+
+  // An optional additional configuration per token type.
+  oneof token_type_options {
+    // Optional. Options for the Limited AWS token type.
+    AwsPrincipalTagsOptions aws_principal_tags_options = 4
+        [(google.api.field_behavior) = OPTIONAL];
+  }
+
   // Optional. Optional string to issue the token with a custom audience claim.
   // Required if one or more nonces are specified.
   string audience = 1 [(google.api.field_behavior) = OPTIONAL];
diff --git a/google/cloud/confidentialcomputing/v1alpha1/BUILD.bazel b/google/cloud/confidentialcomputing/v1alpha1/BUILD.bazel
@@ -328,6 +328,7 @@ load(
 
 csharp_proto_library(
     name = "confidentialcomputing_csharp_proto",
+    extra_opts = [],
     deps = [":confidentialcomputing_proto"],
 )
 

Original file line number	Diff line number	Diff line change
`@@ -330,6 +330,7 @@ load(`
`330`	`330`
`331`	`331`	`csharp_proto_library(`
`332`	`332`	`name = "confidentialcomputing_csharp_proto",`
	`333`	`+ extra_opts = [],`
`333`	`334`	`deps = [":confidentialcomputing_proto"],`
`334`	`335`	`)`
`335`	`336`
Original file line number	Diff line number	Diff line change
`@@ -328,6 +328,7 @@ load(`
`328`	`328`
`329`	`329`	`csharp_proto_library(`
`330`	`330`	`name = "confidentialcomputing_csharp_proto",`
	`331`	`+ extra_opts = [],`
`331`	`332`	`deps = [":confidentialcomputing_proto"],`
`332`	`333`	`)`
`333`	`334`