This package implements oauth2.TokenSource and signer which respects ADC with impersonation.

• Automatically uses CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT environment variable as an impersonation target and a delegation chain.
  • It respects same variable and syntax of gcloud.
    • https://cloud.google.com/sdk/gcloud/reference/topic/configurations?hl=en#impersonate_service_account
    • https://cloud.google.com/sdk/docs/properties?hl=en#setting_properties_via_environment_variables
• Can override the impersonation target, the delegate chain and the source credential through functional options.

This package is EXPERIMENTAL.

• No responsibility.
• May be broken.
• Will do breaking changes.

• Currently, external_account(STS) is not mentioned in AIP-4110 because it is removed when approval but it is supported in golang.org/x/oauth2/google and it is documented. I treat it as one of ADC credential.
• "Credentials API" is Service Account Credentials API (projects.serviceAccounts.signBlob, projects.serviceAccounts.signJwt)
  • Need Service Account Token Creator role(roles/iam.serviceAccountTokenCreator)

• Support Self-signed JWT(AIP-4111) for service_account in SmartAccessTokenSource.
  • It may be better to wait Self-signed JWT with scopes is supported in JWTAccessTokenSourceFromJSON
• Support to override underlying TokenSource.
  • WithTokenSource()
• Support external_account in tokensource.SmartIDTokenSource.
• Re-implement underlying TokenSource to avoid ReuseTokenSource in default.
• Add tests.
• Replace signJwtHelper with a reliable implementation.