diff --git a/ydb/public/api/client/yc_private/iam/iam_token_service.proto b/ydb/public/api/client/yc_private/iam/iam_token_service.proto
index 74c03d778b77..bb5a8634a279 100644
--- a/ydb/public/api/client/yc_private/iam/iam_token_service.proto
+++ b/ydb/public/api/client/yc_private/iam/iam_token_service.proto
@@ -18,6 +18,9 @@ service IamTokenService {
 // create iam token for service account
 rpc CreateForServiceAccount (CreateIamTokenForServiceAccountRequest) returns (CreateIamTokenResponse);
+ // create iam token for service
+ rpc CreateForService (CreateIamTokenForServiceRequest) returns (CreateIamTokenResponse);
+
 // create iam token for compute instance
 rpc CreateForComputeInstance (CreateIamTokenForComputeInstanceRequest) returns (CreateIamTokenResponse);
@@ -50,6 +53,14 @@ message CreateIamTokenForServiceAccountRequest {
 string service_account_id = 1;
 }
+message CreateIamTokenForServiceRequest {
+ string service_id = 1;
+ string microservice_id = 2;
+ string resource_id = 3;
+ string resource_type = 4;
+ string target_service_account_id = 5;
+}
+
 message CreateIamTokenForComputeInstanceRequest {
 string service_account_id = 1;
 string instance_id = 2;
diff --git a/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/common/types.h b/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/common/types.h
new file mode 100644
index 000000000000..f7f070671eb9
--- /dev/null
+++ b/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/common/types.h
@@ -0,0 +1,15 @@
+#pragma once
+
+#include 
+
+namespace NYdb::inline V3 {
+
+struct TIamServiceParams : TIamEndpoint {
+ std::string ServiceId;
+ std::string MicroserviceId;
+ std::string ResourceId;
+ std::string ResourceType;
+ std::string TargetServiceAccountId;
+};
+
+}
diff --git a/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/common/ya.make b/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/common/ya.make
new file mode 100644
index 000000000000..e8c2e25fc710
--- /dev/null
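Review bot: `CreateIamTokenForServiceRequest` is added without a single field comment, and `target_service_account_id` is the field that selects which service account's token the caller receives, so its meaning and whether the four caller-identity fields are all required should be written on the message itself. Suggested: `// Service account the issued IAM token is for.` above field 5 and `// Identity of the calling service (sent as-is by the C++ SDK filler).` above `service_id`, with the exact required/optional rules filled in by the IAM service owner, since they are not visible from this diff. If this .proto is a mirror of an upstream definition, make the change there first so the copies do not drift.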
+++ b/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/common/ya.make
@@ -0,0 +1,13 @@
+LIBRARY(client-iam-private-common-include)
+
+INCLUDE(${ARCADIA_ROOT}/ydb/public/sdk/cpp/sdk_common.inc)
+
+SRCS(
+ types.h
+)
+
+PEERDIR(
+ ydb/public/sdk/cpp/src/client/iam/common
+)
+
+END()
diff --git a/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/iam.h b/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/iam.h
index c4373c9478af..48dd5ae61cb4 100644
--- a/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/iam.h
+++ b/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/iam.h
@@ -1,5 +1,7 @@
 #pragma once
+#include "common/types.h"
+
 #include 
 namespace NYdb::inline V3 {
@@ -10,4 +12,7 @@ TCredentialsProviderFactoryPtr CreateIamJwtFileCredentialsProviderFactoryPrivate
 /// Acquire an IAM token using JSON Web Token (JWT) contents.
 TCredentialsProviderFactoryPtr CreateIamJwtParamsCredentialsProviderFactoryPrivate(const TIamJwtContent& param);
+/// Acquire an IAM token for system service account (SSA).
+TCredentialsProviderFactoryPtr CreateIamServiceCredentialsProviderFactory(const TIamServiceParams& params);
+
 } // namespace NYdb
diff --git a/ydb/public/sdk/cpp/src/client/iam/common/iam.h b/ydb/public/sdk/cpp/src/client/iam/common/iam.h
index c7f7742c5a5d..22bd10e5fc00 100644
--- a/ydb/public/sdk/cpp/src/client/iam/common/iam.h
+++ b/ydb/public/sdk/cpp/src/client/iam/common/iam.h
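Review bot: The doc line `/// Acquire an IAM token for system service account (SSA).` introduces a term (SSA) that appears nowhere else in this change and does not tell the caller what the parameters do, while the factory in `iam_private/common/iam.h` sends `ServiceId`, `MicroserviceId`, `ResourceId`, `ResourceType` and `TargetServiceAccountId` to the private `IamTokenService.CreateForService` RPC. Suggest expanding it to three lines: `/// Acquire an IAM token via the private IamTokenService.CreateForService RPC.`, `/// ServiceId, MicroserviceId, ResourceId and ResourceType identify the calling service; the token is issued for TargetServiceAccountId.`, `/// Connection settings (including RequestTimeout) come from the TIamEndpoint base of TIamServiceParams.` It is also worth stating that the first token request happens synchronously when the provider is created, since the `TGrpcIamCredentialsProvider` constructor calls `Impl_->UpdateTicket(true)`.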
@@ -19,12 +19,19 @@ class TGrpcIamCredentialsProvider : public ICredentialsProvider {
 protected:
 using TRequestFiller = std::function;
+ using TSimpleRpc =
+ typename NYdbGrpc::TSimpleRequestProcessor<
+ typename TService::Stub,
+ TRequest,
+ TResponse>::TAsyncRequest;
+
 private:
 class TImpl : public std::enable_shared_from_this::TImpl> {
 public:
- TImpl(const TIamEndpoint& iamEndpoint, const TRequestFiller& requestFiller)
+ TImpl(const TIamEndpoint& iamEndpoint, const TRequestFiller& requestFiller, TSimpleRpc rpc)
 : Client(std::make_unique())
 , Connection_(nullptr)
+ , Rpc_(rpc)
 , Ticket_("")
 , NextTicketUpdate_(TInstant::Zero())
 , IamEndpoint_(iamEndpoint)
@@ -67,7 +74,7 @@ class TGrpcIamCredentialsProvider : public ICredentialsProvider {
 Connection_->template DoRequest(
 std::move(req),
 std::move(cb),
- &TService::Stub::AsyncCreate,
+ Rpc_,
 { {}, {}, IamEndpoint_.RequestTimeout }
 );
@@ -142,9 +149,9 @@ class TGrpcIamCredentialsProvider : public ICredentialsProvider {
 }
 private:
-
 std::unique_ptr Client;
 std::unique_ptr> Connection_;
+ TSimpleRpc Rpc_;
 std::string Ticket_;
 TInstant NextTicketUpdate_;
 const TIamEndpoint IamEndpoint_;
@@ -157,8 +164,8 @@ class TGrpcIamCredentialsProvider : public ICredentialsProvider {
 };
 public:
- TGrpcIamCredentialsProvider(const TIamEndpoint& endpoint, const TRequestFiller& requestFiller)
- : Impl_(std::make_shared(endpoint, requestFiller))
+ TGrpcIamCredentialsProvider(const TIamEndpoint& endpoint, const TRequestFiller& requestFiller, TSimpleRpc rpc)
+ : Impl_(std::make_shared(endpoint, requestFiller, rpc))
 {
 Impl_->UpdateTicket(true);
 }
@@ -186,7 +193,7 @@ class TIamJwtCredentialsProvider : public TGrpcIamCredentialsProvider(params, [jwtParams = params.JwtParams](TRequest& req) {
 req.set_jwt(MakeSignedJwt(jwtParams));
- }) {}
+ }, &TService::Stub::AsyncCreate) {}
 };
 template 
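Review bot: The new `TSimpleRpc rpc` argument is stored into `Rpc_` without any check, and because the public constructor immediately runs `Impl_->UpdateTicket(true)`, a null member-function pointer would be invoked through `Rpc_` inside `DoRequest` during construction instead of being reported where the bad argument was passed. The two in-tree callers pass `&TService::Stub::AsyncCreate` and the new service factory passes `&TService::Stub::AsyncCreateForService`, so a non-null precondition is cheap to assert at the top of the public constructor with whatever assertion macro this library already uses. The alias is now part of the constructor contract and deserves a comment, e.g. `/// Async stub method used to issue the token request (e.g. &TService::Stub::AsyncCreate).` above `using TSimpleRpc =`.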
@@ -196,7 +203,7 @@ class TIamOAuthCredentialsProvider : public TGrpcIamCredentialsProvider(params, [token = params.OAuthToken](TRequest& req) {
 req.set_yandex_passport_oauth_token(TStringType{token});
- }) {}
+ }, &TService::Stub::AsyncCreate) {}
 };
 template 
diff --git a/ydb/public/sdk/cpp/src/client/iam_private/common/iam.h b/ydb/public/sdk/cpp/src/client/iam_private/common/iam.h
new file mode 100644
index 000000000000..bbc09b0d347b
--- /dev/null
+++ b/ydb/public/sdk/cpp/src/client/iam_private/common/iam.h
@@ -0,0 +1,28 @@
+#include 
+
+#include 
+
+namespace NYdb::inline V3 {
+
+template 
+
+class TIamServiceCredentialsProviderFactory : public ICredentialsProviderFactory {
+public:
+ TIamServiceCredentialsProviderFactory(const TIamServiceParams& params) : Params_(params) {}
+
+ TCredentialsProviderPtr CreateProvider() const final {
+ return std::make_shared>(Params_,
+ [params = Params_](TRequest& req) {
+ req.set_service_id(params.ServiceId);
+ req.set_microservice_id(params.MicroserviceId);
+ req.set_resource_id(params.ResourceId);
+ req.set_resource_type(params.ResourceType);
+ req.set_target_service_account_id(params.TargetServiceAccountId);
+ }, &TService::Stub::AsyncCreateForService);
+ }
+
+private:
+ TIamServiceParams Params_;
+};
+
+}
diff --git a/ydb/public/sdk/cpp/src/client/iam_private/common/ya.make b/ydb/public/sdk/cpp/src/client/iam_private/common/ya.make
new file mode 100644
index 000000000000..a2990e63454b
--- /dev/null
+++ b/ydb/public/sdk/cpp/src/client/iam_private/common/ya.make
@@ -0,0 +1,14 @@
+LIBRARY()
+
+INCLUDE(${ARCADIA_ROOT}/ydb/public/sdk/cpp/sdk_common.inc)
+
+SRCS(
+ iam.h
+)
+
+PEERDIR(
+ ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/common
+ ydb/public/sdk/cpp/src/client/iam/common
+)
+
+END()
diff --git a/ydb/public/sdk/cpp/src/client/iam_private/iam.cpp b/ydb/public/sdk/cpp/src/client/iam_private/iam.cpp
index 09d7e56683f5..67268c942cce 100644
--- a/ydb/public/sdk/cpp/src/client/iam_private/iam.cpp
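Review bot: The new header `iam_private/common/iam.h` begins directly with `#include` and has no `#pragma once`, unlike `iam_private/common/types.h` from the same commit, so including it twice in one translation unit redefines `TIamServiceCredentialsProviderFactory`; add `#pragma once` as the first line. In the same file, what appears to be a blank line sits between the `template` line and `class TIamServiceCredentialsProviderFactory`, which no other template in this diff does. The `[params = Params_]` capture copies the whole `TIamServiceParams` (including its `TIamEndpoint` base) into every request filler although only the five id strings are read; capturing just those strings would keep the closure smaller, but that is optional.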
+++ b/ydb/public/sdk/cpp/src/client/iam_private/iam.cpp
@@ -1,17 +1,19 @@
-#include 
+#include "common/iam.h"
-#include 
+#include 
 #include 
 #include 
+using namespace yandex::cloud::priv::iam::v1;
+
 namespace NYdb::inline V3 {
 TCredentialsProviderFactoryPtr CreateIamJwtCredentialsProviderFactoryImplPrivate(TIamJwtParams&& jwtParams) {
 return std::make_shared>(std::move(jwtParams));
 }
@@ -25,4 +27,12 @@ TCredentialsProviderFactoryPtr CreateIamJwtParamsCredentialsProviderFactoryPriva
 return CreateIamJwtCredentialsProviderFactoryImplPrivate(std::move(jwtParams));
 }
+TCredentialsProviderFactoryPtr CreateIamServiceCredentialsProviderFactory(const TIamServiceParams& params) {
+ return std::make_shared>(std::move(params));
+}
+
 }
diff --git a/ydb/public/sdk/cpp/src/client/iam_private/ya.make b/ydb/public/sdk/cpp/src/client/iam_private/ya.make
index 251d3483071f..ce4b7a51292d 100644
--- a/ydb/public/sdk/cpp/src/client/iam_private/ya.make
+++ b/ydb/public/sdk/cpp/src/client/iam_private/ya.make
@@ -8,7 +8,7 @@ SRCS(
 PEERDIR(
 ydb/public/api/client/yc_private/iam
- ydb/public/sdk/cpp/src/client/iam/common
+ ydb/public/sdk/cpp/src/client/iam_private/common
 )
 END()
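Review bot: `CreateIamServiceCredentialsProviderFactory` takes `const TIamServiceParams& params` and then passes `std::move(params)` to `std::make_shared`; moving a const lvalue yields a `const&&` that still binds to the factory's `const TIamServiceParams&` constructor, so this is a copy dressed up as a move (clang-tidy `performance-move-const-arg`). Either drop the cast, `return std::make_shared<TIamServiceCredentialsProviderFactory<...>>(params);`, or take the parameter by value and move it, the way `CreateIamJwtCredentialsProviderFactoryImplPrivate` above genuinely moves its `TIamJwtParams&&`.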