@@ -9,13 +9,13 @@ can use. Please note that only Google Cloud Storage supports this feature.
99For complete documentation, see https://cloud.google.com/iam/docs/downscoping-short-lived-credentials
1010
1111To downscope permissions of a source credential, you need to define
12- a Credential Access Boundary. Said Boundary specifies which resources
12+ a Credential Access Boundary. Said Boundary specifies which resources
1313the newly created credential can access, an upper bound on the permissions
14- it has over those resources, and optionally attribute-based conditional
15- access to the aforementioned resources. For more information on IAM
14+ it has over those resources, and optionally attribute-based conditional
15+ access to the aforementioned resources. For more information on IAM
1616Conditions, see https://cloud.google.com/iam/docs/conditions-overview.
1717
18- This functionality would typically be used to provide a third party with
18+ This functionality can be used to provide a third party with
1919limited access to and permissions on resources held by the owner of the root
2020credential or internally in conjunction with the principle of least privilege
2121to ensure that internal services only hold the minimum necessary privileges
@@ -24,13 +24,13 @@ for their function.
2424For example, a token broker can be set up on a server in a private network.
2525Various workloads (token consumers) in the same network will send authenticated
2626requests to that broker for downscoped tokens to access or modify specific google
27- cloud storage buckets. See the NewTokenSource example for an example of how a
27+ cloud storage buckets. See the NewTokenSource example for an example of how a
2828token broker would use this package.
2929
3030The broker will use the functionality in this package to generate a downscoped
3131token with the requested configuration, and then pass it back to the token
32- consumer. These downscoped access tokens can then be used to access Google
33- Storage resources. For instance, you can create a NewClient from the
32+ consumer. These downscoped access tokens can then be used to access Google
33+ Storage resources. For instance, you can create a NewClient from the
3434"cloud.google.com/go/storage" package and pass in option.WithTokenSource(yourTokenSource))
3535*/
3636package downscope
@@ -81,7 +81,7 @@ type AccessBoundaryRule struct {
8181 // An Condition restricts the availability of permissions
8282 // to specific Cloud Storage objects. Optional.
8383 //
84- // A Condition can be used to make permissions available for specific objects,
84+ // A Condition can be used to make permissions available for specific objects,
8585 // rather than all objects in a Cloud Storage bucket.
8686 Condition * AvailabilityCondition `json:"availabilityCondition,omitempty"`
8787}
@@ -183,9 +183,9 @@ func (dts downscopingTokenSource) Token() (*oauth2.Token, error) {
183183 if resp .StatusCode != http .StatusOK {
184184 b , err := ioutil .ReadAll (resp .Body )
185185 if err != nil {
186- return nil , fmt .Errorf ("downscope: unable to exchange token; %v. Failed to read response body: %v" , resp .StatusCode , err )
186+ return nil , fmt .Errorf ("downscope: unable to exchange token; %v. Failed to read response body: %v" , resp .StatusCode , err )
187187 }
188- return nil , fmt .Errorf ("downscope: unable to exchange token; %v. Server responsed: %v" , resp .StatusCode , string (b ))
188+ return nil , fmt .Errorf ("downscope: unable to exchange token; %v. Server responsed: %v" , resp .StatusCode , string (b ))
189189 }
190190
191191 var tresp downscopedTokenResponse
0 commit comments