Add Postgres Cloud SQL support (#5941)

api/types/databaseserver.go

@@ -64,12 +64,16 @@ type DatabaseServer interface {
 	GetURI() string
 	// GetCA returns the database CA certificate bytes.
 	GetCA() []byte
-	// GetRegion returns the AWS region for RDS/Aurora databases.
-	GetRegion() string
+	// GetAWS returns AWS information for RDS/Aurora databases.
+	GetAWS() AWS
+	// GetGCP returns GCP information for Cloud SQL databases.
+	GetGCP() GCPCloudSQL
 	// GetType returns the database type, self-hosted or AWS RDS.
 	GetType() string
 	// IsRDS returns true if this is an RDS/Aurora database.
 	IsRDS() bool
+	// IsCloudSQL returns true if this is a Cloud SQL database.
+	IsCloudSQL() bool
 	// CheckAndSetDefaults checks and set default values for any missing fields.
 	CheckAndSetDefaults() error
 	// Copy returns a copy of this database server object.
@@ -235,9 +239,14 @@ func (s *DatabaseServerV3) GetCA() []byte {
 	return s.Spec.CACert
 }
 
-// GetRegion returns the AWS region for RDS/Aurora databases.
-func (s *DatabaseServerV3) GetRegion() string {
-	return s.Spec.AWS.Region
+// GetAWS returns AWS information for RDS/Aurora databases.
+func (s *DatabaseServerV3) GetAWS() AWS {
+	return s.Spec.AWS
+}
+
+// GetGCP returns GCP information for Cloud SQL databases.
+func (s *DatabaseServerV3) GetGCP() GCPCloudSQL {
+	return s.Spec.GCP
 }
 
 // IsRDS returns true if this database represents AWS RDS/Aurora instance.
@@ -245,11 +254,19 @@ func (s *DatabaseServerV3) IsRDS() bool {
 	return s.GetType() == DatabaseTypeRDS
 }
 
+// IsCloudSQL returns true if this database is a Cloud SQL instance.
+func (s *DatabaseServerV3) IsCloudSQL() bool {
+	return s.GetType() == DatabaseTypeCloudSQL
+}
+
 // GetType returns the database type, self-hosted or AWS RDS.
 func (s *DatabaseServerV3) GetType() string {
 	if s.Spec.AWS.Region != "" {
 		return DatabaseTypeRDS
 	}
+	if s.Spec.GCP.ProjectID != "" {
+		return DatabaseTypeCloudSQL
+	}
 	return DatabaseTypeSelfHosted
 }
 
@@ -297,6 +314,8 @@ const (
 	DatabaseTypeSelfHosted = "self-hosted"
 	// DatabaseTypeRDS is AWS-hosted RDS or Aurora database.
 	DatabaseTypeRDS = "rds"
+	// DatabaseTypeCloudSQL is GCP-hosted Cloud SQL database.
+	DatabaseTypeCloudSQL = "gcp"
 )
 
 // SortedDatabaseServers implements sorter for database servers.
@@ -310,3 +329,26 @@ func (s SortedDatabaseServers) Less(i, j int) bool { return s[i].GetName() < s[j
 
 // Swap swaps two database servers.
 func (s SortedDatabaseServers) Swap(i, j int) { s[i], s[j] = s[j], s[i] }
+
+// DatabaseServers is a list of database servers.
+type DatabaseServers []DatabaseServer
+
+// HasRDS returns true if an AWS RDS database is present among this list.
+func (s DatabaseServers) HasRDS() bool {
+	for _, d := range s {
+		if d.IsRDS() {
+			return true
+		}
+	}
+	return false
+}
+
+// HasGCP returns true if a GCP Cloud SQL database is present among this list.
+func (s DatabaseServers) HasGCP() bool {
+	for _, d := range s {
+		if d.IsCloudSQL() {
+			return true
+		}
+	}
+	return false
+}

api/types/types.proto

@@ -172,6 +172,8 @@ message DatabaseServerSpecV3 {
     // Rotation contains the server CA rotation information.
     Rotation Rotation = 10
         [ (gogoproto.nullable) = false, (gogoproto.jsontag) = "rotation,omitempty" ];
+    // GCP contains parameters specific to GCP Cloud SQL databases.
+    GCPCloudSQL GCP = 11 [ (gogoproto.nullable) = false, (gogoproto.jsontag) = "gcp,omitempty" ];
 }
 
 // AWS contains AWS specific settings such as region.
@@ -180,6 +182,14 @@ message AWS {
     string Region = 1 [ (gogoproto.jsontag) = "region,omitempty" ];
 }
 
+// GCPCloudSQL contains parameters specific to GCP Cloud SQL databases.
+message GCPCloudSQL {
+    // ProjectID is the GCP project ID the Cloud SQL instance resides in.
+    string ProjectID = 1 [ (gogoproto.jsontag) = "project_id,omitempty" ];
+    // InstanceID is the Cloud SQL instance ID.
+    string InstanceID = 2 [ (gogoproto.jsontag) = "instance_id,omitempty" ];
+}
+
 // ServerV2 represents a Node, App, Database, Proxy or Auth server in a Teleport cluster.
 message ServerV2 {
     option (gogoproto.goproto_stringer) = false;

go.mod

@@ -3,7 +3,7 @@ module github.com/gravitational/teleport
 go 1.15
 
 require (
-	cloud.google.com/go v0.60.0 // indirect
+	cloud.google.com/go v0.60.0
 	cloud.google.com/go/firestore v1.2.0
 	cloud.google.com/go/storage v1.10.0
 	github.com/HdrHistogram/hdrhistogram-go v1.0.1
@@ -113,6 +113,7 @@ require (
 	gopkg.in/square/go-jose.v2 v2.5.1
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+	honnef.co/go/tools v0.0.1-2020.1.5 // indirect
 	k8s.io/api v0.0.0-20200821051526-051d027c14e1
 	k8s.io/apimachinery v0.20.4
 	k8s.io/client-go v0.0.0-20200827131824-5d33118d4742

go.sum

@@ -1073,8 +1073,9 @@ honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-honnef.co/go/tools v0.0.1-2020.1.4 h1:UoveltGrhghAA7ePc+e+QYDHXrBps2PqFZiHkGR/xK8=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
+honnef.co/go/tools v0.0.1-2020.1.5 h1:nI5egYTGJakVyOryqLs1cQO5dO0ksin5XXs2pspk75k=
+honnef.co/go/tools v0.0.1-2020.1.5/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 k8s.io/api v0.0.0-20200821051526-051d027c14e1 h1:tnYGRPNJuQuYUOaO2iTnU5BE4MXCrR495liacfqJLOg=
 k8s.io/api v0.0.0-20200821051526-051d027c14e1/go.mod h1:6DKPkNII5GHfkmzU2WRXuDEJXvErpzTgkC/GRlsMFOQ=
 k8s.io/apimachinery v0.0.0-20200821051348-9254095ca5ca/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA=

lib/config/configuration.go

@@ -848,6 +848,10 @@ func applyDatabasesConfig(fc *FileConfig, cfg *service.Config) error {
 			AWS: service.DatabaseAWS{
 				Region: database.AWS.Region,
 			},
+			GCP: service.DatabaseGCP{
+				ProjectID:  database.GCP.ProjectID,
+				InstanceID: database.GCP.InstanceID,
+			},
 		}
 		if err := db.Check(); err != nil {
 			return trace.Wrap(err)

lib/config/fileconf.go

@@ -906,6 +906,8 @@ type Database struct {
 	DynamicLabels []CommandLabel `yaml:"dynamic_labels,omitempty"`
 	// AWS contains AWS specific settings for RDS/Aurora databases.
 	AWS DatabaseAWS `yaml:"aws"`
+	// GCP contains GCP specific settings for Cloud SQL databases.
+	GCP DatabaseGCP `yaml:"gcp"`
 }
 
 // DatabaseAWS contains AWS specific settings for RDS/Aurora databases.
@@ -914,6 +916,14 @@ type DatabaseAWS struct {
 	Region string `yaml:"region,omitempty"`
 }
 
+// DatabaseGCP contains GCP specific settings for Cloud SQL databases.
+type DatabaseGCP struct {
+	// ProjectID is the GCP project ID where the database is deployed.
+	ProjectID string `yaml:"project_id,omitempty"`
+	// InstanceID is the Cloud SQL database instance ID.
+	InstanceID string `yaml:"instance_id,omitempty"`
+}
+
 // Apps represents the configuration for the collection of applications this
 // service will start. In file configuration this would be the "app_service"
 // section.

lib/service/cfg.go

@@ -559,6 +559,8 @@ type Database struct {
 	CACert []byte
 	// AWS contains AWS specific settings for RDS/Aurora.
 	AWS DatabaseAWS
+	// GCP contains GCP specific settings for Cloud SQL.
+	GCP DatabaseGCP
 }
 
 // DatabaseAWS contains AWS specific settings for RDS/Aurora databases.
@@ -567,6 +569,14 @@ type DatabaseAWS struct {
 	Region string
 }
 
+// DatabaseGCP contains GCP specific settings for Cloud SQL databases.
+type DatabaseGCP struct {
+	// ProjectID is the GCP project ID where the database is deployed.
+	ProjectID string
+	// InstanceID is the Cloud SQL instance ID.
+	InstanceID string
+}
+
 // Check validates the database proxy configuration.
 func (d *Database) Check() error {
 	if d.Name == "" {
@@ -592,6 +602,26 @@ func (d *Database) Check() error {
 				d.Name, err)
 		}
 	}
+	// Validate Cloud SQL specific configuration.
+	switch {
+	case d.GCP.ProjectID != "" && d.GCP.InstanceID == "":
+		return trace.BadParameter("missing Cloud SQL instance ID for database %q", d.Name)
+	case d.GCP.ProjectID == "" && d.GCP.InstanceID != "":
+		return trace.BadParameter("missing Cloud SQL project ID for database %q", d.Name)
+	case d.GCP.ProjectID != "" && d.GCP.InstanceID != "":
+		// Only Postgres Cloud SQL instances currently support IAM authentication.
+		// It's a relatively new feature so we'll be able to enable it once it
+		// expands to MySQL as well:
+		//   https://cloud.google.com/sql/docs/postgres/authentication
+		if d.Protocol != defaults.ProtocolPostgres {
+			return trace.BadParameter("Cloud SQL IAM authentication is currently supported only for PostgreSQL databases, can't use database %q with protocol %q", d.Name, d.Protocol)
+		}
+		// TODO(r0mant): See if we can download it automatically similar to RDS:
+		// https://cloud.google.com/sql/docs/postgres/instance-info#rest-v1beta4
+		if len(d.CACert) == 0 {
+			return trace.BadParameter("missing Cloud SQL instance root certificate for database %q", d.Name)
+		}
+	}
 	return nil
 }
 

lib/service/cfg_test.go

@@ -22,6 +22,7 @@ import (
 
 	"github.com/gravitational/teleport/lib/backend/lite"
 	"github.com/gravitational/teleport/lib/defaults"
+	"github.com/gravitational/teleport/lib/fixtures"
 	"github.com/gravitational/teleport/lib/utils"
 
 	"github.com/stretchr/testify/require"
@@ -201,6 +202,73 @@ func TestCheckDatabase(t *testing.T) {
 			},
 			outErr: true,
 		},
+		{
+			desc: "GCP valid configuration",
+			inDatabase: Database{
+				Name:     "example",
+				Protocol: defaults.ProtocolPostgres,
+				URI:      "localhost:5432",
+				GCP: DatabaseGCP{
+					ProjectID:  "project-1",
+					InstanceID: "instance-1",
+				},
+				CACert: fixtures.LocalhostCert,
+			},
+			outErr: false,
+		},
+		{
+			desc: "GCP project ID specified without instance ID",
+			inDatabase: Database{
+				Name:     "example",
+				Protocol: defaults.ProtocolPostgres,
+				URI:      "localhost:5432",
+				GCP: DatabaseGCP{
+					ProjectID: "project-1",
+				},
+				CACert: fixtures.LocalhostCert,
+			},
+			outErr: true,
+		},
+		{
+			desc: "GCP instance ID specified without project ID",
+			inDatabase: Database{
+				Name:     "example",
+				Protocol: defaults.ProtocolPostgres,
+				URI:      "localhost:5432",
+				GCP: DatabaseGCP{
+					InstanceID: "instance-1",
+				},
+				CACert: fixtures.LocalhostCert,
+			},
+			outErr: true,
+		},
+		{
+			desc: "GCP root cert missing",
+			inDatabase: Database{
+				Name:     "example",
+				Protocol: defaults.ProtocolPostgres,
+				URI:      "localhost:5432",
+				GCP: DatabaseGCP{
+					ProjectID:  "project-1",
+					InstanceID: "instance-1",
+				},
+			},
+			outErr: true,
+		},
+		{
+			desc: "GCP unsupported for MySQL",
+			inDatabase: Database{
+				Name:     "example",
+				Protocol: defaults.ProtocolMySQL,
+				URI:      "localhost:3306",
+				GCP: DatabaseGCP{
+					ProjectID:  "project-1",
+					InstanceID: "instance-1",
+				},
+				CACert: fixtures.LocalhostCert,
+			},
+			outErr: true,
+		},
 	}
 	for _, test := range tests {
 		t.Run(test.desc, func(t *testing.T) {

lib/service/db.go

@@ -93,6 +93,7 @@ func (process *TeleportProcess) initDatabaseService() (retErr error) {
 				URI:           db.URI,
 				CACert:        db.CACert,
 				AWS:           types.AWS{Region: db.AWS.Region},
+				GCP:           types.GCPCloudSQL{ProjectID: db.GCP.ProjectID, InstanceID: db.GCP.InstanceID},
 				DynamicLabels: types.LabelsToV2(db.DynamicLabels),
 				Version:       teleport.Version,
 				Hostname:      process.Config.Hostname,

lib/services/databaseserver.go

@@ -40,6 +40,14 @@ const DatabaseServerSpecV3Schema = `{
 		  "region": {"type": "string"}
 		}
 	  },
+	  "gcp": {
+		"type": "object",
+		"additionalProperties": false,
+		"properties": {
+		  "project_id": {"type": "string"},
+		  "instance_id": {"type": "string"}
+		}
+	  },
 	  "version": {"type": "string"},
 	  "hostname": {"type": "string"},
 	  "host_id": {"type": "string"},

lib/srv/db/aws.go

@@ -33,14 +33,14 @@ import (
 func (s *Server) initRDSRootCert(ctx context.Context, server types.DatabaseServer) error {
 	// If this is not an AWS database, or CA was set explicitly, or it was
 	// already loaded, then nothing to do.
-	if server.GetType() != types.DatabaseTypeRDS || len(server.GetCA()) != 0 || len(s.rdsCACerts[server.GetRegion()]) != 0 {
+	if server.GetType() != types.DatabaseTypeRDS || len(server.GetCA()) != 0 || len(s.rdsCACerts[server.GetAWS().Region]) != 0 {
 		return nil
 	}
 	// This is a RDS/Aurora instance and CA certificate wasn't explicitly
 	// provided, so try to download it from AWS (or see if it's already
 	// been downloaded).
 	downloadURL := rdsDefaultCAURL
-	if u, ok := rdsCAURLs[server.GetRegion()]; ok {
+	if u, ok := rdsCAURLs[server.GetAWS().Region]; ok {
 		downloadURL = u
 	}
 	bytes, err := s.ensureRDSRootCert(downloadURL)
@@ -53,7 +53,7 @@ func (s *Server) initRDSRootCert(ctx context.Context, server types.DatabaseServe
 		return trace.Wrap(err, "RDS root certificate for %v doesn't appear to be a valid x509 certificate: %s",
 			server, bytes)
 	}
-	s.rdsCACerts[server.GetRegion()] = bytes
+	s.rdsCACerts[server.GetAWS().Region] = bytes
 	return nil
 }
 

lib/srv/db/common/auth.go

@@ -21,6 +21,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
+	"fmt"
 
 	"github.com/gravitational/teleport/api/client/proto"
 	"github.com/gravitational/teleport/lib/auth"
@@ -31,6 +32,10 @@ import (
 
 	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/service/rds/rdsutils"
+
+	gcpcredentials "cloud.google.com/go/iam/credentials/apiv1"
+	gcpcredentialspb "google.golang.org/genproto/googleapis/iam/credentials/v1"
+
 	"github.com/gravitational/trace"
 	"github.com/jonboulle/clockwork"
 	"github.com/sirupsen/logrus"
@@ -40,8 +45,12 @@ import (
 type AuthConfig struct {
 	// AuthClient is the cluster auth client.
 	AuthClient *auth.Client
-	// Credentials are the AWS credentials used to generate RDS auth tokens.
-	Credentials *credentials.Credentials
+	// AWSCredentials are the AWS credentials used to generate RDS auth tokens.
+	// May be empty when not proxying any RDS databases.
+	AWSCredentials *credentials.Credentials
+	// GCPIAM is the GCP IAM client used to generate GCP auth tokens.
+	// May be empty when not proxying any Cloud SQL databases.
+	GCPIAM *gcpcredentials.IamCredentialsClient
 	// RDSCACerts contains AWS RDS root certificates.
 	RDSCACerts map[string][]byte
 	// Clock is the clock implementation.
@@ -55,9 +64,6 @@ func (c *AuthConfig) CheckAndSetDefaults() error {
 	if c.AuthClient == nil {
 		return trace.BadParameter("missing AuthClient")
 	}
-	if c.Credentials == nil {
-		return trace.BadParameter("missing Credentials")
-	}
 	if c.Clock == nil {
 		c.Clock = clockwork.NewRealClock()
 	}
@@ -86,12 +92,46 @@ func NewAuth(config AuthConfig) (*Auth, error) {
 // GetRDSAuthToken returns authorization token that will be used as a password
 // when connecting to RDS and Aurora databases.
 func (a *Auth) GetRDSAuthToken(sessionCtx *Session) (string, error) {
-	a.cfg.Log.Debugf("Generating auth token for %s.", sessionCtx)
+	if a.cfg.AWSCredentials == nil {
+		return "", trace.BadParameter("AWS IAM client is not initialized")
+	}
+	a.cfg.Log.Debugf("Generating RDS auth token for %s.", sessionCtx)
 	return rdsutils.BuildAuthToken(
 		sessionCtx.Server.GetURI(),
-		sessionCtx.Server.GetRegion(),
+		sessionCtx.Server.GetAWS().Region,
 		sessionCtx.DatabaseUser,
-		a.cfg.Credentials)
+		a.cfg.AWSCredentials)
+}
+
+// GetCloudSQLAuthToken returns authorization token that will be used as a
+// password when connecting to Cloud SQL databases.
+func (a *Auth) GetCloudSQLAuthToken(ctx context.Context, sessionCtx *Session) (string, error) {
+	if a.cfg.GCPIAM == nil {
+		return "", trace.BadParameter("GCP IAM client is not initialized")
+	}
+	a.cfg.Log.Debugf("Generating GCP auth token for %s.", sessionCtx)
+	resp, err := a.cfg.GCPIAM.GenerateAccessToken(ctx,
+		&gcpcredentialspb.GenerateAccessTokenRequest{
+			// From GenerateAccessToken docs:
+			//
+			// The resource name of the service account for which the credentials
+			// are requested, in the following format:
+			//   projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}
+			Name: fmt.Sprintf("projects/-/serviceAccounts/%v.gserviceaccount.com", sessionCtx.DatabaseUser),
+			// From GenerateAccessToken docs:
+			//
+			// Code to identify the scopes to be included in the OAuth 2.0 access
+			// token:
+			//   https://developers.google.com/identity/protocols/oauth2/scopes
+			//   https://developers.google.com/identity/protocols/oauth2/scopes#sqladmin
+			Scope: []string{
+				"https://www.googleapis.com/auth/sqlservice.admin",
+			},
+		})
+	if err != nil {
+		return "", trace.Wrap(err)
+	}
+	return resp.AccessToken, nil
 }
 
 // GetTLSConfig builds the client TLS configuration for the session.
@@ -115,7 +155,7 @@ func (a *Auth) GetTLSConfig(ctx context.Context, sessionCtx *Session) (*tls.Conf
 			return nil, trace.BadParameter("invalid server CA certificate")
 		}
 	} else if sessionCtx.Server.IsRDS() {
-		if rdsCA, ok := a.cfg.RDSCACerts[sessionCtx.Server.GetRegion()]; ok {
+		if rdsCA, ok := a.cfg.RDSCACerts[sessionCtx.Server.GetAWS().Region]; ok {
 			if !tlsConfig.RootCAs.AppendCertsFromPEM(rdsCA) {
 				return nil, trace.BadParameter("invalid RDS CA certificate")
 			}
@@ -123,9 +163,37 @@ func (a *Auth) GetTLSConfig(ctx context.Context, sessionCtx *Session) (*tls.Conf
 			a.cfg.Log.Warnf("No RDS CA certificate for %v.", sessionCtx.Server)
 		}
 	}
-	// RDS/Aurora auth is done via an auth token so don't generate a client
-	// certificate and exit here.
-	if sessionCtx.Server.IsRDS() {
+	// You connect to Cloud SQL instances by IP and the certificate presented
+	// by the instance does not contain IP SANs so the default "full" certificate
+	// verification will always fail.
+	//
+	// In the docs they recommend disabling hostname verification when connecting
+	// e.g. with psql (verify-ca mode) reasoning that it's not required since
+	// CA is instance-specific:
+	//   https://cloud.google.com/sql/docs/postgres/connect-admin-ip
+	//
+	// They do encode <project-id>:<instance-id> in the CN field, which also
+	// wouldn't validate by default since CN has been deprecated and server
+	// name verification ignores it starting from Go 1.15.
+	//
+	// For this reason we're setting ServerName to <project-id>:<instance-id>,
+	// disabling default certificate verification and validating it ourselves.
+	//
+	// See the following Go issue for more context:
+	//   https://github.com/golang/go/issues/40748
+	if sessionCtx.Server.IsCloudSQL() {
+		// Cloud SQL server presented certificates encode instance names as
+		// "<project-id>:<instance-id>" in CommonName. This is verified against
+		// the ServerName in a custom connection verification step (see below).
+		tlsConfig.ServerName = fmt.Sprintf("%v:%v", sessionCtx.Server.GetGCP().ProjectID, sessionCtx.Server.GetGCP().InstanceID)
+		// This just disables default verification.
+		tlsConfig.InsecureSkipVerify = true
+		// This will verify CN and cert chain on each connection.
+		tlsConfig.VerifyConnection = getVerifyCloudSQLCertificate(tlsConfig.RootCAs)
+	}
+	// RDS/Aurora and Cloud SQL auth is done with an auth token so don't
+	// generate a client certificate and exit here.
+	if sessionCtx.Server.IsRDS() || sessionCtx.Server.IsCloudSQL() {
 		return tlsConfig, nil
 	}
 	// Otherwise, when connecting to an onprem database, generate a client
@@ -179,3 +247,25 @@ func (a *Auth) getClientCert(ctx context.Context, sessionCtx *Session) (cert *tl
 func (a *Auth) GetAuthPreference() (services.AuthPreference, error) {
 	return a.cfg.AuthClient.GetAuthPreference()
 }
+
+// getVerifyCloudSQLCertificate returns a function that performs verification
+// of server certificate presented by a Cloud SQL database instance.
+func getVerifyCloudSQLCertificate(roots *x509.CertPool) func(tls.ConnectionState) error {
+	return func(cs tls.ConnectionState) error {
+		if len(cs.PeerCertificates) < 1 {
+			return trace.AccessDenied("Cloud SQL instance didn't present a certificate")
+		}
+		// CN has been deprecated for a while, but Cloud SQL instances still use
+		// it to encode instance name in the form of <project-id>:<instance-id>.
+		commonName := cs.PeerCertificates[0].Subject.CommonName
+		if commonName != cs.ServerName {
+			return trace.AccessDenied("Cloud SQL certificate CommonName validation failed: expected %q, got %q", cs.ServerName, commonName)
+		}
+		opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool()}
+		for _, cert := range cs.PeerCertificates[1:] {
+			opts.Intermediates.AddCert(cert)
+		}
+		_, err := cs.PeerCertificates[0].Verify(opts)
+		return err
+	}
+}

lib/srv/db/postgres/engine.go

@@ -22,6 +22,7 @@ import (
 	"fmt"
 	"net"
 
+	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/srv/db/common"
 
@@ -339,13 +340,19 @@ func (e *Engine) getConnectConfig(ctx context.Context, sessionCtx *common.Sessio
 	config.Fallbacks = nil
 	// Set startup parameters that the client sent us.
 	config.RuntimeParams = sessionCtx.StartupParameters
-	// RDS/Aurora use IAM authentication so request an auth token and
-	// use it as a password.
-	if sessionCtx.Server.IsRDS() {
+	// AWS RDS/Aurora and GCP Cloud SQL use IAM authentication so request an
+	// auth token and use it as a password.
+	switch sessionCtx.Server.GetType() {
+	case types.DatabaseTypeRDS:
 		config.Password, err = e.Auth.GetRDSAuthToken(sessionCtx)
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}
+	case types.DatabaseTypeCloudSQL:
+		config.Password, err = e.Auth.GetCloudSQLAuthToken(ctx, sessionCtx)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
 	}
 	// TLS config will use client certificate for an onprem database or
 	// will contain RDS root certificate for RDS/Aurora.

lib/srv/db/server.go

@@ -35,8 +35,10 @@ import (
 	"github.com/gravitational/teleport/lib/srv/db/postgres"
 	"github.com/gravitational/teleport/lib/utils"
 
+	gcpcredentials "cloud.google.com/go/iam/credentials/apiv1"
 	"github.com/aws/aws-sdk-go/aws/credentials"
 	awssession "github.com/aws/aws-sdk-go/aws/session"
+
 	"github.com/gravitational/trace"
 	"github.com/jonboulle/clockwork"
 	"github.com/pborman/uuid"
@@ -62,16 +64,18 @@ type Config struct {
 	// GetRotation returns the certificate rotation state.
 	GetRotation func(role teleport.Role) (*services.Rotation, error)
 	// Servers contains a list of database servers this service proxies.
-	Servers []types.DatabaseServer
-	// Credentials are credentials to AWS API.
-	Credentials *credentials.Credentials
+	Servers types.DatabaseServers
+	// AWSCredentials are credentials to AWS API.
+	AWSCredentials *credentials.Credentials
+	// GCPIAM is the GCP IAM client.
+	GCPIAM *gcpcredentials.IamCredentialsClient
 	// OnHeartbeat is called after every heartbeat. Used to update process state.
 	OnHeartbeat func(error)
 }
 
 // CheckAndSetDefaults makes sure the configuration has the minimum required
 // to function.
-func (c *Config) CheckAndSetDefaults() error {
+func (c *Config) CheckAndSetDefaults(ctx context.Context) error {
 	if c.Clock == nil {
 		c.Clock = clockwork.NewRealClock()
 	}
@@ -99,14 +103,23 @@ func (c *Config) CheckAndSetDefaults() error {
 	if len(c.Servers) == 0 {
 		return trace.BadParameter("missing Servers")
 	}
-	if c.Credentials == nil {
+	// Only initialize AWS session if this service is proxying any RDS databases.
+	if c.AWSCredentials == nil && c.Servers.HasRDS() {
 		session, err := awssession.NewSessionWithOptions(awssession.Options{
 			SharedConfigState: awssession.SharedConfigEnable,
 		})
 		if err != nil {
 			return trace.Wrap(err)
 		}
-		c.Credentials = session.Config.Credentials
+		c.AWSCredentials = session.Config.Credentials
+	}
+	// Only initialize GCP IAM client if this service is proxying any Cloud SQL databases.
+	if c.GCPIAM == nil && c.Servers.HasGCP() {
+		iamClient, err := gcpcredentials.NewIamCredentialsClient(ctx)
+		if err != nil {
+			return trace.Wrap(err)
+		}
+		c.GCPIAM = iamClient
 	}
 	return nil
 }
@@ -136,7 +149,7 @@ type Server struct {
 
 // New returns a new database server.
 func New(ctx context.Context, config Config) (*Server, error) {
-	err := config.CheckAndSetDefaults()
+	err := config.CheckAndSetDefaults(ctx)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
@@ -273,6 +286,10 @@ func (s *Server) Close() error {
 	for _, heartbeat := range s.heartbeats {
 		errors = append(errors, heartbeat.Close())
 	}
+	// Close the GCP IAM client if needed.
+	if s.cfg.GCPIAM != nil {
+		errors = append(errors, s.cfg.GCPIAM.Close())
+	}
 	return trace.NewAggregate(errors...)
 }
 
@@ -355,10 +372,11 @@ func (s *Server) handleConnection(ctx context.Context, conn net.Conn) error {
 // dispatch returns an appropriate database engine for the session.
 func (s *Server) dispatch(sessionCtx *common.Session, streamWriter events.StreamWriter) (common.Engine, error) {
 	auth, err := common.NewAuth(common.AuthConfig{
-		AuthClient:  s.cfg.AuthClient,
-		Credentials: s.cfg.Credentials,
-		RDSCACerts:  s.rdsCACerts,
-		Clock:       s.cfg.Clock,
+		AuthClient:     s.cfg.AuthClient,
+		AWSCredentials: s.cfg.AWSCredentials,
+		GCPIAM:         s.cfg.GCPIAM,
+		RDSCACerts:     s.rdsCACerts,
+		Clock:          s.cfg.Clock,
 	})
 	if err != nil {
 		return nil, trace.Wrap(err)

vendor/cloud.google.com/go/iam/credentials/apiv1/doc.go

@@ -0,0 +1,105 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Code generated by protoc-gen-go_gapic. DO NOT EDIT.
+
+// Package credentials is an auto-generated package for the
+// IAM Service Account Credentials API.
+//
+// Creates short-lived, limited-privilege credentials for IAM service
+// accounts.
+//
+// Use of Context
+//
+// The ctx passed to NewClient is used for authentication requests and
+// for creating the underlying connection, but is not used for subsequent calls.
+// Individual methods on the client use the ctx given to them.
+//
+// To close the open connection, use the Close() method.
+//
+// For information about setting deadlines, reusing contexts, and more
+// please visit godoc.org/cloud.google.com/go.
+package credentials // import "cloud.google.com/go/iam/credentials/apiv1"
+
+import (
+	"context"
+	"runtime"
+	"strings"
+	"unicode"
+
+	"google.golang.org/api/option"
+	"google.golang.org/grpc/metadata"
+)
+
+// For more information on implementing a client constructor hook, see
+// https://github.com/googleapis/google-cloud-go/wiki/Customizing-constructors.
+type clientHookParams struct{}
+type clientHook func(context.Context, clientHookParams) ([]option.ClientOption, error)
+
+const versionClient = "20200629"
+
+func insertMetadata(ctx context.Context, mds ...metadata.MD) context.Context {
+	out, _ := metadata.FromOutgoingContext(ctx)
+	out = out.Copy()
+	for _, md := range mds {
+		for k, v := range md {
+			out[k] = append(out[k], v...)
+		}
+	}
+	return metadata.NewOutgoingContext(ctx, out)
+}
+
+// DefaultAuthScopes reports the default set of authentication scopes to use with this package.
+func DefaultAuthScopes() []string {
+	return []string{
+		"https://www.googleapis.com/auth/cloud-platform",
+	}
+}
+
+// versionGo returns the Go runtime version. The returned string
+// has no whitespace, suitable for reporting in header.
+func versionGo() string {
+	const develPrefix = "devel +"
+
+	s := runtime.Version()
+	if strings.HasPrefix(s, develPrefix) {
+		s = s[len(develPrefix):]
+		if p := strings.IndexFunc(s, unicode.IsSpace); p >= 0 {
+			s = s[:p]
+		}
+		return s
+	}
+
+	notSemverRune := func(r rune) bool {
+		return !strings.ContainsRune("0123456789.", r)
+	}
+
+	if strings.HasPrefix(s, "go1") {
+		s = s[2:]
+		var prerelease string
+		if p := strings.IndexFunc(s, notSemverRune); p >= 0 {
+			s, prerelease = s[:p], s[p:]
+		}
+		if strings.HasSuffix(s, ".") {
+			s += "0"
+		} else if strings.Count(s, ".") < 2 {
+			s += ".0"
+		}
+		if prerelease != "" {
+			s += "-" + prerelease
+		}
+		return s
+	}
+	return "UNKNOWN"
+}

vendor/cloud.google.com/go/iam/credentials/apiv1/iam_credentials_client.go

@@ -0,0 +1,250 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Code generated by protoc-gen-go_gapic. DO NOT EDIT.
+
+package credentials
+
+import (
+	"context"
+	"fmt"
+	"math"
+	"net/url"
+	"time"
+
+	gax "github.com/googleapis/gax-go/v2"
+	"google.golang.org/api/option"
+	gtransport "google.golang.org/api/transport/grpc"
+	credentialspb "google.golang.org/genproto/googleapis/iam/credentials/v1"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/metadata"
+)
+
+var newIamCredentialsClientHook clientHook
+
+// IamCredentialsCallOptions contains the retry settings for each method of IamCredentialsClient.
+type IamCredentialsCallOptions struct {
+	GenerateAccessToken []gax.CallOption
+	GenerateIdToken     []gax.CallOption
+	SignBlob            []gax.CallOption
+	SignJwt             []gax.CallOption
+}
+
+func defaultIamCredentialsClientOptions() []option.ClientOption {
+	return []option.ClientOption{
+		option.WithEndpoint("iamcredentials.googleapis.com:443"),
+		option.WithGRPCDialOption(grpc.WithDisableServiceConfig()),
+		option.WithScopes(DefaultAuthScopes()...),
+		option.WithGRPCDialOption(grpc.WithDefaultCallOptions(
+			grpc.MaxCallRecvMsgSize(math.MaxInt32))),
+	}
+}
+
+func defaultIamCredentialsCallOptions() *IamCredentialsCallOptions {
+	return &IamCredentialsCallOptions{
+		GenerateAccessToken: []gax.CallOption{
+			gax.WithRetry(func() gax.Retryer {
+				return gax.OnCodes([]codes.Code{
+					codes.Unavailable,
+					codes.DeadlineExceeded,
+				}, gax.Backoff{
+					Initial:    100 * time.Millisecond,
+					Max:        60000 * time.Millisecond,
+					Multiplier: 1.30,
+				})
+			}),
+		},
+		GenerateIdToken: []gax.CallOption{
+			gax.WithRetry(func() gax.Retryer {
+				return gax.OnCodes([]codes.Code{
+					codes.Unavailable,
+					codes.DeadlineExceeded,
+				}, gax.Backoff{
+					Initial:    100 * time.Millisecond,
+					Max:        60000 * time.Millisecond,
+					Multiplier: 1.30,
+				})
+			}),
+		},
+		SignBlob: []gax.CallOption{
+			gax.WithRetry(func() gax.Retryer {
+				return gax.OnCodes([]codes.Code{
+					codes.Unavailable,
+					codes.DeadlineExceeded,
+				}, gax.Backoff{
+					Initial:    100 * time.Millisecond,
+					Max:        60000 * time.Millisecond,
+					Multiplier: 1.30,
+				})
+			}),
+		},
+		SignJwt: []gax.CallOption{
+			gax.WithRetry(func() gax.Retryer {
+				return gax.OnCodes([]codes.Code{
+					codes.Unavailable,
+					codes.DeadlineExceeded,
+				}, gax.Backoff{
+					Initial:    100 * time.Millisecond,
+					Max:        60000 * time.Millisecond,
+					Multiplier: 1.30,
+				})
+			}),
+		},
+	}
+}
+
+// IamCredentialsClient is a client for interacting with IAM Service Account Credentials API.
+//
+// Methods, except Close, may be called concurrently. However, fields must not be modified concurrently with method calls.
+type IamCredentialsClient struct {
+	// Connection pool of gRPC connections to the service.
+	connPool gtransport.ConnPool
+
+	// The gRPC API client.
+	iamCredentialsClient credentialspb.IAMCredentialsClient
+
+	// The call options for this service.
+	CallOptions *IamCredentialsCallOptions
+
+	// The x-goog-* metadata to be sent with each request.
+	xGoogMetadata metadata.MD
+}
+
+// NewIamCredentialsClient creates a new iam credentials client.
+//
+// A service account is a special type of Google account that belongs to your
+// application or a virtual machine (VM), instead of to an individual end user.
+// Your application assumes the identity of the service account to call Google
+// APIs, so that the users aren’t directly involved.
+//
+// Service account credentials are used to temporarily assume the identity
+// of the service account. Supported credential types include OAuth 2.0 access
+// tokens, OpenID Connect ID tokens, self-signed JSON Web Tokens (JWTs), and
+// more.
+func NewIamCredentialsClient(ctx context.Context, opts ...option.ClientOption) (*IamCredentialsClient, error) {
+	clientOpts := defaultIamCredentialsClientOptions()
+
+	if newIamCredentialsClientHook != nil {
+		hookOpts, err := newIamCredentialsClientHook(ctx, clientHookParams{})
+		if err != nil {
+			return nil, err
+		}
+		clientOpts = append(clientOpts, hookOpts...)
+	}
+
+	connPool, err := gtransport.DialPool(ctx, append(clientOpts, opts...)...)
+	if err != nil {
+		return nil, err
+	}
+	c := &IamCredentialsClient{
+		connPool:    connPool,
+		CallOptions: defaultIamCredentialsCallOptions(),
+
+		iamCredentialsClient: credentialspb.NewIAMCredentialsClient(connPool),
+	}
+	c.setGoogleClientInfo()
+
+	return c, nil
+}
+
+// Connection returns a connection to the API service.
+//
+// Deprecated.
+func (c *IamCredentialsClient) Connection() *grpc.ClientConn {
+	return c.connPool.Conn()
+}
+
+// Close closes the connection to the API service. The user should invoke this when
+// the client is no longer required.
+func (c *IamCredentialsClient) Close() error {
+	return c.connPool.Close()
+}
+
+// setGoogleClientInfo sets the name and version of the application in
+// the `x-goog-api-client` header passed on each request. Intended for
+// use by Google-written clients.
+func (c *IamCredentialsClient) setGoogleClientInfo(keyval ...string) {
+	kv := append([]string{"gl-go", versionGo()}, keyval...)
+	kv = append(kv, "gapic", versionClient, "gax", gax.Version, "grpc", grpc.Version)
+	c.xGoogMetadata = metadata.Pairs("x-goog-api-client", gax.XGoogHeader(kv...))
+}
+
+// GenerateAccessToken generates an OAuth 2.0 access token for a service account.
+func (c *IamCredentialsClient) GenerateAccessToken(ctx context.Context, req *credentialspb.GenerateAccessTokenRequest, opts ...gax.CallOption) (*credentialspb.GenerateAccessTokenResponse, error) {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "name", url.QueryEscape(req.GetName())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.GenerateAccessToken[0:len(c.CallOptions.GenerateAccessToken):len(c.CallOptions.GenerateAccessToken)], opts...)
+	var resp *credentialspb.GenerateAccessTokenResponse
+	err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+		var err error
+		resp, err = c.iamCredentialsClient.GenerateAccessToken(ctx, req, settings.GRPC...)
+		return err
+	}, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
+// GenerateIdToken generates an OpenID Connect ID token for a service account.
+func (c *IamCredentialsClient) GenerateIdToken(ctx context.Context, req *credentialspb.GenerateIdTokenRequest, opts ...gax.CallOption) (*credentialspb.GenerateIdTokenResponse, error) {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "name", url.QueryEscape(req.GetName())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.GenerateIdToken[0:len(c.CallOptions.GenerateIdToken):len(c.CallOptions.GenerateIdToken)], opts...)
+	var resp *credentialspb.GenerateIdTokenResponse
+	err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+		var err error
+		resp, err = c.iamCredentialsClient.GenerateIdToken(ctx, req, settings.GRPC...)
+		return err
+	}, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
+// SignBlob signs a blob using a service account’s system-managed private key.
+func (c *IamCredentialsClient) SignBlob(ctx context.Context, req *credentialspb.SignBlobRequest, opts ...gax.CallOption) (*credentialspb.SignBlobResponse, error) {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "name", url.QueryEscape(req.GetName())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.SignBlob[0:len(c.CallOptions.SignBlob):len(c.CallOptions.SignBlob)], opts...)
+	var resp *credentialspb.SignBlobResponse
+	err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+		var err error
+		resp, err = c.iamCredentialsClient.SignBlob(ctx, req, settings.GRPC...)
+		return err
+	}, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
+// SignJwt signs a JWT using a service account’s system-managed private key.
+func (c *IamCredentialsClient) SignJwt(ctx context.Context, req *credentialspb.SignJwtRequest, opts ...gax.CallOption) (*credentialspb.SignJwtResponse, error) {
+	md := metadata.Pairs("x-goog-request-params", fmt.Sprintf("%s=%v", "name", url.QueryEscape(req.GetName())))
+	ctx = insertMetadata(ctx, c.xGoogMetadata, md)
+	opts = append(c.CallOptions.SignJwt[0:len(c.CallOptions.SignJwt):len(c.CallOptions.SignJwt)], opts...)
+	var resp *credentialspb.SignJwtResponse
+	err := gax.Invoke(ctx, func(ctx context.Context, settings gax.CallSettings) error {
+		var err error
+		resp, err = c.iamCredentialsClient.SignJwt(ctx, req, settings.GRPC...)
+		return err
+	}, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}

vendor/google.golang.org/genproto/googleapis/iam/credentials/v1/common.pb.go

@@ -0,0 +1,858 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.25.0
+// 	protoc        v3.13.0
+// source: google/iam/credentials/v1/common.proto
+
+package credentials
+
+import (
+	reflect "reflect"
+	sync "sync"
+
+	proto "github.com/golang/protobuf/proto"
+	_ "google.golang.org/genproto/googleapis/api/annotations"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	durationpb "google.golang.org/protobuf/types/known/durationpb"
+	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+// This is a compile-time assertion that a sufficiently up-to-date version
+// of the legacy proto package is being used.
+const _ = proto.ProtoPackageIsVersion4
+
+type GenerateAccessTokenRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// Required. The resource name of the service account for which the credentials
+	// are requested, in the following format:
+	// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
+	// character is required; replacing it with a project ID is invalid.
+	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	// The sequence of service accounts in a delegation chain. Each service
+	// account must be granted the `roles/iam.serviceAccountTokenCreator` role
+	// on its next service account in the chain. The last service account in the
+	// chain must be granted the `roles/iam.serviceAccountTokenCreator` role
+	// on the service account that is specified in the `name` field of the
+	// request.
+	//
+	// The delegates must have the following format:
+	// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
+	// character is required; replacing it with a project ID is invalid.
+	Delegates []string `protobuf:"bytes,2,rep,name=delegates,proto3" json:"delegates,omitempty"`
+	// Required. Code to identify the scopes to be included in the OAuth 2.0 access token.
+	// See https://developers.google.com/identity/protocols/googlescopes for more
+	// information.
+	// At least one value required.
+	Scope []string `protobuf:"bytes,4,rep,name=scope,proto3" json:"scope,omitempty"`
+	// The desired lifetime duration of the access token in seconds.
+	// Must be set to a value less than or equal to 3600 (1 hour). If a value is
+	// not specified, the token's lifetime will be set to a default value of one
+	// hour.
+	Lifetime *durationpb.Duration `protobuf:"bytes,7,opt,name=lifetime,proto3" json:"lifetime,omitempty"`
+}
+
+func (x *GenerateAccessTokenRequest) Reset() {
+	*x = GenerateAccessTokenRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_google_iam_credentials_v1_common_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GenerateAccessTokenRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GenerateAccessTokenRequest) ProtoMessage() {}
+
+func (x *GenerateAccessTokenRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_google_iam_credentials_v1_common_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GenerateAccessTokenRequest.ProtoReflect.Descriptor instead.
+func (*GenerateAccessTokenRequest) Descriptor() ([]byte, []int) {
+	return file_google_iam_credentials_v1_common_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *GenerateAccessTokenRequest) GetName() string {
+	if x != nil {
+		return x.Name
+	}
+	return ""
+}
+
+func (x *GenerateAccessTokenRequest) GetDelegates() []string {
+	if x != nil {
+		return x.Delegates
+	}
+	return nil
+}
+
+func (x *GenerateAccessTokenRequest) GetScope() []string {
+	if x != nil {
+		return x.Scope
+	}
+	return nil
+}
+
+func (x *GenerateAccessTokenRequest) GetLifetime() *durationpb.Duration {
+	if x != nil {
+		return x.Lifetime
+	}
+	return nil
+}
+
+type GenerateAccessTokenResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// The OAuth 2.0 access token.
+	AccessToken string `protobuf:"bytes,1,opt,name=access_token,json=accessToken,proto3" json:"access_token,omitempty"`
+	// Token expiration time.
+	// The expiration time is always set.
+	ExpireTime *timestamppb.Timestamp `protobuf:"bytes,3,opt,name=expire_time,json=expireTime,proto3" json:"expire_time,omitempty"`
+}
+
+func (x *GenerateAccessTokenResponse) Reset() {
+	*x = GenerateAccessTokenResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_google_iam_credentials_v1_common_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GenerateAccessTokenResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GenerateAccessTokenResponse) ProtoMessage() {}
+
+func (x *GenerateAccessTokenResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_google_iam_credentials_v1_common_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GenerateAccessTokenResponse.ProtoReflect.Descriptor instead.
+func (*GenerateAccessTokenResponse) Descriptor() ([]byte, []int) {
+	return file_google_iam_credentials_v1_common_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *GenerateAccessTokenResponse) GetAccessToken() string {
+	if x != nil {
+		return x.AccessToken
+	}
+	return ""
+}
+
+func (x *GenerateAccessTokenResponse) GetExpireTime() *timestamppb.Timestamp {
+	if x != nil {
+		return x.ExpireTime
+	}
+	return nil
+}
+
+type SignBlobRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// Required. The resource name of the service account for which the credentials
+	// are requested, in the following format:
+	// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
+	// character is required; replacing it with a project ID is invalid.
+	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	// The sequence of service accounts in a delegation chain. Each service
+	// account must be granted the `roles/iam.serviceAccountTokenCreator` role
+	// on its next service account in the chain. The last service account in the
+	// chain must be granted the `roles/iam.serviceAccountTokenCreator` role
+	// on the service account that is specified in the `name` field of the
+	// request.
+	//
+	// The delegates must have the following format:
+	// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
+	// character is required; replacing it with a project ID is invalid.
+	Delegates []string `protobuf:"bytes,3,rep,name=delegates,proto3" json:"delegates,omitempty"`
+	// Required. The bytes to sign.
+	Payload []byte `protobuf:"bytes,5,opt,name=payload,proto3" json:"payload,omitempty"`
+}
+
+func (x *SignBlobRequest) Reset() {
+	*x = SignBlobRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_google_iam_credentials_v1_common_proto_msgTypes[2]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SignBlobRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SignBlobRequest) ProtoMessage() {}
+
+func (x *SignBlobRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_google_iam_credentials_v1_common_proto_msgTypes[2]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SignBlobRequest.ProtoReflect.Descriptor instead.
+func (*SignBlobRequest) Descriptor() ([]byte, []int) {
+	return file_google_iam_credentials_v1_common_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *SignBlobRequest) GetName() string {
+	if x != nil {
+		return x.Name
+	}
+	return ""
+}
+
+func (x *SignBlobRequest) GetDelegates() []string {
+	if x != nil {
+		return x.Delegates
+	}
+	return nil
+}
+
+func (x *SignBlobRequest) GetPayload() []byte {
+	if x != nil {
+		return x.Payload
+	}
+	return nil
+}
+
+type SignBlobResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// The ID of the key used to sign the blob.
+	KeyId string `protobuf:"bytes,1,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"`
+	// The signed blob.
+	SignedBlob []byte `protobuf:"bytes,4,opt,name=signed_blob,json=signedBlob,proto3" json:"signed_blob,omitempty"`
+}
+
+func (x *SignBlobResponse) Reset() {
+	*x = SignBlobResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_google_iam_credentials_v1_common_proto_msgTypes[3]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SignBlobResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SignBlobResponse) ProtoMessage() {}
+
+func (x *SignBlobResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_google_iam_credentials_v1_common_proto_msgTypes[3]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SignBlobResponse.ProtoReflect.Descriptor instead.
+func (*SignBlobResponse) Descriptor() ([]byte, []int) {
+	return file_google_iam_credentials_v1_common_proto_rawDescGZIP(), []int{3}
+}
+
+func (x *SignBlobResponse) GetKeyId() string {
+	if x != nil {
+		return x.KeyId
+	}
+	return ""
+}
+
+func (x *SignBlobResponse) GetSignedBlob() []byte {
+	if x != nil {
+		return x.SignedBlob
+	}
+	return nil
+}
+
+type SignJwtRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// Required. The resource name of the service account for which the credentials
+	// are requested, in the following format:
+	// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
+	// character is required; replacing it with a project ID is invalid.
+	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	// The sequence of service accounts in a delegation chain. Each service
+	// account must be granted the `roles/iam.serviceAccountTokenCreator` role
+	// on its next service account in the chain. The last service account in the
+	// chain must be granted the `roles/iam.serviceAccountTokenCreator` role
+	// on the service account that is specified in the `name` field of the
+	// request.
+	//
+	// The delegates must have the following format:
+	// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
+	// character is required; replacing it with a project ID is invalid.
+	Delegates []string `protobuf:"bytes,3,rep,name=delegates,proto3" json:"delegates,omitempty"`
+	// Required. The JWT payload to sign: a JSON object that contains a JWT Claims Set.
+	Payload string `protobuf:"bytes,5,opt,name=payload,proto3" json:"payload,omitempty"`
+}
+
+func (x *SignJwtRequest) Reset() {
+	*x = SignJwtRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_google_iam_credentials_v1_common_proto_msgTypes[4]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SignJwtRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SignJwtRequest) ProtoMessage() {}
+
+func (x *SignJwtRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_google_iam_credentials_v1_common_proto_msgTypes[4]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SignJwtRequest.ProtoReflect.Descriptor instead.
+func (*SignJwtRequest) Descriptor() ([]byte, []int) {
+	return file_google_iam_credentials_v1_common_proto_rawDescGZIP(), []int{4}
+}
+
+func (x *SignJwtRequest) GetName() string {
+	if x != nil {
+		return x.Name
+	}
+	return ""
+}
+
+func (x *SignJwtRequest) GetDelegates() []string {
+	if x != nil {
+		return x.Delegates
+	}
+	return nil
+}
+
+func (x *SignJwtRequest) GetPayload() string {
+	if x != nil {
+		return x.Payload
+	}
+	return ""
+}
+
+type SignJwtResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// The ID of the key used to sign the JWT.
+	KeyId string `protobuf:"bytes,1,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"`
+	// The signed JWT.
+	SignedJwt string `protobuf:"bytes,2,opt,name=signed_jwt,json=signedJwt,proto3" json:"signed_jwt,omitempty"`
+}
+
+func (x *SignJwtResponse) Reset() {
+	*x = SignJwtResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_google_iam_credentials_v1_common_proto_msgTypes[5]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SignJwtResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SignJwtResponse) ProtoMessage() {}
+
+func (x *SignJwtResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_google_iam_credentials_v1_common_proto_msgTypes[5]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SignJwtResponse.ProtoReflect.Descriptor instead.
+func (*SignJwtResponse) Descriptor() ([]byte, []int) {
+	return file_google_iam_credentials_v1_common_proto_rawDescGZIP(), []int{5}
+}
+
+func (x *SignJwtResponse) GetKeyId() string {
+	if x != nil {
+		return x.KeyId
+	}
+	return ""
+}
+
+func (x *SignJwtResponse) GetSignedJwt() string {
+	if x != nil {
+		return x.SignedJwt
+	}
+	return ""
+}
+
+type GenerateIdTokenRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// Required. The resource name of the service account for which the credentials
+	// are requested, in the following format:
+	// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
+	// character is required; replacing it with a project ID is invalid.
+	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	// The sequence of service accounts in a delegation chain. Each service
+	// account must be granted the `roles/iam.serviceAccountTokenCreator` role
+	// on its next service account in the chain. The last service account in the
+	// chain must be granted the `roles/iam.serviceAccountTokenCreator` role
+	// on the service account that is specified in the `name` field of the
+	// request.
+	//
+	// The delegates must have the following format:
+	// `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
+	// character is required; replacing it with a project ID is invalid.
+	Delegates []string `protobuf:"bytes,2,rep,name=delegates,proto3" json:"delegates,omitempty"`
+	// Required. The audience for the token, such as the API or account that this token
+	// grants access to.
+	Audience string `protobuf:"bytes,3,opt,name=audience,proto3" json:"audience,omitempty"`
+	// Include the service account email in the token. If set to `true`, the
+	// token will contain `email` and `email_verified` claims.
+	IncludeEmail bool `protobuf:"varint,4,opt,name=include_email,json=includeEmail,proto3" json:"include_email,omitempty"`
+}
+
+func (x *GenerateIdTokenRequest) Reset() {
+	*x = GenerateIdTokenRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_google_iam_credentials_v1_common_proto_msgTypes[6]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GenerateIdTokenRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GenerateIdTokenRequest) ProtoMessage() {}
+
+func (x *GenerateIdTokenRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_google_iam_credentials_v1_common_proto_msgTypes[6]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GenerateIdTokenRequest.ProtoReflect.Descriptor instead.
+func (*GenerateIdTokenRequest) Descriptor() ([]byte, []int) {
+	return file_google_iam_credentials_v1_common_proto_rawDescGZIP(), []int{6}
+}
+
+func (x *GenerateIdTokenRequest) GetName() string {
+	if x != nil {
+		return x.Name
+	}
+	return ""
+}
+
+func (x *GenerateIdTokenRequest) GetDelegates() []string {
+	if x != nil {
+		return x.Delegates
+	}
+	return nil
+}
+
+func (x *GenerateIdTokenRequest) GetAudience() string {
+	if x != nil {
+		return x.Audience
+	}
+	return ""
+}
+
+func (x *GenerateIdTokenRequest) GetIncludeEmail() bool {
+	if x != nil {
+		return x.IncludeEmail
+	}
+	return false
+}
+
+type GenerateIdTokenResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// The OpenId Connect ID token.
+	Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"`
+}
+
+func (x *GenerateIdTokenResponse) Reset() {
+	*x = GenerateIdTokenResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_google_iam_credentials_v1_common_proto_msgTypes[7]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GenerateIdTokenResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GenerateIdTokenResponse) ProtoMessage() {}
+
+func (x *GenerateIdTokenResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_google_iam_credentials_v1_common_proto_msgTypes[7]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GenerateIdTokenResponse.ProtoReflect.Descriptor instead.
+func (*GenerateIdTokenResponse) Descriptor() ([]byte, []int) {
+	return file_google_iam_credentials_v1_common_proto_rawDescGZIP(), []int{7}
+}
+
+func (x *GenerateIdTokenResponse) GetToken() string {
+	if x != nil {
+		return x.Token
+	}
+	return ""
+}
+
+var File_google_iam_credentials_v1_common_proto protoreflect.FileDescriptor
+
+var file_google_iam_credentials_v1_common_proto_rawDesc = []byte{
+	0x0a, 0x26, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x69, 0x61, 0x6d, 0x2f, 0x63, 0x72, 0x65,
+	0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x2f, 0x76, 0x31, 0x2f, 0x63, 0x6f, 0x6d, 0x6d,
+	0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x19, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
+	0x2e, 0x69, 0x61, 0x6d, 0x2e, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73,
+	0x2e, 0x76, 0x31, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f,
+	0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, 0x70,
+	0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x19, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69,
+	0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a,
+	0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
+	0x2f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a,
+	0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
+	0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x22, 0xcb, 0x01, 0x0a, 0x1a, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x41, 0x63, 0x63,
+	0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12,
+	0x3d, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x29, 0xe0,
+	0x41, 0x02, 0xfa, 0x41, 0x23, 0x0a, 0x21, 0x69, 0x61, 0x6d, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
+	0x65, 0x61, 0x70, 0x69, 0x73, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63,
+	0x65, 0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1c,
+	0x0a, 0x09, 0x64, 0x65, 0x6c, 0x65, 0x67, 0x61, 0x74, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28,
+	0x09, 0x52, 0x09, 0x64, 0x65, 0x6c, 0x65, 0x67, 0x61, 0x74, 0x65, 0x73, 0x12, 0x19, 0x0a, 0x05,
+	0x73, 0x63, 0x6f, 0x70, 0x65, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02,
+	0x52, 0x05, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x12, 0x35, 0x0a, 0x08, 0x6c, 0x69, 0x66, 0x65, 0x74,
+	0x69, 0x6d, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67,
+	0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61,
+	0x74, 0x69, 0x6f, 0x6e, 0x52, 0x08, 0x6c, 0x69, 0x66, 0x65, 0x74, 0x69, 0x6d, 0x65, 0x22, 0x7d,
+	0x0a, 0x1b, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73,
+	0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x21, 0x0a,
+	0x0c, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x0b, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e,
+	0x12, 0x3b, 0x0a, 0x0b, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x18,
+	0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70,
+	0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d,
+	0x70, 0x52, 0x0a, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x54, 0x69, 0x6d, 0x65, 0x22, 0x8d, 0x01,
+	0x0a, 0x0f, 0x53, 0x69, 0x67, 0x6e, 0x42, 0x6c, 0x6f, 0x62, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+	0x74, 0x12, 0x3d, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42,
+	0x29, 0xe0, 0x41, 0x02, 0xfa, 0x41, 0x23, 0x0a, 0x21, 0x69, 0x61, 0x6d, 0x2e, 0x67, 0x6f, 0x6f,
+	0x67, 0x6c, 0x65, 0x61, 0x70, 0x69, 0x73, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x53, 0x65, 0x72, 0x76,
+	0x69, 0x63, 0x65, 0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65,
+	0x12, 0x1c, 0x0a, 0x09, 0x64, 0x65, 0x6c, 0x65, 0x67, 0x61, 0x74, 0x65, 0x73, 0x18, 0x03, 0x20,
+	0x03, 0x28, 0x09, 0x52, 0x09, 0x64, 0x65, 0x6c, 0x65, 0x67, 0x61, 0x74, 0x65, 0x73, 0x12, 0x1d,
+	0x0a, 0x07, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0c, 0x42,
+	0x03, 0xe0, 0x41, 0x02, 0x52, 0x07, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x22, 0x4a, 0x0a,
+	0x10, 0x53, 0x69, 0x67, 0x6e, 0x42, 0x6c, 0x6f, 0x62, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+	0x65, 0x12, 0x15, 0x0a, 0x06, 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x05, 0x6b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x69, 0x67, 0x6e,
+	0x65, 0x64, 0x5f, 0x62, 0x6c, 0x6f, 0x62, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x73,
+	0x69, 0x67, 0x6e, 0x65, 0x64, 0x42, 0x6c, 0x6f, 0x62, 0x22, 0x8c, 0x01, 0x0a, 0x0e, 0x53, 0x69,
+	0x67, 0x6e, 0x4a, 0x77, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x3d, 0x0a, 0x04,
+	0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x29, 0xe0, 0x41, 0x02, 0xfa,
+	0x41, 0x23, 0x0a, 0x21, 0x69, 0x61, 0x6d, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x61, 0x70,
+	0x69, 0x73, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x41, 0x63,
+	0x63, 0x6f, 0x75, 0x6e, 0x74, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1c, 0x0a, 0x09, 0x64,
+	0x65, 0x6c, 0x65, 0x67, 0x61, 0x74, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x09,
+	0x64, 0x65, 0x6c, 0x65, 0x67, 0x61, 0x74, 0x65, 0x73, 0x12, 0x1d, 0x0a, 0x07, 0x70, 0x61, 0x79,
+	0x6c, 0x6f, 0x61, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52,
+	0x07, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x22, 0x47, 0x0a, 0x0f, 0x53, 0x69, 0x67, 0x6e,
+	0x4a, 0x77, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x15, 0x0a, 0x06, 0x6b,
+	0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6b, 0x65, 0x79,
+	0x49, 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x6a, 0x77, 0x74,
+	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x4a, 0x77,
+	0x74, 0x22, 0xbb, 0x01, 0x0a, 0x16, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x49, 0x64,
+	0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x3d, 0x0a, 0x04,
+	0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x29, 0xe0, 0x41, 0x02, 0xfa,
+	0x41, 0x23, 0x0a, 0x21, 0x69, 0x61, 0x6d, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x61, 0x70,
+	0x69, 0x73, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x41, 0x63,
+	0x63, 0x6f, 0x75, 0x6e, 0x74, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1c, 0x0a, 0x09, 0x64,
+	0x65, 0x6c, 0x65, 0x67, 0x61, 0x74, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x09,
+	0x64, 0x65, 0x6c, 0x65, 0x67, 0x61, 0x74, 0x65, 0x73, 0x12, 0x1f, 0x0a, 0x08, 0x61, 0x75, 0x64,
+	0x69, 0x65, 0x6e, 0x63, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02,
+	0x52, 0x08, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x12, 0x23, 0x0a, 0x0d, 0x69, 0x6e,
+	0x63, 0x6c, 0x75, 0x64, 0x65, 0x5f, 0x65, 0x6d, 0x61, 0x69, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28,
+	0x08, 0x52, 0x0c, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x45, 0x6d, 0x61, 0x69, 0x6c, 0x22,
+	0x2f, 0x0a, 0x17, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x49, 0x64, 0x54, 0x6f, 0x6b,
+	0x65, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x74, 0x6f,
+	0x6b, 0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e,
+	0x42, 0x89, 0x02, 0x0a, 0x23, 0x63, 0x6f, 0x6d, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e,
+	0x63, 0x6c, 0x6f, 0x75, 0x64, 0x2e, 0x69, 0x61, 0x6d, 0x2e, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e,
+	0x74, 0x69, 0x61, 0x6c, 0x73, 0x2e, 0x76, 0x31, 0x42, 0x19, 0x49, 0x41, 0x4d, 0x43, 0x72, 0x65,
+	0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x50, 0x72,
+	0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x44, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67, 0x6f,
+	0x6c, 0x61, 0x6e, 0x67, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x67, 0x65, 0x6e, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x2f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x69, 0x61, 0x6d,
+	0x2f, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x2f, 0x76, 0x31, 0x3b,
+	0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0xf8, 0x01, 0x01, 0xaa, 0x02,
+	0x1f, 0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x43, 0x6c, 0x6f, 0x75, 0x64, 0x2e, 0x49, 0x61,
+	0x6d, 0x2e, 0x43, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x2e, 0x56, 0x31,
+	0xea, 0x41, 0x59, 0x0a, 0x21, 0x69, 0x61, 0x6d, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x61,
+	0x70, 0x69, 0x73, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x41,
+	0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x34, 0x70, 0x72, 0x6f, 0x6a, 0x65, 0x63, 0x74, 0x73,
+	0x2f, 0x7b, 0x70, 0x72, 0x6f, 0x6a, 0x65, 0x63, 0x74, 0x7d, 0x2f, 0x73, 0x65, 0x72, 0x76, 0x69,
+	0x63, 0x65, 0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x73, 0x2f, 0x7b, 0x73, 0x65, 0x72, 0x76,
+	0x69, 0x63, 0x65, 0x5f, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x7d, 0x62, 0x06, 0x70, 0x72,
+	0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_google_iam_credentials_v1_common_proto_rawDescOnce sync.Once
+	file_google_iam_credentials_v1_common_proto_rawDescData = file_google_iam_credentials_v1_common_proto_rawDesc
+)
+
+func file_google_iam_credentials_v1_common_proto_rawDescGZIP() []byte {
+	file_google_iam_credentials_v1_common_proto_rawDescOnce.Do(func() {
+		file_google_iam_credentials_v1_common_proto_rawDescData = protoimpl.X.CompressGZIP(file_google_iam_credentials_v1_common_proto_rawDescData)
+	})
+	return file_google_iam_credentials_v1_common_proto_rawDescData
+}
+
+var file_google_iam_credentials_v1_common_proto_msgTypes = make([]protoimpl.MessageInfo, 8)
+var file_google_iam_credentials_v1_common_proto_goTypes = []interface{}{
+	(*GenerateAccessTokenRequest)(nil),  // 0: google.iam.credentials.v1.GenerateAccessTokenRequest
+	(*GenerateAccessTokenResponse)(nil), // 1: google.iam.credentials.v1.GenerateAccessTokenResponse
+	(*SignBlobRequest)(nil),             // 2: google.iam.credentials.v1.SignBlobRequest
+	(*SignBlobResponse)(nil),            // 3: google.iam.credentials.v1.SignBlobResponse
+	(*SignJwtRequest)(nil),              // 4: google.iam.credentials.v1.SignJwtRequest
+	(*SignJwtResponse)(nil),             // 5: google.iam.credentials.v1.SignJwtResponse
+	(*GenerateIdTokenRequest)(nil),      // 6: google.iam.credentials.v1.GenerateIdTokenRequest
+	(*GenerateIdTokenResponse)(nil),     // 7: google.iam.credentials.v1.GenerateIdTokenResponse
+	(*durationpb.Duration)(nil),         // 8: google.protobuf.Duration
+	(*timestamppb.Timestamp)(nil),       // 9: google.protobuf.Timestamp
+}
+var file_google_iam_credentials_v1_common_proto_depIdxs = []int32{
+	8, // 0: google.iam.credentials.v1.GenerateAccessTokenRequest.lifetime:type_name -> google.protobuf.Duration
+	9, // 1: google.iam.credentials.v1.GenerateAccessTokenResponse.expire_time:type_name -> google.protobuf.Timestamp
+	2, // [2:2] is the sub-list for method output_type
+	2, // [2:2] is the sub-list for method input_type
+	2, // [2:2] is the sub-list for extension type_name
+	2, // [2:2] is the sub-list for extension extendee
+	0, // [0:2] is the sub-list for field type_name
+}
+
+func init() { file_google_iam_credentials_v1_common_proto_init() }
+func file_google_iam_credentials_v1_common_proto_init() {
+	if File_google_iam_credentials_v1_common_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_google_iam_credentials_v1_common_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GenerateAccessTokenRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_google_iam_credentials_v1_common_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GenerateAccessTokenResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_google_iam_credentials_v1_common_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SignBlobRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_google_iam_credentials_v1_common_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SignBlobResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_google_iam_credentials_v1_common_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SignJwtRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_google_iam_credentials_v1_common_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SignJwtResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_google_iam_credentials_v1_common_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GenerateIdTokenRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_google_iam_credentials_v1_common_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GenerateIdTokenResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_google_iam_credentials_v1_common_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   8,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_google_iam_credentials_v1_common_proto_goTypes,
+		DependencyIndexes: file_google_iam_credentials_v1_common_proto_depIdxs,
+		MessageInfos:      file_google_iam_credentials_v1_common_proto_msgTypes,
+	}.Build()
+	File_google_iam_credentials_v1_common_proto = out.File
+	file_google_iam_credentials_v1_common_proto_rawDesc = nil
+	file_google_iam_credentials_v1_common_proto_goTypes = nil
+	file_google_iam_credentials_v1_common_proto_depIdxs = nil
+}

vendor/google.golang.org/genproto/googleapis/iam/credentials/v1/iamcredentials.pb.go

@@ -0,0 +1,378 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.25.0
+// 	protoc        v3.13.0
+// source: google/iam/credentials/v1/iamcredentials.proto
+
+package credentials
+
+import (
+	context "context"
+	reflect "reflect"
+
+	proto "github.com/golang/protobuf/proto"
+	_ "google.golang.org/genproto/googleapis/api/annotations"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+// This is a compile-time assertion that a sufficiently up-to-date version
+// of the legacy proto package is being used.
+const _ = proto.ProtoPackageIsVersion4
+
+var File_google_iam_credentials_v1_iamcredentials_proto protoreflect.FileDescriptor
+
+var file_google_iam_credentials_v1_iamcredentials_proto_rawDesc = []byte{
+	0x0a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x69, 0x61, 0x6d, 0x2f, 0x63, 0x72, 0x65,
+	0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x2f, 0x76, 0x31, 0x2f, 0x69, 0x61, 0x6d, 0x63,
+	0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x12, 0x19, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x69, 0x61, 0x6d, 0x2e, 0x63, 0x72, 0x65,
+	0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x2e, 0x76, 0x31, 0x1a, 0x1c, 0x67, 0x6f, 0x6f,
+	0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69,
+	0x6f, 0x6e, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x17, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
+	0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x2e, 0x70, 0x72, 0x6f,
+	0x74, 0x6f, 0x1a, 0x26, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x69, 0x61, 0x6d, 0x2f, 0x63,
+	0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x2f, 0x76, 0x31, 0x2f, 0x63, 0x6f,
+	0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x32, 0xad, 0x07, 0x0a, 0x0e, 0x49,
+	0x41, 0x4d, 0x43, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x12, 0xec, 0x01,
+	0x0a, 0x13, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73,
+	0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x35, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x69,
+	0x61, 0x6d, 0x2e, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x2e, 0x76,
+	0x31, 0x2e, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73,
+	0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x36, 0x2e, 0x67,
+	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x69, 0x61, 0x6d, 0x2e, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e,
+	0x74, 0x69, 0x61, 0x6c, 0x73, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74,
+	0x65, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x73, 0x70,
+	0x6f, 0x6e, 0x73, 0x65, 0x22, 0x66, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x40, 0x22, 0x3b, 0x2f, 0x76,
+	0x31, 0x2f, 0x7b, 0x6e, 0x61, 0x6d, 0x65, 0x3d, 0x70, 0x72, 0x6f, 0x6a, 0x65, 0x63, 0x74, 0x73,
+	0x2f, 0x2a, 0x2f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e,
+	0x74, 0x73, 0x2f, 0x2a, 0x7d, 0x3a, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x41, 0x63,
+	0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x3a, 0x01, 0x2a, 0xda, 0x41, 0x1d, 0x6e,
+	0x61, 0x6d, 0x65, 0x2c, 0x64, 0x65, 0x6c, 0x65, 0x67, 0x61, 0x74, 0x65, 0x73, 0x2c, 0x73, 0x63,
+	0x6f, 0x70, 0x65, 0x2c, 0x6c, 0x69, 0x66, 0x65, 0x74, 0x69, 0x6d, 0x65, 0x12, 0xe4, 0x01, 0x0a,
+	0x0f, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x49, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e,
+	0x12, 0x31, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x69, 0x61, 0x6d, 0x2e, 0x63, 0x72,
+	0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x6e,
+	0x65, 0x72, 0x61, 0x74, 0x65, 0x49, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x71, 0x75,
+	0x65, 0x73, 0x74, 0x1a, 0x32, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x69, 0x61, 0x6d,
+	0x2e, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x2e, 0x76, 0x31, 0x2e,
+	0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x49, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52,
+	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x6a, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x3c, 0x22,
+	0x37, 0x2f, 0x76, 0x31, 0x2f, 0x7b, 0x6e, 0x61, 0x6d, 0x65, 0x3d, 0x70, 0x72, 0x6f, 0x6a, 0x65,
+	0x63, 0x74, 0x73, 0x2f, 0x2a, 0x2f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x41, 0x63, 0x63,
+	0x6f, 0x75, 0x6e, 0x74, 0x73, 0x2f, 0x2a, 0x7d, 0x3a, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74,
+	0x65, 0x49, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x3a, 0x01, 0x2a, 0xda, 0x41, 0x25, 0x6e, 0x61,
+	0x6d, 0x65, 0x2c, 0x64, 0x65, 0x6c, 0x65, 0x67, 0x61, 0x74, 0x65, 0x73, 0x2c, 0x61, 0x75, 0x64,
+	0x69, 0x65, 0x6e, 0x63, 0x65, 0x2c, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x5f, 0x65, 0x6d,
+	0x61, 0x69, 0x6c, 0x12, 0xb9, 0x01, 0x0a, 0x08, 0x53, 0x69, 0x67, 0x6e, 0x42, 0x6c, 0x6f, 0x62,
+	0x12, 0x2a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x69, 0x61, 0x6d, 0x2e, 0x63, 0x72,
+	0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x69, 0x67,
+	0x6e, 0x42, 0x6c, 0x6f, 0x62, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2b, 0x2e, 0x67,
+	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x69, 0x61, 0x6d, 0x2e, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e,
+	0x74, 0x69, 0x61, 0x6c, 0x73, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x42, 0x6c, 0x6f,
+	0x62, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x54, 0x82, 0xd3, 0xe4, 0x93, 0x02,
+	0x35, 0x22, 0x30, 0x2f, 0x76, 0x31, 0x2f, 0x7b, 0x6e, 0x61, 0x6d, 0x65, 0x3d, 0x70, 0x72, 0x6f,
+	0x6a, 0x65, 0x63, 0x74, 0x73, 0x2f, 0x2a, 0x2f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x41,
+	0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x73, 0x2f, 0x2a, 0x7d, 0x3a, 0x73, 0x69, 0x67, 0x6e, 0x42,
+	0x6c, 0x6f, 0x62, 0x3a, 0x01, 0x2a, 0xda, 0x41, 0x16, 0x6e, 0x61, 0x6d, 0x65, 0x2c, 0x64, 0x65,
+	0x6c, 0x65, 0x67, 0x61, 0x74, 0x65, 0x73, 0x2c, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x12,
+	0xb5, 0x01, 0x0a, 0x07, 0x53, 0x69, 0x67, 0x6e, 0x4a, 0x77, 0x74, 0x12, 0x29, 0x2e, 0x67, 0x6f,
+	0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x69, 0x61, 0x6d, 0x2e, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74,
+	0x69, 0x61, 0x6c, 0x73, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x4a, 0x77, 0x74, 0x52,
+	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e,
+	0x69, 0x61, 0x6d, 0x2e, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x2e,
+	0x76, 0x31, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x4a, 0x77, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
+	0x73, 0x65, 0x22, 0x53, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x34, 0x22, 0x2f, 0x2f, 0x76, 0x31, 0x2f,
+	0x7b, 0x6e, 0x61, 0x6d, 0x65, 0x3d, 0x70, 0x72, 0x6f, 0x6a, 0x65, 0x63, 0x74, 0x73, 0x2f, 0x2a,
+	0x2f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x73,
+	0x2f, 0x2a, 0x7d, 0x3a, 0x73, 0x69, 0x67, 0x6e, 0x4a, 0x77, 0x74, 0x3a, 0x01, 0x2a, 0xda, 0x41,
+	0x16, 0x6e, 0x61, 0x6d, 0x65, 0x2c, 0x64, 0x65, 0x6c, 0x65, 0x67, 0x61, 0x74, 0x65, 0x73, 0x2c,
+	0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x1a, 0x51, 0xca, 0x41, 0x1d, 0x69, 0x61, 0x6d, 0x63,
+	0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
+	0x65, 0x61, 0x70, 0x69, 0x73, 0x2e, 0x63, 0x6f, 0x6d, 0xd2, 0x41, 0x2e, 0x68, 0x74, 0x74, 0x70,
+	0x73, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x61, 0x70,
+	0x69, 0x73, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x2f, 0x63, 0x6c, 0x6f, 0x75,
+	0x64, 0x2d, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x42, 0xa7, 0x01, 0x0a, 0x23, 0x63,
+	0x6f, 0x6d, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63, 0x6c, 0x6f, 0x75, 0x64, 0x2e,
+	0x69, 0x61, 0x6d, 0x2e, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x2e,
+	0x76, 0x31, 0x42, 0x13, 0x49, 0x41, 0x4d, 0x43, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61,
+	0x6c, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x44, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
+	0x65, 0x2e, 0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x67, 0x65, 0x6e,
+	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x61, 0x70, 0x69, 0x73,
+	0x2f, 0x69, 0x61, 0x6d, 0x2f, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73,
+	0x2f, 0x76, 0x31, 0x3b, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0xf8,
+	0x01, 0x01, 0xaa, 0x02, 0x1f, 0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x43, 0x6c, 0x6f, 0x75,
+	0x64, 0x2e, 0x49, 0x61, 0x6d, 0x2e, 0x43, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c,
+	0x73, 0x2e, 0x56, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var file_google_iam_credentials_v1_iamcredentials_proto_goTypes = []interface{}{
+	(*GenerateAccessTokenRequest)(nil),  // 0: google.iam.credentials.v1.GenerateAccessTokenRequest
+	(*GenerateIdTokenRequest)(nil),      // 1: google.iam.credentials.v1.GenerateIdTokenRequest
+	(*SignBlobRequest)(nil),             // 2: google.iam.credentials.v1.SignBlobRequest
+	(*SignJwtRequest)(nil),              // 3: google.iam.credentials.v1.SignJwtRequest
+	(*GenerateAccessTokenResponse)(nil), // 4: google.iam.credentials.v1.GenerateAccessTokenResponse
+	(*GenerateIdTokenResponse)(nil),     // 5: google.iam.credentials.v1.GenerateIdTokenResponse
+	(*SignBlobResponse)(nil),            // 6: google.iam.credentials.v1.SignBlobResponse
+	(*SignJwtResponse)(nil),             // 7: google.iam.credentials.v1.SignJwtResponse
+}
+var file_google_iam_credentials_v1_iamcredentials_proto_depIdxs = []int32{
+	0, // 0: google.iam.credentials.v1.IAMCredentials.GenerateAccessToken:input_type -> google.iam.credentials.v1.GenerateAccessTokenRequest
+	1, // 1: google.iam.credentials.v1.IAMCredentials.GenerateIdToken:input_type -> google.iam.credentials.v1.GenerateIdTokenRequest
+	2, // 2: google.iam.credentials.v1.IAMCredentials.SignBlob:input_type -> google.iam.credentials.v1.SignBlobRequest
+	3, // 3: google.iam.credentials.v1.IAMCredentials.SignJwt:input_type -> google.iam.credentials.v1.SignJwtRequest
+	4, // 4: google.iam.credentials.v1.IAMCredentials.GenerateAccessToken:output_type -> google.iam.credentials.v1.GenerateAccessTokenResponse
+	5, // 5: google.iam.credentials.v1.IAMCredentials.GenerateIdToken:output_type -> google.iam.credentials.v1.GenerateIdTokenResponse
+	6, // 6: google.iam.credentials.v1.IAMCredentials.SignBlob:output_type -> google.iam.credentials.v1.SignBlobResponse
+	7, // 7: google.iam.credentials.v1.IAMCredentials.SignJwt:output_type -> google.iam.credentials.v1.SignJwtResponse
+	4, // [4:8] is the sub-list for method output_type
+	0, // [0:4] is the sub-list for method input_type
+	0, // [0:0] is the sub-list for extension type_name
+	0, // [0:0] is the sub-list for extension extendee
+	0, // [0:0] is the sub-list for field type_name
+}
+
+func init() { file_google_iam_credentials_v1_iamcredentials_proto_init() }
+func file_google_iam_credentials_v1_iamcredentials_proto_init() {
+	if File_google_iam_credentials_v1_iamcredentials_proto != nil {
+		return
+	}
+	file_google_iam_credentials_v1_common_proto_init()
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_google_iam_credentials_v1_iamcredentials_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   0,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_google_iam_credentials_v1_iamcredentials_proto_goTypes,
+		DependencyIndexes: file_google_iam_credentials_v1_iamcredentials_proto_depIdxs,
+	}.Build()
+	File_google_iam_credentials_v1_iamcredentials_proto = out.File
+	file_google_iam_credentials_v1_iamcredentials_proto_rawDesc = nil
+	file_google_iam_credentials_v1_iamcredentials_proto_goTypes = nil
+	file_google_iam_credentials_v1_iamcredentials_proto_depIdxs = nil
+}
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ context.Context
+var _ grpc.ClientConnInterface
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+const _ = grpc.SupportPackageIsVersion6
+
+// IAMCredentialsClient is the client API for IAMCredentials service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
+type IAMCredentialsClient interface {
+	// Generates an OAuth 2.0 access token for a service account.
+	GenerateAccessToken(ctx context.Context, in *GenerateAccessTokenRequest, opts ...grpc.CallOption) (*GenerateAccessTokenResponse, error)
+	// Generates an OpenID Connect ID token for a service account.
+	GenerateIdToken(ctx context.Context, in *GenerateIdTokenRequest, opts ...grpc.CallOption) (*GenerateIdTokenResponse, error)
+	// Signs a blob using a service account's system-managed private key.
+	SignBlob(ctx context.Context, in *SignBlobRequest, opts ...grpc.CallOption) (*SignBlobResponse, error)
+	// Signs a JWT using a service account's system-managed private key.
+	SignJwt(ctx context.Context, in *SignJwtRequest, opts ...grpc.CallOption) (*SignJwtResponse, error)
+}
+
+type iAMCredentialsClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewIAMCredentialsClient(cc grpc.ClientConnInterface) IAMCredentialsClient {
+	return &iAMCredentialsClient{cc}
+}
+
+func (c *iAMCredentialsClient) GenerateAccessToken(ctx context.Context, in *GenerateAccessTokenRequest, opts ...grpc.CallOption) (*GenerateAccessTokenResponse, error) {
+	out := new(GenerateAccessTokenResponse)
+	err := c.cc.Invoke(ctx, "/google.iam.credentials.v1.IAMCredentials/GenerateAccessToken", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *iAMCredentialsClient) GenerateIdToken(ctx context.Context, in *GenerateIdTokenRequest, opts ...grpc.CallOption) (*GenerateIdTokenResponse, error) {
+	out := new(GenerateIdTokenResponse)
+	err := c.cc.Invoke(ctx, "/google.iam.credentials.v1.IAMCredentials/GenerateIdToken", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *iAMCredentialsClient) SignBlob(ctx context.Context, in *SignBlobRequest, opts ...grpc.CallOption) (*SignBlobResponse, error) {
+	out := new(SignBlobResponse)
+	err := c.cc.Invoke(ctx, "/google.iam.credentials.v1.IAMCredentials/SignBlob", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *iAMCredentialsClient) SignJwt(ctx context.Context, in *SignJwtRequest, opts ...grpc.CallOption) (*SignJwtResponse, error) {
+	out := new(SignJwtResponse)
+	err := c.cc.Invoke(ctx, "/google.iam.credentials.v1.IAMCredentials/SignJwt", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// IAMCredentialsServer is the server API for IAMCredentials service.
+type IAMCredentialsServer interface {
+	// Generates an OAuth 2.0 access token for a service account.
+	GenerateAccessToken(context.Context, *GenerateAccessTokenRequest) (*GenerateAccessTokenResponse, error)
+	// Generates an OpenID Connect ID token for a service account.
+	GenerateIdToken(context.Context, *GenerateIdTokenRequest) (*GenerateIdTokenResponse, error)
+	// Signs a blob using a service account's system-managed private key.
+	SignBlob(context.Context, *SignBlobRequest) (*SignBlobResponse, error)
+	// Signs a JWT using a service account's system-managed private key.
+	SignJwt(context.Context, *SignJwtRequest) (*SignJwtResponse, error)
+}
+
+// UnimplementedIAMCredentialsServer can be embedded to have forward compatible implementations.
+type UnimplementedIAMCredentialsServer struct {
+}
+
+func (*UnimplementedIAMCredentialsServer) GenerateAccessToken(context.Context, *GenerateAccessTokenRequest) (*GenerateAccessTokenResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GenerateAccessToken not implemented")
+}
+func (*UnimplementedIAMCredentialsServer) GenerateIdToken(context.Context, *GenerateIdTokenRequest) (*GenerateIdTokenResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GenerateIdToken not implemented")
+}
+func (*UnimplementedIAMCredentialsServer) SignBlob(context.Context, *SignBlobRequest) (*SignBlobResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method SignBlob not implemented")
+}
+func (*UnimplementedIAMCredentialsServer) SignJwt(context.Context, *SignJwtRequest) (*SignJwtResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method SignJwt not implemented")
+}
+
+func RegisterIAMCredentialsServer(s *grpc.Server, srv IAMCredentialsServer) {
+	s.RegisterService(&_IAMCredentials_serviceDesc, srv)
+}
+
+func _IAMCredentials_GenerateAccessToken_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GenerateAccessTokenRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(IAMCredentialsServer).GenerateAccessToken(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.iam.credentials.v1.IAMCredentials/GenerateAccessToken",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(IAMCredentialsServer).GenerateAccessToken(ctx, req.(*GenerateAccessTokenRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _IAMCredentials_GenerateIdToken_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GenerateIdTokenRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(IAMCredentialsServer).GenerateIdToken(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.iam.credentials.v1.IAMCredentials/GenerateIdToken",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(IAMCredentialsServer).GenerateIdToken(ctx, req.(*GenerateIdTokenRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _IAMCredentials_SignBlob_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SignBlobRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(IAMCredentialsServer).SignBlob(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.iam.credentials.v1.IAMCredentials/SignBlob",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(IAMCredentialsServer).SignBlob(ctx, req.(*SignBlobRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _IAMCredentials_SignJwt_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SignJwtRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(IAMCredentialsServer).SignJwt(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/google.iam.credentials.v1.IAMCredentials/SignJwt",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(IAMCredentialsServer).SignJwt(ctx, req.(*SignJwtRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+var _IAMCredentials_serviceDesc = grpc.ServiceDesc{
+	ServiceName: "google.iam.credentials.v1.IAMCredentials",
+	HandlerType: (*IAMCredentialsServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "GenerateAccessToken",
+			Handler:    _IAMCredentials_GenerateAccessToken_Handler,
+		},
+		{
+			MethodName: "GenerateIdToken",
+			Handler:    _IAMCredentials_GenerateIdToken_Handler,
+		},
+		{
+			MethodName: "SignBlob",
+			Handler:    _IAMCredentials_SignBlob_Handler,
+		},
+		{
+			MethodName: "SignJwt",
+			Handler:    _IAMCredentials_SignJwt_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "google/iam/credentials/v1/iamcredentials.proto",
+}

vendor/honnef.co/go/tools/pattern/match.go

@@ -242,6 +242,28 @@ func match(m *Matcher, l, r interface{}) (interface{}, bool) {
 		}
 	}
 
+	{
+		ln, ok1 := l.([]*ast.Field)
+		rn, ok2 := r.([]*ast.Field)
+		if ok1 || ok2 {
+			if ok1 && !ok2 {
+				rn = []*ast.Field{r.(*ast.Field)}
+			} else if !ok1 && ok2 {
+				ln = []*ast.Field{l.(*ast.Field)}
+			}
+
+			if len(ln) != len(rn) {
+				return nil, false
+			}
+			for i, ll := range ln {
+				if _, ok := match(m, ll, rn[i]); !ok {
+					return nil, false
+				}
+			}
+			return r, true
+		}
+	}
+
 	panic(fmt.Sprintf("unsupported comparison: %T and %T", l, r))
 }
 

vendor/honnef.co/go/tools/staticcheck/lint.go

@@ -1721,6 +1721,10 @@ func CheckUnreadVariableValues(pass *analysis.Pass) (interface{}, error) {
 					continue
 				}
 
+				if _, ok := val.(*ir.Const); ok {
+					// a zero-valued constant, for example in 'foo := []string(nil)'
+					continue
+				}
 				if !hasUse(val, nil) {
 					report.Report(pass, assign, fmt.Sprintf("this value of %s is never used", lhs))
 				}

vendor/honnef.co/go/tools/version/version.go

@@ -7,7 +7,7 @@ import (
 	"runtime"
 )
 
-const Version = "2020.1.4"
+const Version = "2020.1.5"
 
 // version returns a version descriptor and reports whether the
 // version is a known release.

vendor/modules.txt

@@ -3,6 +3,7 @@
 cloud.google.com/go
 cloud.google.com/go/compute/metadata
 cloud.google.com/go/iam
+cloud.google.com/go/iam/credentials/apiv1
 cloud.google.com/go/internal
 cloud.google.com/go/internal/btree
 cloud.google.com/go/internal/fields
@@ -688,6 +689,7 @@ google.golang.org/appengine/urlfetch
 google.golang.org/genproto/googleapis/api/annotations
 google.golang.org/genproto/googleapis/firestore/admin/v1
 google.golang.org/genproto/googleapis/firestore/v1
+google.golang.org/genproto/googleapis/iam/credentials/v1
 google.golang.org/genproto/googleapis/iam/v1
 google.golang.org/genproto/googleapis/longrunning
 google.golang.org/genproto/googleapis/rpc/code
@@ -815,7 +817,8 @@ gopkg.in/yaml.v2
 # gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
 ## explicit
 gopkg.in/yaml.v3
-# honnef.co/go/tools v0.0.1-2020.1.4
+# honnef.co/go/tools v0.0.1-2020.1.5
+## explicit
 honnef.co/go/tools/arg
 honnef.co/go/tools/cmd/staticcheck
 honnef.co/go/tools/code