in pkg/sts/sts.go [128:164]
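// GetRequestMetadata returns the "authorization" metadata entry to attach to a
// request for the given audience. At most one audience may be passed; with
// none, the empty string is used as the audience.
//
// The flow is: fetch the K8S-signed JWT, exchange it for a federated token,
// and then either return the federated token directly or exchange it once more
// through TokenAccess for the requested audience.
//
// The returned value is a bearer credential, so it should only be attached to
// requests sent over an authenticated, encrypted transport.
//
// An error is returned when more than one audience is given or when any of the
// token calls fails; the underlying error is returned unchanged.
func (s *STS) GetRequestMetadata(ctx context.Context, aud ...string) (map[string]string, error) {
	// Validate the arguments before any token call, so that a malformed
	// request does not cost a token fetch and an exchange.
	if len(aud) > 1 {
		return nil, errors.New("only a single audience is supported")
	}
	a0 := ""
	if len(aud) == 1 {
		a0 = aud[0]
	}

	// The K8S-signed JWT.
	kt, err := s.kr.GetToken(ctx, s.kr.TrustDomain)
	if err != nil {
		return nil, err
	}

	// Federated token - a google token equivalent with the k8s JWT, using STS.
	ft, err := s.TokenFederated(ctx, kt)
	if err != nil {
		return nil, err
	}

	// TODO: better way to determine if the destination supports federated token directly.
	//
	// NOTE(review): strings.Contains matches "googleapis.com/" anywhere in the
	// audience, including the path or query of a URL on an unrelated host. Such
	// an audience would be handed the federated token instead of a token scoped
	// to it. Comparing the parsed host against the expected domain would close
	// that gap; confirm which audience formats callers pass before tightening.
	if !s.MDPSA && strings.Contains(a0, "googleapis.com/") {
		return map[string]string{
			"authorization": "Bearer " + ft,
		}, nil
	}

	// Otherwise exchange the federated token through TokenAccess for a0.
	token, err := s.TokenAccess(ctx, ft, a0)
	if err != nil {
		return nil, err
	}
	return map[string]string{
		"authorization": "Bearer " + token,
	}, nil
}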