

//! Service-account binding definitions for identity management and impersonation.
//!
//! This module defines only the *data shapes* that name a cloud identity a workload may
//! assume or impersonate. It performs no validation of the identifiers and does not itself
//! acquire tokens; both are left to the consumer of these bindings:
//! - AWS IAM roles (the role ARN is the `AssumeRole` target)
//! - GCP service accounts (the service-account e-mail is the token-generation / impersonation target)
//! - Azure user-assigned managed identities (client ID for authentication, plus the ARM resource ID and principal ID)
8use super::BindingValue;
9use serde::{Deserialize, Serialize};
10
/// A reference to a cloud identity (IAM role, service account or managed identity) that a
/// workload may assume or impersonate.
///
/// Each variant wraps a provider-specific struct holding *identifiers only* — ARN, e-mail,
/// client ID and similar. None of those fields is a secret, which is why the type can derive
/// `Debug` and `Serialize`; do not add credential material here. Nothing in this module
/// validates the identifiers or exchanges them for tokens — that is the consumer's job.
///
/// Wire format: internally tagged on `"service"` with the variant name lowercased, so the
/// tag values are `"awsiam"`, `"gcpserviceaccount"` and `"azuremanagedidentity"`; the inner
/// struct's `camelCase` fields sit next to the tag.
///
/// NOTE(review): deserialization uses serde defaults — unknown fields are ignored
/// (`deny_unknown_fields` is not set) and any string is accepted for each identifier.
/// Code that turns a binding into credentials should validate the identifier format and,
/// where the deployment allows, allow-list the permitted targets.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
#[serde(tag = "service", rename_all = "lowercase")]
pub enum ServiceAccountBinding {
    /// AWS IAM role; the role ARN is the `AssumeRole` target. Tag: `"awsiam"`.
    AwsIam(AwsServiceAccountBinding),
    /// GCP service account; the e-mail is the impersonation target. Tag: `"gcpserviceaccount"`.
    GcpServiceAccount(GcpServiceAccountBinding),
    /// Azure user-assigned managed identity; the client ID is what is used to authenticate.
    /// Tag: `"azuremanagedidentity"`.
    AzureManagedIdentity(AzureServiceAccountBinding),
}
/// AWS IAM role to assume.
///
/// `role_arn` is the value the module documents as the `AssumeRole` input; `role_name` is
/// the human-readable name and is presumably informational (confirm against the caller).
/// The two fields are independent: nothing here checks that the name matches the ARN's
/// resource part. When the two disagree, or when allow-listing roles, treat the ARN as
/// authoritative — unlike the bare name it also identifies the owning account.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct AwsServiceAccountBinding {
    /// IAM role name (serialized as `roleName`). Stored verbatim; no format check.
    pub role_name: BindingValue<String>,
    /// Full IAM role ARN (serialized as `roleArn`); the `AssumeRole` target. Stored verbatim.
    pub role_arn: BindingValue<String>,
}
/// GCP service account to impersonate.
///
/// `email` is the identifier the module documents as the impersonation target; `unique_id`
/// is the account's unique ID. Both are stored as supplied — no format validation and no
/// check that they refer to the same account.
///
/// NOTE(review): if the intent is to pin one specific account (rather than "whatever
/// account currently has this e-mail"), consumers should compare on `unique_id`, not
/// `email` — confirm with the token-issuing code.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct GcpServiceAccountBinding {
    /// Service account e-mail (serialized as `email`); the impersonation target.
    pub email: BindingValue<String>,
    /// Service account unique ID (serialized as `uniqueId`).
    pub unique_id: BindingValue<String>,
}
/// Azure user-assigned managed identity.
///
/// Carries three distinct identifiers for the same identity: `client_id` (the value the
/// module documents as used for authentication), the ARM `resource_id` of the identity
/// resource, and `principal_id`. They are independent fields; nothing here checks that all
/// three describe the same identity, and no GUID/ARM-ID format validation is performed.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct AzureServiceAccountBinding {
    /// Client ID used to request tokens for this identity (serialized as `clientId`).
    pub client_id: BindingValue<String>,
    /// ARM resource ID of the managed-identity resource (serialized as `resourceId`).
    pub resource_id: BindingValue<String>,
    /// Principal ID of the identity (serialized as `principalId`).
    pub principal_id: BindingValue<String>,
}
impl ServiceAccountBinding {
    /// Builds the [`ServiceAccountBinding::AwsIam`] variant from a role name and role ARN.
    ///
    /// Both inputs are converted with `Into` and stored verbatim: there is no ARN syntax
    /// check and no check that `role_name` matches the ARN. Validate first if the values
    /// come from an untrusted source.
    pub fn aws_iam(
        role_name: impl Into<BindingValue<String>>,
        role_arn: impl Into<BindingValue<String>>,
    ) -> Self {
        let (role_name, role_arn) = (role_name.into(), role_arn.into());
        Self::AwsIam(AwsServiceAccountBinding { role_name, role_arn })
    }

    /// Builds the [`ServiceAccountBinding::GcpServiceAccount`] variant from a service-account
    /// e-mail and unique ID.
    ///
    /// Inputs are stored verbatim; nothing checks that `email` and `unique_id` belong to
    /// the same account.
    pub fn gcp_service_account(
        email: impl Into<BindingValue<String>>,
        unique_id: impl Into<BindingValue<String>>,
    ) -> Self {
        let (email, unique_id) = (email.into(), unique_id.into());
        Self::GcpServiceAccount(GcpServiceAccountBinding { email, unique_id })
    }

    /// Builds the [`ServiceAccountBinding::AzureManagedIdentity`] variant from the identity's
    /// client ID, ARM resource ID and principal ID.
    ///
    /// Inputs are stored verbatim; no GUID or ARM-ID format validation and no
    /// cross-consistency check between the three identifiers.
    pub fn azure_managed_identity(
        client_id: impl Into<BindingValue<String>>,
        resource_id: impl Into<BindingValue<String>>,
        principal_id: impl Into<BindingValue<String>>,
    ) -> Self {
        let (client_id, resource_id, principal_id) =
            (client_id.into(), resource_id.into(), principal_id.into());
        Self::AzureManagedIdentity(AzureServiceAccountBinding {
            client_id,
            resource_id,
            principal_id,
        })
    }
}
90}