ydb-platform · Gazizonoki · Feb 24, 2025 · Feb 24, 2025 · Feb 24, 2025 · Feb 24, 2025
diff --git a/include/ydb-cpp-sdk/client/CMakeLists.txt b/include/ydb-cpp-sdk/client/CMakeLists.txt
@@ -1 +1,2 @@
 add_subdirectory(iam/common)
+add_subdirectory(iam_private/common)
diff --git a/include/ydb-cpp-sdk/client/iam_private/common/CMakeLists.txt b/include/ydb-cpp-sdk/client/iam_private/common/CMakeLists.txt
@@ -0,0 +1,8 @@
+_ydb_sdk_add_library(client-iam_private-types INTERFACE)
+
+target_link_libraries(client-iam_private-types
+  INTERFACE
+    client-iam-types
+)
+
+_ydb_sdk_install_targets(client-iam_private-types)
diff --git a/include/ydb-cpp-sdk/client/iam_private/common/types.h b/include/ydb-cpp-sdk/client/iam_private/common/types.h
@@ -0,0 +1,15 @@
+#pragma once
+
+#include <ydb-cpp-sdk/client/iam/common/types.h>
+
+namespace NYdb::inline V3 {
+
+struct TIamServiceParams : TIamEndpoint {
+    std::string ServiceId;
+    std::string MicroserviceId;
+    std::string ResourceId;
+    std::string ResourceType;
+    std::string TargetServiceAccountId;
+};
+
+}
diff --git a/include/ydb-cpp-sdk/client/iam_private/iam.h b/include/ydb-cpp-sdk/client/iam_private/iam.h
@@ -1,5 +1,7 @@
 #pragma once
 
+#include "common/types.h"
+
 #include <ydb-cpp-sdk/client/iam/common/types.h>
 
 namespace NYdb::inline V3 {
@@ -10,4 +12,7 @@ TCredentialsProviderFactoryPtr CreateIamJwtFileCredentialsProviderFactoryPrivate
 /// Acquire an IAM token using JSON Web Token (JWT) contents.
 TCredentialsProviderFactoryPtr CreateIamJwtParamsCredentialsProviderFactoryPrivate(const TIamJwtContent& param);
 
+/// Acquire an IAM token for system service account (SSA).
+TCredentialsProviderFactoryPtr CreateIamServiceCredentialsProviderFactory(const TIamServiceParams& params);
+
 } // namespace NYdb
diff --git a/src/api/client/yc_private/iam/iam_token_service.proto b/src/api/client/yc_private/iam/iam_token_service.proto
@@ -18,6 +18,9 @@ service IamTokenService {
   // create iam token for service account
   rpc CreateForServiceAccount (CreateIamTokenForServiceAccountRequest) returns (CreateIamTokenResponse);
 
+  // create iam token for service
+  rpc CreateForService (CreateIamTokenForServiceRequest) returns (CreateIamTokenResponse);
+
   // create iam token for compute instance
   rpc CreateForComputeInstance (CreateIamTokenForComputeInstanceRequest) returns (CreateIamTokenResponse);
 
@@ -50,6 +53,14 @@ message CreateIamTokenForServiceAccountRequest {
   string service_account_id = 1;
 }
 
+message CreateIamTokenForServiceRequest {
+  string service_id = 1;
+  string microservice_id = 2;
+  string resource_id = 3;
+  string resource_type = 4;
+  string target_service_account_id = 5;
+}
+
 message CreateIamTokenForComputeInstanceRequest {
   string service_account_id = 1;
   string instance_id = 2;

diff --git a/src/client/iam/common/iam.h b/src/client/iam/common/iam.h
@@ -19,12 +19,19 @@ class TGrpcIamCredentialsProvider : public ICredentialsProvider {
 protected:
     using TRequestFiller = std::function<void(TRequest&)>;
 
+    using TSimpleRpc =
+        typename NYdbGrpc::TSimpleRequestProcessor<
+            typename TService::Stub,
+            TRequest,
+            TResponse>::TAsyncRequest;
+
 private:
     class TImpl : public std::enable_shared_from_this<TGrpcIamCredentialsProvider<TRequest, TResponse, TService>::TImpl> {
     public:
-        TImpl(const TIamEndpoint& iamEndpoint, const TRequestFiller& requestFiller)
+        TImpl(const TIamEndpoint& iamEndpoint, const TRequestFiller& requestFiller, TSimpleRpc rpc)
             : Client(std::make_unique<NYdbGrpc::TGRpcClientLow>())
             , Connection_(nullptr)
+            , Rpc_(rpc)
             , Ticket_("")
             , NextTicketUpdate_(TInstant::Zero())
             , IamEndpoint_(iamEndpoint)
@@ -67,7 +74,7 @@ class TGrpcIamCredentialsProvider : public ICredentialsProvider {
             Connection_->template DoRequest<TRequest, TResponse>(
                 std::move(req),
                 std::move(cb),
-                &TService::Stub::AsyncCreate,
+                Rpc_,
                 { {}, {}, IamEndpoint_.RequestTimeout }
             );
 
@@ -142,9 +149,9 @@ class TGrpcIamCredentialsProvider : public ICredentialsProvider {
         }
 
     private:
-
         std::unique_ptr<NYdbGrpc::TGRpcClientLow> Client;
         std::unique_ptr<NYdbGrpc::TServiceConnection<TService>> Connection_;
+        TSimpleRpc Rpc_;
         std::string Ticket_;
         TInstant NextTicketUpdate_;
         const TIamEndpoint IamEndpoint_;
@@ -157,8 +164,8 @@ class TGrpcIamCredentialsProvider : public ICredentialsProvider {
     };
 
 public:
-    TGrpcIamCredentialsProvider(const TIamEndpoint& endpoint, const TRequestFiller& requestFiller)
-        : Impl_(std::make_shared<TImpl>(endpoint, requestFiller))
+    TGrpcIamCredentialsProvider(const TIamEndpoint& endpoint, const TRequestFiller& requestFiller, TSimpleRpc rpc)
+        : Impl_(std::make_shared<TImpl>(endpoint, requestFiller, rpc))
     {
         Impl_->UpdateTicket(true);
     }
@@ -186,7 +193,7 @@ class TIamJwtCredentialsProvider : public TGrpcIamCredentialsProvider<TRequest,
         : TGrpcIamCredentialsProvider<TRequest, TResponse, TService>(params,
             [jwtParams = params.JwtParams](TRequest& req) {
                 req.set_jwt(MakeSignedJwt(jwtParams));
-            }) {}
+            }, &TService::Stub::AsyncCreate) {}
 };
 
 template<typename TRequest, typename TResponse, typename TService>
@@ -196,7 +203,7 @@ class TIamOAuthCredentialsProvider : public TGrpcIamCredentialsProvider<TRequest
         : TGrpcIamCredentialsProvider<TRequest, TResponse, TService>(params,
             [token = params.OAuthToken](TRequest& req) {
                 req.set_yandex_passport_oauth_token(TStringType{token});
-            }) {}
+            }, &TService::Stub::AsyncCreate) {}
 };
 
 template<typename TRequest, typename TResponse, typename TService>

diff --git a/src/client/iam_private/CMakeLists.txt b/src/client/iam_private/CMakeLists.txt
@@ -1,3 +1,5 @@
+add_subdirectory(common)
+
 _ydb_sdk_add_library(client-iam_private)
 
 target_link_libraries(client-iam_private
@@ -6,7 +8,7 @@ target_link_libraries(client-iam_private
     yutil
   PRIVATE
     api-client-yc_private
-    client-iam-common
+    client-iam_private-common
 )
 
 target_sources(client-iam_private

diff --git a/src/client/iam_private/common/CMakeLists.txt b/src/client/iam_private/common/CMakeLists.txt
@@ -0,0 +1,9 @@
+_ydb_sdk_add_library(client-iam_private-common INTERFACE)
+
+target_link_libraries(client-iam_private-common
+  INTERFACE
+    client-iam-common
+    client-iam_private-types
+)
+
+_ydb_sdk_install_targets(client-iam_private-common)
diff --git a/src/client/iam_private/common/iam.h b/src/client/iam_private/common/iam.h
@@ -0,0 +1,28 @@
+#include <ydb-cpp-sdk/client/iam_private/common/types.h>
+
+#include <src/client/iam/common/iam.h>
+
+namespace NYdb::inline V3 {
+
+template<typename TRequest, typename TResponse, typename TService>
+
+class TIamServiceCredentialsProviderFactory : public ICredentialsProviderFactory {
+public:
+    TIamServiceCredentialsProviderFactory(const TIamServiceParams& params) : Params_(params) {}
+
+    TCredentialsProviderPtr CreateProvider() const final {
+        return std::make_shared<TGrpcIamCredentialsProvider<TRequest, TResponse, TService>>(Params_,
+                    [params = Params_](TRequest& req) {
+                        req.set_service_id(params.ServiceId);
+                        req.set_microservice_id(params.MicroserviceId);
+                        req.set_resource_id(params.ResourceId);
+                        req.set_resource_type(params.ResourceType);
+                        req.set_target_service_account_id(params.TargetServiceAccountId);
+                    }, &TService::Stub::AsyncCreateForService);
+    }
+
+private:
+    TIamServiceParams Params_;
+};
+
+}
diff --git a/src/client/iam_private/iam.cpp b/src/client/iam_private/iam.cpp
@@ -1,17 +1,19 @@
-#include <ydb-cpp-sdk/client/iam_private/iam.h>
+#include "common/iam.h"
 
-#include <src/client/iam/common/iam.h>
+#include <ydb-cpp-sdk/client/iam_private/iam.h>
 
 #include <src/api/client/yc_private/iam/iam_token_service.pb.h>
 #include <src/api/client/yc_private/iam/iam_token_service.grpc.pb.h>
 
+using namespace yandex::cloud::priv::iam::v1;
+
 namespace NYdb::inline V3 {
 
 TCredentialsProviderFactoryPtr CreateIamJwtCredentialsProviderFactoryImplPrivate(TIamJwtParams&& jwtParams) {
     return std::make_shared<TIamJwtCredentialsProviderFactory<
-                    yandex::cloud::priv::iam::v1::CreateIamTokenRequest,
-                    yandex::cloud::priv::iam::v1::CreateIamTokenResponse,
-                    yandex::cloud::priv::iam::v1::IamTokenService
+                    CreateIamTokenRequest,
+                    CreateIamTokenResponse,
+                    IamTokenService
                 >>(std::move(jwtParams));
 }
 
@@ -25,4 +27,12 @@ TCredentialsProviderFactoryPtr CreateIamJwtParamsCredentialsProviderFactoryPriva
     return CreateIamJwtCredentialsProviderFactoryImplPrivate(std::move(jwtParams));
 }
 
+TCredentialsProviderFactoryPtr CreateIamServiceCredentialsProviderFactory(const TIamServiceParams& params) {
+    return std::make_shared<TIamServiceCredentialsProviderFactory<
+                    CreateIamTokenForServiceRequest,
+                    CreateIamTokenResponse,
+                    IamTokenService
+                >>(std::move(params));
+}
+
 }
diff --git a/src/client/resources/ydb_sdk_version.txt b/src/client/resources/ydb_sdk_version.txt
@@ -1 +1 @@
-3.1.0
+3.2.0
Original file line number	Diff line number	Diff line change
		@@ -1 +1,2 @@
		add_subdirectory(iam/common)
		add_subdirectory(iam_private/common)