-
Notifications
You must be signed in to change notification settings - Fork 384
/
idTokenFromImpersonatedCredentials.js
80 lines (70 loc) · 3.36 KB
/
idTokenFromImpersonatedCredentials.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
/**
* Uses a service account (SA1) to impersonate as another service account (SA2) and obtain id token for the impersonated account.
* To obtain token for SA2, SA1 should have the "roles/iam.serviceAccountTokenCreator" permission on SA2.
*
* @param {string} scope - The scope that you might need to request to access Google APIs,
* depending on the level of access you need. For this example, we use the cloud-wide scope
* and use IAM to narrow the permissions: https://cloud.google.com/docs/authentication#authorization_for_services.
* For more information, see: https://developers.google.com/identity/protocols/oauth2/scopes.
* @param {string} targetAudience - The service name for which the id token is requested. Service name refers to the
* logical identifier of an API service, such as "http://www.example.com".
* @param {string} impersonatedServiceAccount - The name of the privilege-bearing service account for whom
* the credential is created.
*/
function main(scope, targetAudience, impersonatedServiceAccount) {
// [START auth_cloud_idtoken_impersonated_credentials]
/**
* TODO(developer):
* 1. Uncomment and replace these variables before running the sample.
*/
// const scope = 'https://www.googleapis.com/auth/cloud-platform';
// const targetAudience = 'http://www.example.com';
// const impersonatedServiceAccount = 'name@project.service.gserviceaccount.com';
const {GoogleAuth, Impersonated} = require('google-auth-library');
async function getIdTokenFromImpersonatedCredentials() {
const googleAuth = new GoogleAuth();
// Construct the GoogleCredentials object which obtains the default configuration from your
// working environment.
const {credential} = await googleAuth.getApplicationDefault();
// delegates: The chained list of delegates required to grant the final accessToken.
// For more information, see:
// https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#sa-credentials-permissions
// Delegate is NOT USED here.
const delegates = [];
// Create the impersonated credential.
const impersonatedCredentials = new Impersonated({
sourceClient: credential,
delegates,
targetPrincipal: impersonatedServiceAccount,
targetScopes: [scope],
lifetime: 300,
});
// Get the ID token.
// Once you've obtained the ID token, you can use it to make an authenticated call
// to the target audience.
await impersonatedCredentials.fetchIdToken(targetAudience, {
includeEmail: true,
});
console.log('Generated ID token.');
}
getIdTokenFromImpersonatedCredentials();
// [END auth_cloud_idtoken_impersonated_credentials]
}
process.on('unhandledRejection', err => {
console.error(err.message);
process.exitCode = 1;
});
main(...process.argv.slice(2));