@google-cloud/iam-credentials
Version:
Credentials client for Node.js
298 lines (297 loc) • 18.1 kB
TypeScript
import type * as gax from 'google-gax';
import type { Callback, CallOptions, Descriptors, ClientOptions } from 'google-gax';
import * as protos from '../../protos/protos';
/**
* A service account is a special type of Google account that belongs to your
* application or a virtual machine (VM), instead of to an individual end user.
* Your application assumes the identity of the service account to call Google
* APIs, so that the users aren't directly involved.
*
* Service account credentials are used to temporarily assume the identity
* of the service account. Supported credential types include OAuth 2.0 access
* tokens, OpenID Connect ID tokens, self-signed JSON Web Tokens (JWTs), and
* more.
* @class
* @memberof v1
*/
export declare class IAMCredentialsClient {
private _terminated;
private _opts;
private _providedCustomServicePath;
private _gaxModule;
private _gaxGrpc;
private _protos;
private _defaults;
private _universeDomain;
private _servicePath;
private _log;
auth: gax.GoogleAuth;
descriptors: Descriptors;
warn: (code: string, message: string, warnType?: string) => void;
innerApiCalls: {
[name: string]: Function;
};
iAMCredentialsStub?: Promise<{
[name: string]: Function;
}>;
/**
* Construct an instance of IAMCredentialsClient.
*
* @param {object} [options] - The configuration object.
* The options accepted by the constructor are described in detail
* in [this document](https://github.com/googleapis/gax-nodejs/blob/main/client-libraries.md#creating-the-client-instance).
* The common options are:
* @param {object} [options.credentials] - Credentials object.
* @param {string} [options.credentials.client_email]
* @param {string} [options.credentials.private_key]
* @param {string} [options.email] - Account email address. Required when
* using a .pem or .p12 keyFilename.
* @param {string} [options.keyFilename] - Full path to the a .json, .pem, or
* .p12 key downloaded from the Google Developers Console. If you provide
* a path to a JSON file, the projectId option below is not necessary.
* NOTE: .pem and .p12 require you to specify options.email as well.
* @param {number} [options.port] - The port on which to connect to
* the remote host.
* @param {string} [options.projectId] - The project ID from the Google
* Developer's Console, e.g. 'grape-spaceship-123'. We will also check
* the environment variable GCLOUD_PROJECT for your project ID. If your
* app is running in an environment which supports
* {@link https://cloud.google.com/docs/authentication/application-default-credentials Application Default Credentials},
* your project ID will be detected automatically.
* @param {string} [options.apiEndpoint] - The domain name of the
* API remote host.
* @param {gax.ClientConfig} [options.clientConfig] - Client configuration override.
* Follows the structure of {@link gapicConfig}.
* @param {boolean} [options.fallback] - Use HTTP/1.1 REST mode.
* For more information, please check the
* {@link https://github.com/googleapis/gax-nodejs/blob/main/client-libraries.md#http11-rest-api-mode documentation}.
* @param {gax} [gaxInstance]: loaded instance of `google-gax`. Useful if you
* need to avoid loading the default gRPC version and want to use the fallback
* HTTP implementation. Load only fallback version and pass it to the constructor:
* ```
* const gax = require('google-gax/build/src/fallback'); // avoids loading google-gax with gRPC
* const client = new IAMCredentialsClient({fallback: true}, gax);
* ```
*/
constructor(opts?: ClientOptions, gaxInstance?: typeof gax | typeof gax.fallback);
/**
* Initialize the client.
* Performs asynchronous operations (such as authentication) and prepares the client.
* This function will be called automatically when any class method is called for the
* first time, but if you need to initialize it before calling an actual method,
* feel free to call initialize() directly.
*
* You can await on this method if you want to make sure the client is initialized.
*
* @returns {Promise} A promise that resolves to an authenticated service stub.
*/
initialize(): Promise<{
[name: string]: Function;
}>;
/**
* The DNS address for this API service.
* @deprecated Use the apiEndpoint method of the client instance.
* @returns {string} The DNS address for this service.
*/
static get servicePath(): string;
/**
* The DNS address for this API service - same as servicePath.
* @deprecated Use the apiEndpoint method of the client instance.
* @returns {string} The DNS address for this service.
*/
static get apiEndpoint(): string;
/**
* The DNS address for this API service.
* @returns {string} The DNS address for this service.
*/
get apiEndpoint(): string;
get universeDomain(): string;
/**
* The port for this API service.
* @returns {number} The default port for this service.
*/
static get port(): number;
/**
* The scopes needed to make gRPC calls for every method defined
* in this service.
* @returns {string[]} List of default scopes.
*/
static get scopes(): string[];
getProjectId(): Promise<string>;
getProjectId(callback: Callback<string, undefined, undefined>): void;
/**
* Generates an OAuth 2.0 access token for a service account.
*
* @param {Object} request
* The request object that will be sent.
* @param {string} request.name
* Required. The resource name of the service account for which the credentials
* are requested, in the following format:
* `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
* character is required; replacing it with a project ID is invalid.
* @param {string[]} request.delegates
* The sequence of service accounts in a delegation chain. Each service
* account must be granted the `roles/iam.serviceAccountTokenCreator` role
* on its next service account in the chain. The last service account in the
* chain must be granted the `roles/iam.serviceAccountTokenCreator` role
* on the service account that is specified in the `name` field of the
* request.
*
* The delegates must have the following format:
* `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
* character is required; replacing it with a project ID is invalid.
* @param {string[]} request.scope
* Required. Code to identify the scopes to be included in the OAuth 2.0 access token.
* See https://developers.google.com/identity/protocols/googlescopes for more
* information.
* At least one value required.
* @param {google.protobuf.Duration} request.lifetime
* The desired lifetime duration of the access token in seconds.
* Must be set to a value less than or equal to 3600 (1 hour). If a value is
* not specified, the token's lifetime will be set to a default value of one
* hour.
* @param {object} [options]
* Call options. See {@link https://googleapis.dev/nodejs/google-gax/latest/interfaces/CallOptions.html|CallOptions} for more details.
* @returns {Promise} - The promise which resolves to an array.
* The first element of the array is an object representing {@link protos.google.iam.credentials.v1.GenerateAccessTokenResponse|GenerateAccessTokenResponse}.
* Please see the {@link https://github.com/googleapis/gax-nodejs/blob/master/client-libraries.md#regular-methods | documentation }
* for more details and examples.
* @example <caption>include:samples/generated/v1/i_a_m_credentials.generate_access_token.js</caption>
* region_tag:iamcredentials_v1_generated_IAMCredentials_GenerateAccessToken_async
*/
generateAccessToken(request?: protos.google.iam.credentials.v1.IGenerateAccessTokenRequest, options?: CallOptions): Promise<[
protos.google.iam.credentials.v1.IGenerateAccessTokenResponse,
protos.google.iam.credentials.v1.IGenerateAccessTokenRequest | undefined,
{} | undefined
]>;
generateAccessToken(request: protos.google.iam.credentials.v1.IGenerateAccessTokenRequest, options: CallOptions, callback: Callback<protos.google.iam.credentials.v1.IGenerateAccessTokenResponse, protos.google.iam.credentials.v1.IGenerateAccessTokenRequest | null | undefined, {} | null | undefined>): void;
generateAccessToken(request: protos.google.iam.credentials.v1.IGenerateAccessTokenRequest, callback: Callback<protos.google.iam.credentials.v1.IGenerateAccessTokenResponse, protos.google.iam.credentials.v1.IGenerateAccessTokenRequest | null | undefined, {} | null | undefined>): void;
/**
* Generates an OpenID Connect ID token for a service account.
*
* @param {Object} request
* The request object that will be sent.
* @param {string} request.name
* Required. The resource name of the service account for which the credentials
* are requested, in the following format:
* `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
* character is required; replacing it with a project ID is invalid.
* @param {string[]} request.delegates
* The sequence of service accounts in a delegation chain. Each service
* account must be granted the `roles/iam.serviceAccountTokenCreator` role
* on its next service account in the chain. The last service account in the
* chain must be granted the `roles/iam.serviceAccountTokenCreator` role
* on the service account that is specified in the `name` field of the
* request.
*
* The delegates must have the following format:
* `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
* character is required; replacing it with a project ID is invalid.
* @param {string} request.audience
* Required. The audience for the token, such as the API or account that this token
* grants access to.
* @param {boolean} request.includeEmail
* Include the service account email in the token. If set to `true`, the
* token will contain `email` and `email_verified` claims.
* @param {object} [options]
* Call options. See {@link https://googleapis.dev/nodejs/google-gax/latest/interfaces/CallOptions.html|CallOptions} for more details.
* @returns {Promise} - The promise which resolves to an array.
* The first element of the array is an object representing {@link protos.google.iam.credentials.v1.GenerateIdTokenResponse|GenerateIdTokenResponse}.
* Please see the {@link https://github.com/googleapis/gax-nodejs/blob/master/client-libraries.md#regular-methods | documentation }
* for more details and examples.
* @example <caption>include:samples/generated/v1/i_a_m_credentials.generate_id_token.js</caption>
* region_tag:iamcredentials_v1_generated_IAMCredentials_GenerateIdToken_async
*/
generateIdToken(request?: protos.google.iam.credentials.v1.IGenerateIdTokenRequest, options?: CallOptions): Promise<[
protos.google.iam.credentials.v1.IGenerateIdTokenResponse,
protos.google.iam.credentials.v1.IGenerateIdTokenRequest | undefined,
{} | undefined
]>;
generateIdToken(request: protos.google.iam.credentials.v1.IGenerateIdTokenRequest, options: CallOptions, callback: Callback<protos.google.iam.credentials.v1.IGenerateIdTokenResponse, protos.google.iam.credentials.v1.IGenerateIdTokenRequest | null | undefined, {} | null | undefined>): void;
generateIdToken(request: protos.google.iam.credentials.v1.IGenerateIdTokenRequest, callback: Callback<protos.google.iam.credentials.v1.IGenerateIdTokenResponse, protos.google.iam.credentials.v1.IGenerateIdTokenRequest | null | undefined, {} | null | undefined>): void;
/**
* Signs a blob using a service account's system-managed private key.
*
* @param {Object} request
* The request object that will be sent.
* @param {string} request.name
* Required. The resource name of the service account for which the credentials
* are requested, in the following format:
* `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
* character is required; replacing it with a project ID is invalid.
* @param {string[]} request.delegates
* The sequence of service accounts in a delegation chain. Each service
* account must be granted the `roles/iam.serviceAccountTokenCreator` role
* on its next service account in the chain. The last service account in the
* chain must be granted the `roles/iam.serviceAccountTokenCreator` role
* on the service account that is specified in the `name` field of the
* request.
*
* The delegates must have the following format:
* `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
* character is required; replacing it with a project ID is invalid.
* @param {Buffer} request.payload
* Required. The bytes to sign.
* @param {object} [options]
* Call options. See {@link https://googleapis.dev/nodejs/google-gax/latest/interfaces/CallOptions.html|CallOptions} for more details.
* @returns {Promise} - The promise which resolves to an array.
* The first element of the array is an object representing {@link protos.google.iam.credentials.v1.SignBlobResponse|SignBlobResponse}.
* Please see the {@link https://github.com/googleapis/gax-nodejs/blob/master/client-libraries.md#regular-methods | documentation }
* for more details and examples.
* @example <caption>include:samples/generated/v1/i_a_m_credentials.sign_blob.js</caption>
* region_tag:iamcredentials_v1_generated_IAMCredentials_SignBlob_async
*/
signBlob(request?: protos.google.iam.credentials.v1.ISignBlobRequest, options?: CallOptions): Promise<[
protos.google.iam.credentials.v1.ISignBlobResponse,
protos.google.iam.credentials.v1.ISignBlobRequest | undefined,
{} | undefined
]>;
signBlob(request: protos.google.iam.credentials.v1.ISignBlobRequest, options: CallOptions, callback: Callback<protos.google.iam.credentials.v1.ISignBlobResponse, protos.google.iam.credentials.v1.ISignBlobRequest | null | undefined, {} | null | undefined>): void;
signBlob(request: protos.google.iam.credentials.v1.ISignBlobRequest, callback: Callback<protos.google.iam.credentials.v1.ISignBlobResponse, protos.google.iam.credentials.v1.ISignBlobRequest | null | undefined, {} | null | undefined>): void;
/**
* Signs a JWT using a service account's system-managed private key.
*
* @param {Object} request
* The request object that will be sent.
* @param {string} request.name
* Required. The resource name of the service account for which the credentials
* are requested, in the following format:
* `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
* character is required; replacing it with a project ID is invalid.
* @param {string[]} request.delegates
* The sequence of service accounts in a delegation chain. Each service
* account must be granted the `roles/iam.serviceAccountTokenCreator` role
* on its next service account in the chain. The last service account in the
* chain must be granted the `roles/iam.serviceAccountTokenCreator` role
* on the service account that is specified in the `name` field of the
* request.
*
* The delegates must have the following format:
* `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
* character is required; replacing it with a project ID is invalid.
* @param {string} request.payload
* Required. The JWT payload to sign: a JSON object that contains a JWT Claims Set.
* @param {object} [options]
* Call options. See {@link https://googleapis.dev/nodejs/google-gax/latest/interfaces/CallOptions.html|CallOptions} for more details.
* @returns {Promise} - The promise which resolves to an array.
* The first element of the array is an object representing {@link protos.google.iam.credentials.v1.SignJwtResponse|SignJwtResponse}.
* Please see the {@link https://github.com/googleapis/gax-nodejs/blob/master/client-libraries.md#regular-methods | documentation }
* for more details and examples.
* @example <caption>include:samples/generated/v1/i_a_m_credentials.sign_jwt.js</caption>
* region_tag:iamcredentials_v1_generated_IAMCredentials_SignJwt_async
*/
signJwt(request?: protos.google.iam.credentials.v1.ISignJwtRequest, options?: CallOptions): Promise<[
protos.google.iam.credentials.v1.ISignJwtResponse,
protos.google.iam.credentials.v1.ISignJwtRequest | undefined,
{} | undefined
]>;
signJwt(request: protos.google.iam.credentials.v1.ISignJwtRequest, options: CallOptions, callback: Callback<protos.google.iam.credentials.v1.ISignJwtResponse, protos.google.iam.credentials.v1.ISignJwtRequest | null | undefined, {} | null | undefined>): void;
signJwt(request: protos.google.iam.credentials.v1.ISignJwtRequest, callback: Callback<protos.google.iam.credentials.v1.ISignJwtResponse, protos.google.iam.credentials.v1.ISignJwtRequest | null | undefined, {} | null | undefined>): void;
/**
* Terminate the gRPC channel and close the client.
*
* The client will no longer be usable and all future behavior is undefined.
* @returns {Promise} A promise that resolves when the client is closed.
*/
close(): Promise<void>;
}