UNPKG

google-auth-library

Version:

Google APIs Authentication Client Library for Node.js

github.com/googleapis/google-auth-library-nodejs

googleapis/google-auth-library-nodejs

121 lines (120 loc) 5.69 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
import { AwsSecurityCredentials } from './awsrequestsigner'; import { BaseExternalAccountClient, BaseExternalAccountClientOptions, ExternalAccountSupplierContext } from './baseexternalclient'; import { AuthClientOptions } from './authclient'; import { SnakeToCamelObject } from '../util'; /** * AWS credentials JSON interface. This is used for AWS workloads. */ export interface AwsClientOptions extends BaseExternalAccountClientOptions { /** * Object containing options to retrieve AWS security credentials. A valid credential * source or a aws security credentials supplier should be specified. */ credential_source?: { /** * AWS environment ID. Currently only 'AWS1' is supported. */ environment_id: string; /** * The EC2 metadata URL to retrieve the current AWS region from. If this is * not provided, the region should be present in the AWS_REGION or AWS_DEFAULT_REGION * environment variables. */ region_url?: string; /** * The EC2 metadata URL to retrieve AWS security credentials. If this is not provided, * the credentials should be present in the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, * and AWS_SESSION_TOKEN environment variables. */ url?: string; /** * The regional GetCallerIdentity action URL, used to determine the account * ID and its roles. */ regional_cred_verification_url: string; /** * The imdsv2 session token url is used to fetch session token from AWS * which is later sent through headers for metadata requests. If the * field is missing, then session token won't be fetched and sent with * the metadata requests. * The session token is required for IMDSv2 but optional for IMDSv1 */ imdsv2_session_token_url?: string; }; /** * The AWS security credentials supplier to call to retrieve the AWS region * and AWS security credentials. Either this or a valid credential source * must be specified. */ aws_security_credentials_supplier?: AwsSecurityCredentialsSupplier; } /** * Supplier interface for AWS security credentials. This can be implemented to * return an AWS region and AWS security credentials. These credentials can * then be exchanged for a GCP token by an {@link AwsClient}. */ export interface AwsSecurityCredentialsSupplier { /** * Gets the active AWS region. * @param context {@link ExternalAccountSupplierContext} from the calling * {@link AwsClient}, contains the requested audience and subject token type * for the external account identity as well as the transport from the * calling client to use for requests. * @return A promise that resolves with the AWS region string. */ getAwsRegion: (context: ExternalAccountSupplierContext) => Promise<string>; /** * Gets valid AWS security credentials for the requested external account * identity. Note that these are not cached by the calling {@link AwsClient}, * so caching should be including in the implementation. * @param context {@link ExternalAccountSupplierContext} from the calling * {@link AwsClient}, contains the requested audience and subject token type * for the external account identity as well as the transport from the * calling client to use for requests. * @return A promise that resolves with the requested {@link AwsSecurityCredentials}. */ getAwsSecurityCredentials: (context: ExternalAccountSupplierContext) => Promise<AwsSecurityCredentials>; } /** * AWS external account client. This is used for AWS workloads, where * AWS STS GetCallerIdentity serialized signed requests are exchanged for * GCP access token. */ export declare class AwsClient extends BaseExternalAccountClient { #private; private readonly environmentId?; private readonly awsSecurityCredentialsSupplier; private readonly regionalCredVerificationUrl; private awsRequestSigner; private region; /** * @deprecated AWS client no validates the EC2 metadata address. **/ static AWS_EC2_METADATA_IPV4_ADDRESS: string; /** * @deprecated AWS client no validates the EC2 metadata address. **/ static AWS_EC2_METADATA_IPV6_ADDRESS: string; /** * Instantiates an AwsClient instance using the provided JSON * object loaded from an external account credentials file. * An error is thrown if the credential is not a valid AWS credential. * @param options The external account options object typically loaded * from the external account JSON credential file. * @param additionalOptions **DEPRECATED, all options are available in the * `options` parameter.** Optional additional behavior customization options. * These currently customize expiration threshold time and whether to retry * on 401/403 API request errors. */ constructor(options: AwsClientOptions | SnakeToCamelObject<AwsClientOptions>, additionalOptions?: AuthClientOptions); private validateEnvironmentId; /** * Triggered when an external subject token is needed to be exchanged for a * GCP access token via GCP STS endpoint. This will call the * {@link AwsSecurityCredentialsSupplier} to retrieve an AWS region and AWS * Security Credentials, then use them to create a signed AWS STS request that * can be exchanged for a GCP access token. * @return A promise that resolves with the external subject token. */ retrieveSubjectToken(): Promise<string>; }