1 | /**
|
2 | * Copyright 2021 Google LLC
|
3 | *
|
4 | * Licensed under the Apache License, Version 2.0 (the "License");
|
5 | * you may not use this file except in compliance with the License.
|
6 | * You may obtain a copy of the License at
|
7 | *
|
8 | * http://www.apache.org/licenses/LICENSE-2.0
|
9 | *
|
10 | * Unless required by applicable law or agreed to in writing, software
|
11 | * distributed under the License is distributed on an "AS IS" BASIS,
|
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
13 | * See the License for the specific language governing permissions and
|
14 | * limitations under the License.
|
15 | */
|
16 | import { GetTokenResponse, OAuth2Client, RefreshOptions } from './oauth2client';
|
17 | import { AuthClient } from './authclient';
|
18 | export interface ImpersonatedOptions extends RefreshOptions {
|
19 | /**
|
20 | * Client used to perform exchange for impersonated client.
|
21 | */
|
22 | sourceClient?: AuthClient;
|
23 | /**
|
24 | * The service account to impersonate.
|
25 | */
|
26 | targetPrincipal?: string;
|
27 | /**
|
28 | * Scopes to request during the authorization grant.
|
29 | */
|
30 | targetScopes?: string[];
|
31 | /**
|
32 | * The chained list of delegates required to grant the final access_token.
|
33 | */
|
34 | delegates?: string[];
|
35 | /**
|
36 | * Number of seconds the delegated credential should be valid.
|
37 | */
|
38 | lifetime?: number | 3600;
|
39 | /**
|
40 | * API endpoint to fetch token from.
|
41 | */
|
42 | endpoint?: string;
|
43 | }
|
44 | export interface TokenResponse {
|
45 | accessToken: string;
|
46 | expireTime: string;
|
47 | }
|
48 | export declare class Impersonated extends OAuth2Client {
|
49 | private sourceClient;
|
50 | private targetPrincipal;
|
51 | private targetScopes;
|
52 | private delegates;
|
53 | private lifetime;
|
54 | private endpoint;
|
55 | /**
|
56 | * Impersonated service account credentials.
|
57 | *
|
58 | * Create a new access token by impersonating another service account.
|
59 | *
|
60 | * Impersonated Credentials allowing credentials issued to a user or
|
61 | * service account to impersonate another. The source project using
|
62 | * Impersonated Credentials must enable the "IAMCredentials" API.
|
63 | * Also, the target service account must grant the orginating principal
|
64 | * the "Service Account Token Creator" IAM role.
|
65 | *
|
66 | * @param {object} options - The configuration object.
|
67 | * @param {object} [options.sourceClient] the source credential used as to
|
68 | * acquire the impersonated credentials.
|
69 | * @param {string} [options.targetPrincipal] the service account to
|
70 | * impersonate.
|
71 | * @param {string[]} [options.delegates] the chained list of delegates
|
72 | * required to grant the final access_token. If set, the sequence of
|
73 | * identities must have "Service Account Token Creator" capability granted to
|
74 | * the preceding identity. For example, if set to [serviceAccountB,
|
75 | * serviceAccountC], the sourceCredential must have the Token Creator role on
|
76 | * serviceAccountB. serviceAccountB must have the Token Creator on
|
77 | * serviceAccountC. Finally, C must have Token Creator on target_principal.
|
78 | * If left unset, sourceCredential must have that role on targetPrincipal.
|
79 | * @param {string[]} [options.targetScopes] scopes to request during the
|
80 | * authorization grant.
|
81 | * @param {number} [options.lifetime] number of seconds the delegated
|
82 | * credential should be valid for up to 3600 seconds by default, or 43,200
|
83 | * seconds by extending the token's lifetime, see:
|
84 | * https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-oauth
|
85 | * @param {string} [options.endpoint] api endpoint override.
|
86 | */
|
87 | constructor(options?: ImpersonatedOptions);
|
88 | /**
|
89 | * Refreshes the access token.
|
90 | * @param refreshToken Unused parameter
|
91 | */
|
92 | protected refreshToken(refreshToken?: string | null): Promise<GetTokenResponse>;
|
93 | }
|