1 | import { BaseExternalAccountClient, BaseExternalAccountClientOptions, ExternalAccountSupplierContext } from './baseexternalclient';
|
2 | import { AuthClientOptions } from './authclient';
|
3 | import { SnakeToCamelObject } from '../util';
|
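/**
 * Supported encodings of the subject token as it appears in the credential
 * source (file contents or URL response): a JSON document or raw text.
 */
export type SubjectTokenFormatType = 'json' | 'text';

/**
 * Shape of a JSON-formatted credential source payload: a flat map of string
 * field names to string values.
 *
 * NOTE(review): presumably one of these fields carries the subject token
 * (see `subject_token_field_name` on the credential source format) - confirm
 * against the implementation. Treat parsed values as credential material and
 * keep them out of logs and error messages.
 */
export interface SubjectTokenJsonResponse {
  [key: string]: string;
}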
|
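/**
 * Supplier interface for subject tokens. This can be implemented to
 * return a subject token which can then be exchanged for a GCP token by an
 * {@link IdentityPoolClient}.
 *
 * Security note for implementers: the returned value is a credential. Keep it
 * out of logs, error messages and telemetry, and obtain it only from a source
 * the workload is meant to trust.
 */
export interface SubjectTokenSupplier {
  /**
   * Gets a valid subject token for the requested external account identity.
   * Note that these are not cached by the calling {@link IdentityPoolClient},
   * so caching should be included in the implementation. A cached token
   * should be discarded once it has expired, so that a stale credential is
   * never handed back to the client.
   * @param context {@link ExternalAccountSupplierContext} from the calling
   *   {@link IdentityPoolClient}, contains the requested audience and subject
   *   token type for the external account identity as well as the transport
   *   from the calling client to use for requests.
   * @return A promise that resolves with the requested subject token string.
   */
  getSubjectToken: (context: ExternalAccountSupplierContext) => Promise<string>;
}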
|
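/**
 * Url-sourced/file-sourced credentials json interface.
 * This is used for K8s and Azure workloads.
 *
 * Security note: `credential_source` decides where the subject token is read
 * from (a local file path or a URL, plus the headers sent to that URL). A
 * configuration received from outside your own control should be treated as
 * untrusted input: check the file path, URL and headers against the values
 * you expect before constructing a client from it.
 */
export interface IdentityPoolClientOptions extends BaseExternalAccountClientOptions {
  /**
   * Object containing options to retrieve identity pool credentials. A valid
   * credential source or a subject token supplier must be specified.
   */
  credential_source?: {
    /**
     * The file location to read the subject token from. Either this or a URL
     * should be specified.
     * The file holds a credential; restrict its permissions to the workload
     * identity that needs to read it.
     */
    file?: string;
    /**
     * The URL to call to retrieve the subject token. Either this or a file
     * location should be specified.
     * The response is a credential, so this should only ever point at the
     * token endpoint the workload is expected to use.
     */
    url?: string;
    /**
     * Optional headers to send on the request to the specified URL.
     * Header values may themselves be sensitive; avoid logging them.
     */
    headers?: {
      [key: string]: string;
    };
    /**
     * The format that the subject token is in the file or the URL response.
     * If not provided, will default to reading the text string directly.
     */
    format?: {
      /**
       * The format type. Can either be 'text' or 'json'.
       */
      type: SubjectTokenFormatType;
      /**
       * The field name containing the subject token value if the type is
       * 'json'.
       */
      subject_token_field_name?: string;
    };
  };
  /**
   * The subject token supplier to call to retrieve the subject token to
   * exchange for a GCP access token. Either this or a valid credential source
   * should be specified.
   */
  subject_token_supplier?: SubjectTokenSupplier;
}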
|
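/**
 * Defines the Url-sourced and file-sourced external account clients mainly
 * used for K8s and Azure workloads.
 */
export declare class IdentityPoolClient extends BaseExternalAccountClient {
  // Untyped in this declaration; the implementation is not visible here.
  private readonly subjectTokenSupplier;
  /**
   * Instantiate an IdentityPoolClient instance using the provided JSON
   * object loaded from an external account credentials file.
   * An error is thrown if the credential is not a valid file-sourced or
   * url-sourced credential or a workforce pool user project is provided
   * with a non workforce audience.
   *
   * Because the options normally come from a JSON credential file, a file
   * obtained from a source outside your control should be validated before
   * it is passed here: it determines where the subject token is fetched from.
   * @param options The external account options object typically loaded
   *   from the external account JSON credential file. The camelCased options
   *   are aliases for the snake_cased options.
   * @param additionalOptions **DEPRECATED, all options are available in the
   *   `options` parameter.** Optional additional behavior customization
   *   options. These currently customize expiration threshold time and
   *   whether to retry on 401/403 API request errors.
   */
  constructor(options: IdentityPoolClientOptions | SnakeToCamelObject<IdentityPoolClientOptions>, additionalOptions?: AuthClientOptions);
  /**
   * Triggered when an external subject token is needed to be exchanged for a
   * GCP access token via GCP STS endpoint. Gets a subject token by calling
   * the configured {@link SubjectTokenSupplier}.
   * The resolved string is a credential; callers should not log or persist it.
   * @return A promise that resolves with the external subject token.
   */
  retrieveSubjectToken(): Promise<string>;
}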
|