| 1 | /**
|
| 2 | * Copyright 2021 Google LLC
|
| 3 | *
|
| 4 | * Licensed under the Apache License, Version 2.0 (the "License");
|
| 5 | * you may not use this file except in compliance with the License.
|
| 6 | * You may obtain a copy of the License at
|
| 7 | *
|
| 8 | * http://www.apache.org/licenses/LICENSE-2.0
|
| 9 | *
|
| 10 | * Unless required by applicable law or agreed to in writing, software
|
| 11 | * distributed under the License is distributed on an "AS IS" BASIS,
|
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
| 13 | * See the License for the specific language governing permissions and
|
| 14 | * limitations under the License.
|
| 15 | */
|
| 16 | import { GetTokenResponse, OAuth2Client, OAuth2ClientOptions } from './oauth2client';
|
| 17 | import { AuthClient } from './authclient';
|
| 18 | import { IdTokenProvider } from './idtokenclient';
|
| 19 | import { SignBlobResponse } from './googleauth';
|
| 20 | export interface ImpersonatedOptions extends OAuth2ClientOptions {
|
| 21 | /**
|
| 22 | * Client used to perform exchange for impersonated client.
|
| 23 | */
|
| 24 | sourceClient?: AuthClient;
|
| 25 | /**
|
| 26 | * The service account to impersonate.
|
| 27 | */
|
| 28 | targetPrincipal?: string;
|
| 29 | /**
|
| 30 | * Scopes to request during the authorization grant.
|
| 31 | */
|
| 32 | targetScopes?: string[];
|
| 33 | /**
|
| 34 | * The chained list of delegates required to grant the final access_token.
|
| 35 | */
|
| 36 | delegates?: string[];
|
| 37 | /**
|
| 38 | * Number of seconds the delegated credential should be valid.
|
| 39 | */
|
| 40 | lifetime?: number | 3600;
|
| 41 | /**
|
| 42 | * API endpoint to fetch token from.
|
| 43 | */
|
| 44 | endpoint?: string;
|
| 45 | }
|
| 46 | export declare const IMPERSONATED_ACCOUNT_TYPE = "impersonated_service_account";
|
| 47 | export interface TokenResponse {
|
| 48 | accessToken: string;
|
| 49 | expireTime: string;
|
| 50 | }
|
| 51 | export interface FetchIdTokenOptions {
|
| 52 | /**
|
| 53 | * Include the service account email in the token.
|
| 54 | * If set to `true`, the token will contain `email` and `email_verified` claims.
|
| 55 | */
|
| 56 | includeEmail: boolean;
|
| 57 | }
|
| 58 | export interface FetchIdTokenResponse {
|
| 59 | /** The OpenId Connect ID token. */
|
| 60 | token: string;
|
| 61 | }
|
| 62 | export declare class Impersonated extends OAuth2Client implements IdTokenProvider {
|
| 63 | private sourceClient;
|
| 64 | private targetPrincipal;
|
| 65 | private targetScopes;
|
| 66 | private delegates;
|
| 67 | private lifetime;
|
| 68 | private endpoint;
|
| 69 | /**
|
| 70 | * Impersonated service account credentials.
|
| 71 | *
|
| 72 | * Create a new access token by impersonating another service account.
|
| 73 | *
|
| 74 | * Impersonated Credentials allowing credentials issued to a user or
|
| 75 | * service account to impersonate another. The source project using
|
| 76 | * Impersonated Credentials must enable the "IAMCredentials" API.
|
| 77 | * Also, the target service account must grant the orginating principal
|
| 78 | * the "Service Account Token Creator" IAM role.
|
| 79 | *
|
| 80 | * @param {object} options - The configuration object.
|
| 81 | * @param {object} [options.sourceClient] the source credential used as to
|
| 82 | * acquire the impersonated credentials.
|
| 83 | * @param {string} [options.targetPrincipal] the service account to
|
| 84 | * impersonate.
|
| 85 | * @param {string[]} [options.delegates] the chained list of delegates
|
| 86 | * required to grant the final access_token. If set, the sequence of
|
| 87 | * identities must have "Service Account Token Creator" capability granted to
|
| 88 | * the preceding identity. For example, if set to [serviceAccountB,
|
| 89 | * serviceAccountC], the sourceCredential must have the Token Creator role on
|
| 90 | * serviceAccountB. serviceAccountB must have the Token Creator on
|
| 91 | * serviceAccountC. Finally, C must have Token Creator on target_principal.
|
| 92 | * If left unset, sourceCredential must have that role on targetPrincipal.
|
| 93 | * @param {string[]} [options.targetScopes] scopes to request during the
|
| 94 | * authorization grant.
|
| 95 | * @param {number} [options.lifetime] number of seconds the delegated
|
| 96 | * credential should be valid for up to 3600 seconds by default, or 43,200
|
| 97 | * seconds by extending the token's lifetime, see:
|
| 98 | * https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-oauth
|
| 99 | * @param {string} [options.endpoint] api endpoint override.
|
| 100 | */
|
| 101 | constructor(options?: ImpersonatedOptions);
|
| 102 | /**
|
| 103 | * Signs some bytes.
|
| 104 | *
|
| 105 | * { https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob Reference Documentation}
|
| 106 | * blobToSign String to sign.
|
| 107 | *
|
| 108 | * A { SignBlobResponse} denoting the keyID and signedBlob in base64 string
|
| 109 | */
|
| 110 | sign(blobToSign: string): Promise<SignBlobResponse>;
|
| 111 | /** The service account email to be impersonated. */
|
| 112 | getTargetPrincipal(): string;
|
| 113 | /**
|
| 114 | * Refreshes the access token.
|
| 115 | */
|
| 116 | protected refreshToken(): Promise<GetTokenResponse>;
|
| 117 | /**
|
| 118 | * Generates an OpenID Connect ID token for a service account.
|
| 119 | *
|
| 120 | * {@link https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateIdToken Reference Documentation}
|
| 121 | *
|
| 122 | * @param targetAudience the audience for the fetched ID token.
|
| 123 | * @param options the for the request
|
| 124 | * @return an OpenID Connect ID token
|
| 125 | */
|
| 126 | fetchIdToken(targetAudience: string, options?: FetchIdTokenOptions): Promise<string>;
|
| 127 | }
|