BaseExternalAccountClient

Constructor

new BaseExternalAccountClient(options)

Instantiate a BaseExternalAccountClient instance using the provided JSON object loaded from an external account credentials file.

Parameters:

Name	Type	Description
`options`		The external account options object typically loaded from the external account JSON credential file. The camelCased options are aliases for the snake_cased options.

Members

cloudResourceManagerURL

Example

```ts
new URL('https://cloudresourcemanager.googleapis.com/v1/projects/');
```

scopes

OAuth scopes for the GCP access token to use. When not provided, the default https://www.googleapis.com/auth/cloud-platform is used.

Methods

(async) getAccessToken()

Returns:

Type	Description
	A promise that resolves with the current GCP access token response. If the current credential is expired, a new one is retrieved.

(async) getImpersonatedAccessToken(token)

Exchanges an external account GCP access token for a service account impersonated access token using iamcredentials GenerateAccessToken API.

Parameters:

Name	Type	Description
`token`		The access token to exchange for a service account access token.

Returns:

Type	Description
	A promise that resolves with the service account impersonated credentials response.

(async) getProjectId() → {projectId}

Returns:

Type Description

Type	Description
projectId	A promise that resolves with the project ID corresponding to the current workload identity pool or current workforce pool if determinable. For workforce pool credential, it returns the project ID corresponding to the workforcePoolUserProject. This is introduced to match the current pattern of using the Auth library: const projectId = await auth.getProjectId(); const url = `https://dns.googleapis.com/dns/v1/projects/$`; const res = await client.request({ url }); The resource may not have permission (resourcemanager.projects.get) to call this API or the required scopes may not be selected: https://cloud.google.com/resource-manager/reference/rest/v1/projects/get#authorization-scopes

projectId

A promise that resolves with the project ID corresponding to the current workload identity pool or current workforce pool if determinable. For workforce pool credential, it returns the project ID corresponding to the workforcePoolUserProject. This is introduced to match the current pattern of using the Auth library: const projectId = await auth.getProjectId(); const url = https://dns.googleapis.com/dns/v1/projects/$; const res = await client.request({ url }); The resource may not have permission (resourcemanager.projects.get) to call this API or the required scopes may not be selected: https://cloud.google.com/resource-manager/reference/rest/v1/projects/get#authorization-scopes

getProjectNumber(audience)

Returns the workload identity pool project number if it is determinable from the audience resource name.

Parameters:

Name	Type	Description
`audience`		The STS audience used to determine the project number.

Returns:

Type	Description
	The project number associated with the workload identity pool, if this can be determined from the STS audience field. Otherwise, null is returned.

(async) getRequestHeaders()

The main authentication interface. It takes an optional url which when present is the endpoint being accessed, and returns a Promise which resolves with authorization header fields.

The result has the form: { authorization: 'Bearer <access_token_value>' }

getScopesArray()

Returns:

Type	Description
	The list of scopes for the requested GCP access token.

getServiceAccountEmail()

The service account email to be impersonated, if available.

isExpired(accessToken)

Returns whether the provided credentials are expired or not. If there is no expiry time, assumes the token is not expired or expiring.

Parameters:

Name	Type	Description
`accessToken`		The credentials to check for expiration.

Returns:

Type	Description
	Whether the credentials are expired or not.

(async) refreshAccessTokenAsync()

Forces token refresh, even if unexpired tokens are currently cached. External credentials are exchanged for GCP access tokens via the token exchange endpoint and other settings provided in the client options object. If the service_account_impersonation_url is provided, an additional step to exchange the external account GCP access token for a service account impersonated token is performed.

Returns:

Type	Description
	A promise that resolves with the fresh GCP access tokens.

(async) requestAsync(opts, reAuthRetried)

Authenticates the provided HTTP request, processes it and resolves with the returned response.

Parameters:

Name	Type	Default	Description
`opts`			The HTTP request options.
`reAuthRetried`		false	Whether the current attempt is a retry after a failed attempt due to an auth failure.

Returns:

Type	Description
	A promise that resolves with the successful response.

setCredentials(credentials)

Provides a mechanism to inject GCP access tokens directly. When the provided credential expires, a new credential, using the external account options, is retrieved.

Parameters:

Name	Type	Description
`credentials`		The Credentials object to set on the current client.