Impersonated

new Impersonated(options)

Impersonated service account credentials.

Create a new access token by impersonating another service account.

Impersonated Credentials allow credentials issued to a user or service account to impersonate another. The source project using Impersonated Credentials must enable the "IAMCredentials" API. Also, the target service account must grant the originating principal the "Service Account Token Creator" IAM role.

Parameters:
Name Type Description
options object

The configuration object.

Properties
Name Type Attributes Description
sourceClient object <optional>

the source credential used to acquire the impersonated credentials.

targetPrincipal string <optional>

the service account to impersonate.

delegates Array.<string> <optional>

the chained list of delegates required to grant the final access_token. If set, each identity in the sequence must have the "Service Account Token Creator" capability granted to the preceding identity. For example, if set to [serviceAccountB, serviceAccountC], the sourceCredential must have the Token Creator role on serviceAccountB. serviceAccountB must have the Token Creator role on serviceAccountC. Finally, C must have Token Creator on target_principal. If left unset, sourceCredential must have that role on targetPrincipal.

targetScopes Array.<string> <optional>

scopes to request during the authorization grant.

lifetime number <optional>

number of seconds the delegated credential should be valid for: up to 3600 seconds by default, or 43,200 seconds by extending the token's lifetime. See: https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-oauth

endpoint string <optional>

api endpoint override.
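
The delegation rule for `delegates` and the `lifetime` limits above can be checked before an options object is deployed. This is an added example, not code from the library: `missingGrants`, `lifetimeIssue`, the `SA` helper and all account names and bindings are hypothetical, constructed sample data.

```javascript
const TOKEN_CREATOR = 'roles/iam.serviceAccountTokenCreator';
const DEFAULT_MAX_LIFETIME = 3600;   // seconds, default ceiling
const EXTENDED_MAX_LIFETIME = 43200; // seconds, only with an extended lifetime

// Constructed sample data: for each service account, the members that hold
// Token Creator on it (as would be read from that account's IAM policy).
const SA = (name) => `${name}@example-project.iam.gserviceaccount.com`;
const sampleBindings = {
  [SA('sa-b')]: ['user:alice@example.com'],
  [SA('sa-c')]: [`serviceAccount:${SA('sa-b')}`],
  [SA('target')]: [], // sa-c has not been granted the role here
};

// Walks source -> delegates[0] -> ... -> targetPrincipal and returns every
// hop where the caller lacks Token Creator on the next account.
function missingGrants(sourceMember, options, bindings) {
  const hops = [...(options.delegates || []), options.targetPrincipal];
  const missing = [];
  let caller = sourceMember;
  for (const account of hops) {
    const members = bindings[account] || [];
    if (!members.includes(caller)) {
      missing.push({ member: caller, role: TOKEN_CREATOR, on: account });
    }
    caller = `serviceAccount:${account}`;
  }
  return missing;
}

// Returns a description of the problem, or null if the lifetime is acceptable.
function lifetimeIssue(lifetime, extensionEnabled = false) {
  const max = extensionEnabled ? EXTENDED_MAX_LIFETIME : DEFAULT_MAX_LIFETIME;
  if (!Number.isInteger(lifetime) || lifetime <= 0) {
    return 'lifetime must be a positive integer number of seconds';
  }
  return lifetime > max ? `lifetime ${lifetime}s exceeds ${max}s` : null;
}

const sampleOptions = {
  targetPrincipal: SA('target'),
  delegates: [SA('sa-b'), SA('sa-c')],
  targetScopes: ['https://www.googleapis.com/auth/cloud-platform'],
  lifetime: 3600,
};
console.log(missingGrants('user:alice@example.com', sampleOptions, sampleBindings));
console.log(lifetimeIssue(sampleOptions.lifetime));
```

Run against real IAM policies, an empty result means the chain satisfies the stated requirement; any extra member holding Token Creator on a hop is worth reviewing separately, since that role lets the holder mint tokens for the account.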

Methods

(async) fetchIdToken(targetAudience, options)

Generates an OpenID Connect ID token for a service account.

Reference Documentation

Parameters:
Name Type Description
targetAudience

the audience for the fetched ID token.

options

the options for the request

Returns:
Type Description

an OpenID Connect ID token

getTargetPrincipal()

The service account email to be impersonated.

(async) refreshToken()

Refreshes the access token.

(async) sign(blobToSign)

Signs some bytes.

Reference Documentation

Parameters:
Name Type Description
blobToSign

String to sign.

Returns:
Type Description

A SignBlobResponse denoting the keyID and the signedBlob as a base64 string