A service account is a special type of Google account that belongs to your
application or a virtual machine (VM), instead of to an individual end user.
Your application assumes the identity of the service account to call Google
APIs, so that the users aren't directly involved.
Service account credentials are used to temporarily assume the identity
of the service account. Supported credential types include OAuth 2.0 access
tokens, OpenID Connect ID tokens, self-signed JSON Web Tokens (JWTs), and
more.
Constructor

new IAMCredentialsClient([options])

Construct an instance of IAMCredentialsClient.

Parameters:

options (object, optional): The configuration object. The options accepted by the constructor are described in detail in this document. The common options are:

  credentials (object, optional): Credentials object, with the properties:
    client_email (string, optional)
    private_key (string, optional)
  email (string, optional): Account email address. Required when using a .pem or .p12 keyFilename.
  keyFilename (string, optional): Full path to a .json, .pem, or .p12 key downloaded from the Google Developers Console. If you provide a path to a JSON file, the projectId option below is not necessary. NOTE: .pem and .p12 require you to specify options.email as well.
  port (number, optional): The port on which to connect to the remote host.
  projectId (string, optional): The project ID from the Google Developer's Console, e.g. 'grape-spaceship-123'. We will also check the environment variable GCLOUD_PROJECT for your project ID. If your app is running in an environment which supports Application Default Credentials, your project ID will be detected automatically.
  apiEndpoint (string, optional): The domain name of the API remote host.
  clientConfig (gax.ClientConfig, optional): Client configuration override. Follows the structure of gapicConfig.
  fallback (boolean, optional): Use HTTP fallback mode. In fallback mode, a special browser-compatible transport implementation is used instead of gRPC transport. In browser context (if the window object is defined) the fallback mode is enabled automatically; set options.fallback to false if you need to override this behavior.
Members

apiEndpoint: The DNS address for this API service; same as servicePath(), exists for compatibility reasons.
port: The port for this API service.
scopes: The scopes needed to make gRPC calls for every method defined in this service.
servicePath: The DNS address for this API service.
Methods

close() → {Promise}

Terminate the gRPC channel and close the client. The client will no longer be usable and all future behavior is undefined.

Returns:
  Promise: A promise that resolves when the client is closed.
generateAccessToken(request, [options]) → {Promise}

Generates an OAuth 2.0 access token for a service account.

Parameters:

request (Object): The request object that will be sent, with the properties:
  name (string): Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
  delegates (Array.<string>): The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request. The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
  scope (Array.<string>): Required. Code to identify the scopes to be included in the OAuth 2.0 access token. See https://developers.google.com/identity/protocols/googlescopes for more information. At least one value is required.
  lifetime (google.protobuf.Duration): The desired lifetime duration of the access token in seconds. Must be set to a value less than or equal to 3600 (1 hour). If a value is not specified, the token's lifetime will be set to a default value of one hour.

Returns:
  Promise: The promise which resolves to an array. The first element of the array is an object representing GenerateAccessTokenResponse. Please see the documentation for more details and examples.
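The following is an added example, not code from the library or its documentation: it builds a generateAccessToken request that satisfies the constraints listed above (the projects/- wildcard, at least one scope, a lifetime of at most 3600 seconds) before handing it to the client. It assumes the caller supplies the target and delegate account emails, that each hop in the chain already holds roles/iam.serviceAccountTokenCreator, and that Application Default Credentials identify the caller.

```javascript
// Added example, not part of the library: validate a generateAccessToken
// request against the documented constraints before sending it.
const SA_RESOURCE = /^projects\/-\/serviceAccounts\/[^/]+$/;
const MAX_LIFETIME_SECONDS = 3600; // documented cap: one hour

// Accept an email, a unique ID, or a full resource name; the project
// segment of a resource name must be the '-' wildcard.
function saResource(account) {
  if (account.startsWith('projects/')) {
    if (!SA_RESOURCE.test(account)) {
      throw new Error(`a project ID is invalid here, use 'projects/-/serviceAccounts/...': ${account}`);
    }
    return account;
  }
  return `projects/-/serviceAccounts/${account}`;
}

function buildAccessTokenRequest({target, delegates = [], scope, lifetimeSeconds}) {
  if (!Array.isArray(scope) || scope.length === 0) {
    throw new Error('scope must list at least one OAuth 2.0 scope');
  }
  const request = {name: saResource(target), delegates: delegates.map(saResource), scope};
  if (lifetimeSeconds !== undefined) {
    if (!Number.isInteger(lifetimeSeconds) || lifetimeSeconds <= 0 || lifetimeSeconds > MAX_LIFETIME_SECONDS) {
      throw new Error(`lifetime must be 1..${MAX_LIFETIME_SECONDS} seconds, got ${lifetimeSeconds}`);
    }
    request.lifetime = {seconds: lifetimeSeconds}; // google.protobuf.Duration shape
  }
  return request; // omitting lifetime yields the default one-hour token
}

// Network call, not exercised offline. Needs @google-cloud/iam-credentials
// installed and Application Default Credentials for the calling identity.
async function mintAccessToken(params) {
  const {IAMCredentialsClient} = require('@google-cloud/iam-credentials');
  const client = new IAMCredentialsClient();
  const [response] = await client.generateAccessToken(buildAccessTokenRequest(params));
  return response; // GenerateAccessTokenResponse: accessToken and expireTime
}

module.exports = {saResource, buildAccessTokenRequest, mintAccessToken};
```

Keeping lifetimeSeconds short (a few minutes) limits how long a leaked token remains usable; the request is rejected locally before any credential is issued if the chain or lifetime is malformed.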
generateIdToken(request, [options]) → {Promise}

Generates an OpenID Connect ID token for a service account.

Parameters:

request (Object): The request object that will be sent, with the properties:
  name (string): Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
  delegates (Array.<string>): The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request. The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
  audience (string): Required. The audience for the token, such as the API or account that this token grants access to.
  includeEmail (boolean): Include the service account email in the token. If set to true, the token will contain email and email_verified claims.

Returns:
  Promise: The promise which resolves to an array. The first element of the array is an object representing GenerateIdTokenResponse. Please see the documentation for more details and examples.

getProjectId() → {Promise}

Returns:
  Promise: A promise that resolves to a string containing the project ID.
initialize() → {Promise}

Initialize the client. Performs asynchronous operations (such as authentication) and prepares the client. This function will be called automatically when any class method is called for the first time, but if you need to initialize it before calling an actual method, feel free to call initialize() directly. You can await on this method if you want to make sure the client is initialized.

Returns:
  Promise: A promise that resolves to an authenticated service stub.
signBlob(request, [options]) → {Promise}

Signs a blob using a service account's system-managed private key.

Parameters:

request (Object): The request object that will be sent, with the properties:
  name (string): Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
  delegates (Array.<string>): The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request. The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.

Returns:
  Promise: The promise which resolves to an array. The first element of the array is an object representing SignBlobResponse. Please see the documentation for more details and examples.
signJwt(request, [options]) → {Promise}

Signs a JWT using a service account's system-managed private key.

Parameters:

request (Object): The request object that will be sent, with the properties:
  name (string): Required. The resource name of the service account for which the credentials are requested, in the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
  delegates (Array.<string>): The sequence of service accounts in a delegation chain. Each service account must be granted the roles/iam.serviceAccountTokenCreator role on its next service account in the chain. The last service account in the chain must be granted the roles/iam.serviceAccountTokenCreator role on the service account that is specified in the name field of the request. The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
  payload (string): Required. The JWT payload to sign: a JSON object that contains a JWT Claims Set.

Returns:
  Promise: The promise which resolves to an array. The first element of the array is an object representing SignJwtResponse. Please see the documentation for more details and examples.
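An added example, not code from the library or its documentation: it assembles the JSON claims set that signJwt's payload field takes (with an audience and a bounded exp, so the signed token is tied to one recipient for a limited time) and, once the signed JWT comes back, decodes it to confirm the API signed exactly the claims that were submitted. Claim names follow RFC 7519; the service account email and audience are assumed to be supplied by the caller, and the signature itself is not verified here.

```javascript
// Added example, not part of the library: build a signJwt payload and
// check the returned compact JWT against what was requested.
function buildJwtPayload({issuerEmail, audience, ttlSeconds, now = Math.floor(Date.now() / 1000)}) {
  if (!issuerEmail) throw new Error('issuerEmail (the service account email) is required');
  if (!audience) throw new Error('aud is required so the token is bound to one recipient');
  if (!Number.isInteger(ttlSeconds) || ttlSeconds <= 0) throw new Error('ttlSeconds must be a positive integer');
  const claims = {iss: issuerEmail, sub: issuerEmail, aud: audience, iat: now, exp: now + ttlSeconds};
  return JSON.stringify(claims); // signJwt takes the claims set as a JSON string
}

// Node's base64 decoder accepts the URL-safe alphabet and missing padding.
function decodeSegment(segment) {
  return JSON.parse(Buffer.from(segment, 'base64').toString('utf8'));
}

// Split header.payload.signature and compare the signed claims with the
// requested payload; a mismatch means the token is not the one we asked for.
function signedJwtMatchesRequest(signedJwt, payloadJson) {
  const parts = signedJwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected three segments)');
  const header = decodeSegment(parts[0]);
  const claims = decodeSegment(parts[1]);
  const wanted = JSON.parse(payloadJson);
  const sameKeys = Object.keys(claims).length === Object.keys(wanted).length;
  const sameClaims = sameKeys && Object.keys(wanted).every(k => claims[k] === wanted[k]);
  return {header, claims, sameClaims};
}

// Network call, not exercised offline. Needs @google-cloud/iam-credentials
// and a caller identity with roles/iam.serviceAccountTokenCreator on the target.
async function signClaims(targetEmail, payloadJson, delegates = []) {
  const {IAMCredentialsClient} = require('@google-cloud/iam-credentials');
  const client = new IAMCredentialsClient();
  const [response] = await client.signJwt({
    name: `projects/-/serviceAccounts/${targetEmail}`,
    delegates: delegates.map(d => `projects/-/serviceAccounts/${d}`),
    payload: payloadJson,
  });
  return response.signedJwt; // SignJwtResponse also carries the keyId used
}

module.exports = {buildJwtPayload, decodeSegment, signedJwtMatchesRequest, signClaims};
```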