Class v1.IAMCredentialsClient (2.0.4)

A service account is a special type of Google account that belongs to your application or a virtual machine (VM), instead of to an individual end user. Your application assumes the identity of the service account to call Google APIs, so that the users aren't directly involved.

Service account credentials are used to temporarily assume the identity of the service account. Supported credential types include OAuth 2.0 access tokens, OpenID Connect ID tokens, self-signed JSON Web Tokens (JWTs), and more. v1

Package

@google-cloud/iam-credentials

Constructors

(constructor)(opts, gaxInstance)

constructor(opts?: ClientOptions, gaxInstance?: typeof gax | typeof gax.fallback);

Construct an instance of IAMCredentialsClient.

Parameters
Name	Description
`opts`	`ClientOptions`
`gaxInstance`	`typeof gax \| typeof gax.fallback` : loaded instance of `google-gax`. Useful if you need to avoid loading the default gRPC version and want to use the fallback HTTP implementation. Load only fallback version and pass it to the constructor: ``` const gax = require('google-gax/build/src/fallback'); // avoids loading google-gax with gRPC const client = new IAMCredentialsClient({fallback: 'rest'}, gax); ```

Properties

apiEndpoint

static get apiEndpoint(): string;

The DNS address for this API service - same as servicePath(), exists for compatibility reasons.

auth

auth: gax.GoogleAuth;

descriptors

descriptors: Descriptors;

iAMCredentialsStub

iAMCredentialsStub?: Promise<{
        [name: string]: Function;
    }>;

innerApiCalls

innerApiCalls: {
        [name: string]: Function;
    };

port

static get port(): number;

The port for this API service.

scopes

static get scopes(): string[];

The scopes needed to make gRPC calls for every method defined in this service.

servicePath

static get servicePath(): string;

The DNS address for this API service.

warn

warn: (code: string, message: string, warnType?: string) => void;

Methods

close()

close(): Promise<void>;

Terminate the gRPC channel and close the client.

The client will no longer be usable and all future behavior is undefined.

Returns
Type	Description
`Promise<void>`	{Promise} A promise that resolves when the client is closed.

generateAccessToken(request, options)

generateAccessToken(request?: protos.google.iam.credentials.v1.IGenerateAccessTokenRequest, options?: CallOptions): Promise<[
        protos.google.iam.credentials.v1.IGenerateAccessTokenResponse,
        protos.google.iam.credentials.v1.IGenerateAccessTokenRequest | undefined,
        {} | undefined
    ]>;

Generates an OAuth 2.0 access token for a service account.

Parameters
Name	Description
`request`	`protos.google.iam.credentials.v1.IGenerateAccessTokenRequest` The request object that will be sent.
`options`	`CallOptions` Call options. See CallOptions for more details.

Returns
Type	Description
`Promise<[ protos.google.iam.credentials.v1.IGenerateAccessTokenResponse, protos.google.iam.credentials.v1.IGenerateAccessTokenRequest \| undefined, {} \| undefined ]>`	{Promise} - The promise which resolves to an array. The first element of the array is an object representing . Please see the [documentation](https://github.com/googleapis/gax-nodejs/blob/master/client-libraries.md#regular-methods) for more details and examples.

Example


  /**
   * This snippet has been automatically generated and should be regarded as a code template only.
   * It will require modifications to work.
   * It may require correct/in-range values for request initialization.
   * TODO(developer): Uncomment these variables before running the sample.
   */
  /**
   *  Required. The resource name of the service account for which the credentials
   *  are requested, in the following format:
   *  `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
   *  character is required; replacing it with a project ID is invalid.
   */
  // const name = 'abc123'
  /**
   *  The sequence of service accounts in a delegation chain. Each service
   *  account must be granted the `roles/iam.serviceAccountTokenCreator` role
   *  on its next service account in the chain. The last service account in the
   *  chain must be granted the `roles/iam.serviceAccountTokenCreator` role
   *  on the service account that is specified in the `name` field of the
   *  request.
   *  The delegates must have the following format:
   *  `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
   *  character is required; replacing it with a project ID is invalid.
   */
  // const delegates = 'abc123'
  /**
   *  Required. Code to identify the scopes to be included in the OAuth 2.0 access token.
   *  See https://developers.google.com/identity/protocols/googlescopes for more
   *  information.
   *  At least one value required.
   */
  // const scope = 'abc123'
  /**
   *  The desired lifetime duration of the access token in seconds.
   *  Must be set to a value less than or equal to 3600 (1 hour). If a value is
   *  not specified, the token's lifetime will be set to a default value of one
   *  hour.
   */
  // const lifetime = {}

  // Imports the Credentials library
  const {IAMCredentialsClient} = require('@google-cloud/iam-credentials').v1;

  // Instantiates a client
  const credentialsClient = new IAMCredentialsClient();

  async function callGenerateAccessToken() {
    // Construct request
    const request = {
      name,
      scope,
    };

    // Run request
    const response = await credentialsClient.generateAccessToken(request);
    console.log(response);
  }

  callGenerateAccessToken();

generateAccessToken(request, options, callback)

generateAccessToken(request: protos.google.iam.credentials.v1.IGenerateAccessTokenRequest, options: CallOptions, callback: Callback<protos.google.iam.credentials.v1.IGenerateAccessTokenResponse, protos.google.iam.credentials.v1.IGenerateAccessTokenRequest | null | undefined, {} | null | undefined>): void;

Parameters
Name	Description
`request`	`protos.google.iam.credentials.v1.IGenerateAccessTokenRequest`
`options`	`CallOptions`
`callback`	`Callback<protos.google.iam.credentials.v1.IGenerateAccessTokenResponse, protos.google.iam.credentials.v1.IGenerateAccessTokenRequest \| null \| undefined, {} \| null \| undefined>`

Returns
Type	Description
`void`

generateAccessToken(request, callback)

generateAccessToken(request: protos.google.iam.credentials.v1.IGenerateAccessTokenRequest, callback: Callback<protos.google.iam.credentials.v1.IGenerateAccessTokenResponse, protos.google.iam.credentials.v1.IGenerateAccessTokenRequest | null | undefined, {} | null | undefined>): void;

Parameters
Name	Description
`request`	`protos.google.iam.credentials.v1.IGenerateAccessTokenRequest`
`callback`	`Callback<protos.google.iam.credentials.v1.IGenerateAccessTokenResponse, protos.google.iam.credentials.v1.IGenerateAccessTokenRequest \| null \| undefined, {} \| null \| undefined>`

Returns
Type	Description
`void`

generateIdToken(request, options)

generateIdToken(request?: protos.google.iam.credentials.v1.IGenerateIdTokenRequest, options?: CallOptions): Promise<[
        protos.google.iam.credentials.v1.IGenerateIdTokenResponse,
        protos.google.iam.credentials.v1.IGenerateIdTokenRequest | undefined,
        {} | undefined
    ]>;

Generates an OpenID Connect ID token for a service account.

Parameters
Name	Description
`request`	`protos.google.iam.credentials.v1.IGenerateIdTokenRequest` The request object that will be sent.
`options`	`CallOptions` Call options. See CallOptions for more details.

Returns
Type	Description
`Promise<[ protos.google.iam.credentials.v1.IGenerateIdTokenResponse, protos.google.iam.credentials.v1.IGenerateIdTokenRequest \| undefined, {} \| undefined ]>`	{Promise} - The promise which resolves to an array. The first element of the array is an object representing . Please see the [documentation](https://github.com/googleapis/gax-nodejs/blob/master/client-libraries.md#regular-methods) for more details and examples.

Example


  /**
   * This snippet has been automatically generated and should be regarded as a code template only.
   * It will require modifications to work.
   * It may require correct/in-range values for request initialization.
   * TODO(developer): Uncomment these variables before running the sample.
   */
  /**
   *  Required. The resource name of the service account for which the credentials
   *  are requested, in the following format:
   *  `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
   *  character is required; replacing it with a project ID is invalid.
   */
  // const name = 'abc123'
  /**
   *  The sequence of service accounts in a delegation chain. Each service
   *  account must be granted the `roles/iam.serviceAccountTokenCreator` role
   *  on its next service account in the chain. The last service account in the
   *  chain must be granted the `roles/iam.serviceAccountTokenCreator` role
   *  on the service account that is specified in the `name` field of the
   *  request.
   *  The delegates must have the following format:
   *  `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
   *  character is required; replacing it with a project ID is invalid.
   */
  // const delegates = 'abc123'
  /**
   *  Required. The audience for the token, such as the API or account that this token
   *  grants access to.
   */
  // const audience = 'abc123'
  /**
   *  Include the service account email in the token. If set to `true`, the
   *  token will contain `email` and `email_verified` claims.
   */
  // const includeEmail = true

  // Imports the Credentials library
  const {IAMCredentialsClient} = require('@google-cloud/iam-credentials').v1;

  // Instantiates a client
  const credentialsClient = new IAMCredentialsClient();

  async function callGenerateIdToken() {
    // Construct request
    const request = {
      name,
      audience,
    };

    // Run request
    const response = await credentialsClient.generateIdToken(request);
    console.log(response);
  }

  callGenerateIdToken();

generateIdToken(request, options, callback)

generateIdToken(request: protos.google.iam.credentials.v1.IGenerateIdTokenRequest, options: CallOptions, callback: Callback<protos.google.iam.credentials.v1.IGenerateIdTokenResponse, protos.google.iam.credentials.v1.IGenerateIdTokenRequest | null | undefined, {} | null | undefined>): void;

Parameters
Name	Description
`request`	`protos.google.iam.credentials.v1.IGenerateIdTokenRequest`
`options`	`CallOptions`
`callback`	`Callback<protos.google.iam.credentials.v1.IGenerateIdTokenResponse, protos.google.iam.credentials.v1.IGenerateIdTokenRequest \| null \| undefined, {} \| null \| undefined>`

Returns
Type	Description
`void`

generateIdToken(request, callback)

generateIdToken(request: protos.google.iam.credentials.v1.IGenerateIdTokenRequest, callback: Callback<protos.google.iam.credentials.v1.IGenerateIdTokenResponse, protos.google.iam.credentials.v1.IGenerateIdTokenRequest | null | undefined, {} | null | undefined>): void;

Parameters
Name	Description
`request`	`protos.google.iam.credentials.v1.IGenerateIdTokenRequest`
`callback`	`Callback<protos.google.iam.credentials.v1.IGenerateIdTokenResponse, protos.google.iam.credentials.v1.IGenerateIdTokenRequest \| null \| undefined, {} \| null \| undefined>`

Returns
Type	Description
`void`

getProjectId()

getProjectId(): Promise<string>;

Returns
Type	Description
`Promise<string>`

getProjectId(callback)

getProjectId(callback: Callback<string, undefined, undefined>): void;

Parameter
Name	Description
`callback`	`Callback<string, undefined, undefined>`

Returns
Type	Description
`void`

initialize()

initialize(): Promise<{
        [name: string]: Function;
    }>;

Initialize the client. Performs asynchronous operations (such as authentication) and prepares the client. This function will be called automatically when any class method is called for the first time, but if you need to initialize it before calling an actual method, feel free to call initialize() directly.

You can await on this method if you want to make sure the client is initialized.

Returns
Type	Description
`Promise<{ [name: string]: Function; }>`	{Promise} A promise that resolves to an authenticated service stub.

signBlob(request, options)

signBlob(request?: protos.google.iam.credentials.v1.ISignBlobRequest, options?: CallOptions): Promise<[
        protos.google.iam.credentials.v1.ISignBlobResponse,
        protos.google.iam.credentials.v1.ISignBlobRequest | undefined,
        {} | undefined
    ]>;

Signs a blob using a service account's system-managed private key.

Parameters
Name	Description
`request`	`protos.google.iam.credentials.v1.ISignBlobRequest` The request object that will be sent.
`options`	`CallOptions` Call options. See CallOptions for more details.

Returns
Type	Description
`Promise<[ protos.google.iam.credentials.v1.ISignBlobResponse, protos.google.iam.credentials.v1.ISignBlobRequest \| undefined, {} \| undefined ]>`	{Promise} - The promise which resolves to an array. The first element of the array is an object representing . Please see the [documentation](https://github.com/googleapis/gax-nodejs/blob/master/client-libraries.md#regular-methods) for more details and examples.

Example


  /**
   * This snippet has been automatically generated and should be regarded as a code template only.
   * It will require modifications to work.
   * It may require correct/in-range values for request initialization.
   * TODO(developer): Uncomment these variables before running the sample.
   */
  /**
   *  Required. The resource name of the service account for which the credentials
   *  are requested, in the following format:
   *  `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
   *  character is required; replacing it with a project ID is invalid.
   */
  // const name = 'abc123'
  /**
   *  The sequence of service accounts in a delegation chain. Each service
   *  account must be granted the `roles/iam.serviceAccountTokenCreator` role
   *  on its next service account in the chain. The last service account in the
   *  chain must be granted the `roles/iam.serviceAccountTokenCreator` role
   *  on the service account that is specified in the `name` field of the
   *  request.
   *  The delegates must have the following format:
   *  `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
   *  character is required; replacing it with a project ID is invalid.
   */
  // const delegates = 'abc123'
  /**
   *  Required. The bytes to sign.
   */
  // const payload = 'Buffer.from('string')'

  // Imports the Credentials library
  const {IAMCredentialsClient} = require('@google-cloud/iam-credentials').v1;

  // Instantiates a client
  const credentialsClient = new IAMCredentialsClient();

  async function callSignBlob() {
    // Construct request
    const request = {
      name,
      payload,
    };

    // Run request
    const response = await credentialsClient.signBlob(request);
    console.log(response);
  }

  callSignBlob();

signBlob(request, options, callback)

signBlob(request: protos.google.iam.credentials.v1.ISignBlobRequest, options: CallOptions, callback: Callback<protos.google.iam.credentials.v1.ISignBlobResponse, protos.google.iam.credentials.v1.ISignBlobRequest | null | undefined, {} | null | undefined>): void;

Parameters
Name	Description
`request`	`protos.google.iam.credentials.v1.ISignBlobRequest`
`options`	`CallOptions`
`callback`	`Callback<protos.google.iam.credentials.v1.ISignBlobResponse, protos.google.iam.credentials.v1.ISignBlobRequest \| null \| undefined, {} \| null \| undefined>`

Returns
Type	Description
`void`

signBlob(request, callback)

signBlob(request: protos.google.iam.credentials.v1.ISignBlobRequest, callback: Callback<protos.google.iam.credentials.v1.ISignBlobResponse, protos.google.iam.credentials.v1.ISignBlobRequest | null | undefined, {} | null | undefined>): void;

Parameters
Name	Description
`request`	`protos.google.iam.credentials.v1.ISignBlobRequest`
`callback`	`Callback<protos.google.iam.credentials.v1.ISignBlobResponse, protos.google.iam.credentials.v1.ISignBlobRequest \| null \| undefined, {} \| null \| undefined>`

Returns
Type	Description
`void`

signJwt(request, options)

signJwt(request?: protos.google.iam.credentials.v1.ISignJwtRequest, options?: CallOptions): Promise<[
        protos.google.iam.credentials.v1.ISignJwtResponse,
        protos.google.iam.credentials.v1.ISignJwtRequest | undefined,
        {} | undefined
    ]>;

Signs a JWT using a service account's system-managed private key.

Parameters
Name	Description
`request`	`protos.google.iam.credentials.v1.ISignJwtRequest` The request object that will be sent.
`options`	`CallOptions` Call options. See CallOptions for more details.

Returns
Type	Description
`Promise<[ protos.google.iam.credentials.v1.ISignJwtResponse, protos.google.iam.credentials.v1.ISignJwtRequest \| undefined, {} \| undefined ]>`	{Promise} - The promise which resolves to an array. The first element of the array is an object representing . Please see the [documentation](https://github.com/googleapis/gax-nodejs/blob/master/client-libraries.md#regular-methods) for more details and examples.

Example


  /**
   * This snippet has been automatically generated and should be regarded as a code template only.
   * It will require modifications to work.
   * It may require correct/in-range values for request initialization.
   * TODO(developer): Uncomment these variables before running the sample.
   */
  /**
   *  Required. The resource name of the service account for which the credentials
   *  are requested, in the following format:
   *  `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
   *  character is required; replacing it with a project ID is invalid.
   */
  // const name = 'abc123'
  /**
   *  The sequence of service accounts in a delegation chain. Each service
   *  account must be granted the `roles/iam.serviceAccountTokenCreator` role
   *  on its next service account in the chain. The last service account in the
   *  chain must be granted the `roles/iam.serviceAccountTokenCreator` role
   *  on the service account that is specified in the `name` field of the
   *  request.
   *  The delegates must have the following format:
   *  `projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}`. The `-` wildcard
   *  character is required; replacing it with a project ID is invalid.
   */
  // const delegates = 'abc123'
  /**
   *  Required. The JWT payload to sign: a JSON object that contains a JWT Claims Set.
   */
  // const payload = 'abc123'

  // Imports the Credentials library
  const {IAMCredentialsClient} = require('@google-cloud/iam-credentials').v1;

  // Instantiates a client
  const credentialsClient = new IAMCredentialsClient();

  async function callSignJwt() {
    // Construct request
    const request = {
      name,
      payload,
    };

    // Run request
    const response = await credentialsClient.signJwt(request);
    console.log(response);
  }

  callSignJwt();

signJwt(request, options, callback)

signJwt(request: protos.google.iam.credentials.v1.ISignJwtRequest, options: CallOptions, callback: Callback<protos.google.iam.credentials.v1.ISignJwtResponse, protos.google.iam.credentials.v1.ISignJwtRequest | null | undefined, {} | null | undefined>): void;

Parameters
Name	Description
`request`	`protos.google.iam.credentials.v1.ISignJwtRequest`
`options`	`CallOptions`
`callback`	`Callback<protos.google.iam.credentials.v1.ISignJwtResponse, protos.google.iam.credentials.v1.ISignJwtRequest \| null \| undefined, {} \| null \| undefined>`

Returns
Type	Description
`void`

signJwt(request, callback)

signJwt(request: protos.google.iam.credentials.v1.ISignJwtRequest, callback: Callback<protos.google.iam.credentials.v1.ISignJwtResponse, protos.google.iam.credentials.v1.ISignJwtRequest | null | undefined, {} | null | undefined>): void;

Parameters
Name	Description
`request`	`protos.google.iam.credentials.v1.ISignJwtRequest`
`callback`	`Callback<protos.google.iam.credentials.v1.ISignJwtResponse, protos.google.iam.credentials.v1.ISignJwtRequest \| null \| undefined, {} \| null \| undefined>`

Returns
Type	Description
`void`