GoogleCloudPlatform · FrodoTheTrue · Sep 16, 2022 · Sep 16, 2022 · Sep 16, 2022 · Sep 26, 2022
@@ -0,0 +1,73 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+/**
+ * Lists storage buckets by authenticating with ADC.
+ */
+function main() {
+ // [START auth_cloud_explicit_adc]
+ /**
+ * TODO(developer):
+ * 1. Set up ADC as described in https://cloud.google.com/docs/authentication/external/set-up-adc
+ * 2. Make sure you have the necessary permission to list storage buckets "storage.buckets.list"
+ */
+
+ const {GoogleAuth} = require('google-auth-library');
+ const {Storage} = require('@google-cloud/storage');
+
+ async function authenticateExplicit() {
+ const googleAuth = new GoogleAuth({
+ scopes: 'https://www.googleapis.com/auth/cloud-platform',
+ });
+
+ // Construct the Google credentials object which obtains the default configuration from your
+ // working environment.
+ // googleAuth.getApplicationDefault() will give you ComputeEngineCredentials
+ // if you are on a GCE (or other metadata server supported environments).
+ const {credential, projectId} = await googleAuth.getApplicationDefault();
+ // If you are authenticating to a Cloud API, you can let the library include the default scope,
+ // https://www.googleapis.com/auth/cloud-platform, because IAM is used to provide fine-grained
+ // permissions for Cloud.
+ // If you need to provide a scope, specify it as follows:
+ // const googleAuth = new GoogleAuth({ scopes: scope });
+ // For more information on scopes to use,
+ // see: https://developers.google.com/identity/protocols/oauth2/scopes
+
+ const storageOptions = {
+ projectId,
+ authClient: credential,
+ };
+
+ // Construct the Storage client.
+ const storage = new Storage(storageOptions);
+ const [buckets] = await storage.getBuckets();
+ console.log('Buckets:');
+
+ for (const bucket of buckets) {
+ console.log(`- ${bucket.name}`);
+ }
+
+ console.log('Listed all storage buckets.');
+ }
+
+ authenticateExplicit();
+ // [END auth_cloud_explicit_adc]
+}
+
+process.on('unhandledRejection', err => {
+ console.error(err.message);
+ process.exitCode = 1;
+});
+
+main(...process.argv.slice(2));
@@ -0,0 +1,60 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+/**
+ * Shows credentials auto-detections in the intercation with GCP libraries
+ *
+ * @param {string} projectId - Project ID or project number of the Cloud project you want to use.
+ */
+function main(projectId) {
+ // [START auth_cloud_implicit_adc]
+ /**
+ * TODO(developer):
+ * 1. Uncomment and replace these variables before running the sample.
+ * 2. Set up ADC as described in https://cloud.google.com/docs/authentication/external/set-up-adc
+ * 3. Make sure you have the necessary permission to list storage buckets "storage.buckets.list"
+ * (https://cloud.google.com/storage/docs/access-control/iam-permissions#bucket_permissions)
+ */
+ // const projectId = 'YOUR_PROJECT_ID';
+
+ const {Storage} = require('@google-cloud/storage');
+
+ async function authenticateImplicitWithAdc() {
+ // This snippet demonstrates how to list buckets.
+ // NOTE: Replace the client created below with the client required for your application.
+ // Note that the credentials are not specified when constructing the client.
+ // The client library finds your credentials using ADC.
+ const storage = new Storage({
+ projectId,
+ });
+ const [buckets] = await storage.getBuckets();
+ console.log('Buckets:');
+
+ for (const bucket of buckets) {
+ console.log(`- ${bucket.name}`);
+ }
+
+ console.log('Listed all storage buckets.');
+ }
+
+ authenticateImplicitWithAdc();
+ // [END auth_cloud_implicit_adc]
+}
+
+process.on('unhandledRejection', err => {
+ console.error(err.message);
+ process.exitCode = 1;
+});
+
+main(...process.argv.slice(2));
@@ -0,0 +1,80 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+/**
+ * Uses a service account (SA1) to impersonate as another service account (SA2) and obtain id token for the impersonated account.
+ * To obtain token for SA2, SA1 should have the "roles/iam.serviceAccountTokenCreator" permission on SA2.
+ *
+ * @param {string} scope - The scope that you might need to request to access Google APIs,
+ * depending on the level of access you need. For this example, we use the cloud-wide scope
+ * and use IAM to narrow the permissions: https://cloud.google.com/docs/authentication#authorization_for_services.
+ * For more information, see: https://developers.google.com/identity/protocols/oauth2/scopes.
+ * @param {string} targetAudience - The service name for which the id token is requested. Service name refers to the
+ * logical identifier of an API service, such as "http://www.example.com".
+ * @param {string} impersonatedServiceAccount - The name of the privilege-bearing service account for whom
+ * the credential is created.
+ */
+function main(scope, targetAudience, impersonatedServiceAccount) {
+ // [START auth_cloud_idtoken_impersonated_credentials]
+ /**
+ * TODO(developer):
+ * 1. Uncomment and replace these variables before running the sample.
+ */
+ // const scope = 'https://www.googleapis.com/auth/cloud-platform';
+ // const targetAudience = 'http://www.example.com';
+ // const impersonatedServiceAccount = 'name@project.service.gserviceaccount.com';
+
+ const {GoogleAuth, Impersonated} = require('google-auth-library');
+
+ async function getIdTokenFromImpersonatedCredentials() {
+ const googleAuth = new GoogleAuth();
+
+ // Construct the GoogleCredentials object which obtains the default configuration from your
+ // working environment.
+ const {credential} = await googleAuth.getApplicationDefault();
+
+ // delegates: The chained list of delegates required to grant the final accessToken.
+ // For more information, see:
+ // https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#sa-credentials-permissions
+ // Delegate is NOT USED here.
+ const delegates = [];
+
+ // Create the impersonated credential.
+ const impersonatedCredentials = new Impersonated({
+ sourceClient: credential,
+ delegates,
+ targetPrincipal: impersonatedServiceAccount,
+ targetScopes: [scope],
+ lifetime: 300,
+ });
+
+ // Get the ID token.
+ // Once you've obtained the ID token, you can use it to make an authenticated call
+ // to the target audience.
+ await impersonatedCredentials.fetchIdToken(targetAudience, {
+ includeEmail: true,
+ });
+ console.log('Generated ID token.');
+ }
+
+ getIdTokenFromImpersonatedCredentials();
+ // [END auth_cloud_idtoken_impersonated_credentials]
+}
+
+process.on('unhandledRejection', err => {
+ console.error(err.message);
+ process.exitCode = 1;
+});
+
+main(...process.argv.slice(2));
@@ -0,0 +1,51 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+/**
+ * Uses the Google Cloud metadata server environment to create an identity token
+ * and add it to the HTTP request as part of an Authorization header.
+ *
+ * @param {string} url - The url or target audience to obtain the ID token for.
+ */
+function main(url) {
+ // [START auth_cloud_idtoken_metadata_server]
+ /**
+ * TODO(developer):
+ * 1. Uncomment and replace these variables before running the sample.
+ */
+ // const url = 'http://www.example.com';
+
+ const {GoogleAuth} = require('google-auth-library');
+
+ async function getIdTokenFromMetadataServer() {
+ const googleAuth = new GoogleAuth();
+ const client = await googleAuth.getClient();
+
+ // Get the ID token.
+ // Once you've obtained the ID token, you can use it to make an authenticated call
+ // to the target audience.
+ await client.fetchIdToken(url);
+ console.log('Generated ID token.');
+ }
+
+ getIdTokenFromMetadataServer();
+ // [END auth_cloud_idtoken_metadata_server]
+}
+
+process.on('unhandledRejection', err => {
+ console.error(err.message);
+ process.exitCode = 1;
+});
+
+main(...process.argv.slice(2));
@@ -0,0 +1,60 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+/**
+ * Obtains the id token by providing the target audience using service account credentials.
+ *
+ * @param {string} jsonCredentialsPath - Path to the service account json credential file.
+ * and use IAM to narrow the permissions: https://cloud.google.com/docs/authentication#authorization_for_services
+ * @param {string} targetAudience - The url or target audience to obtain the ID token for.
+ */
+function main(targetAudience, jsonCredentialsPath) {
+ // [START auth_cloud_idtoken_service_account]
+ /**
+ * TODO(developer):
+ * 1. Uncomment and replace these variables before running the sample.
+ */
+ // const jsonCredentialsPath = '/path/example';
+ // const targetAudience = 'http://www.example.com';
+
+ // Using service account keys introduces risk; they are long-lived, and can be used by anyone
+ // that obtains the key. Proper rotation and storage reduce this risk but do not eliminate it.
+ // For these reasons, you should consider an alternative approach that
+ // does not use a service account key. Several alternatives to service account keys
+ // are described here:
+ // https://cloud.google.com/docs/authentication/external/set-up-adc
+
+ const {auth} = require('google-auth-library');
+ const jsonConfig = require(jsonCredentialsPath);
+
+ async function getIdTokenFromServiceAccount() {
+ const client = auth.fromJSON(jsonConfig);
+
+ // Get the ID token.
+ // Once you've obtained the ID token, use it to make an authenticated call
+ // to the target audience.
+ await client.fetchIdToken(targetAudience);
+ console.log('Generated ID token.');
+ }
+
+ getIdTokenFromServiceAccount();
+ // [END auth_cloud_idtoken_service_account]
+}
+
+process.on('unhandledRejection', err => {
+ console.error(err.message);
+ process.exitCode = 1;
+});
+
+main(...process.argv.slice(2));
@@ -19,7 +19,7 @@
  },
  "dependencies": {
  "@google-cloud/storage": "^6.0.0",
- "google-auth-library": "^7.9.1",
+ "google-auth-library": "^8.4.0",
  "yargs": "^17.0.0"
  },
  "devDependencies": {