
Base external account client. This is used to instantiate AuthClients for exchanging external account credentials for a GCP access token and authorizing requests to GCP APIs. The base class implements common logic for exchanging various types of external credentials for a GCP access token. The logic of determining and retrieving the external credential based on the environment and credential_source is left to the subclasses.


Constructors

  • Instantiate a BaseExternalAccountClient instance using the provided JSON object loaded from an external account credentials file.

    Parameters

    • options: BaseExternalAccountClientOptions | SnakeToCamelObject<BaseExternalAccountClientOptions>

      The external account options object typically loaded from the external account JSON credential file. The camelCased options are aliases for the snake_cased options.

    • Optional additionalOptions: AuthClientOptions

      DEPRECATED, all options are available in the options parameter. Optional additional behavior customization options. These currently customize expiration threshold time and whether to retry on 401/403 API request errors.

    Returns BaseExternalAccountClient
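
A pre-flight check for the options object described above, as an added example that is not part of google-auth-library: it vets the endpoint fields of an external account JSON config under both the snake_cased names and their camelCased aliases before the object is handed to a client constructor. The names validateExternalAccountConfig, opt, httpsHost and allowExecutable are hypothetical, the host allowlists assume the default universe domain with global endpoints, and the sample config is constructed.

```javascript
// Added example, not google-auth-library code. Assumes the default universe domain and
// the global STS / IAM Credentials endpoints; change the allowlists for other setups.
const TOKEN_HOSTS = new Set(['sts.googleapis.com']);
const IMPERSONATION_HOSTS = new Set(['iamcredentials.googleapis.com']);
// Read an option by snake_case name or camelCase alias; record a conflict if they differ.
function opt(cfg, snake, problems) {
  const camel = snake.replace(/_([a-z])/g, (_, c) => c.toUpperCase());
  const [a, b] = [cfg[snake], cfg[camel]];
  if (a !== undefined && b !== undefined && JSON.stringify(a) !== JSON.stringify(b)) {
    problems.push(`${snake} and ${camel} disagree`);
  }
  return a !== undefined ? a : b;
}

// Hostname of an https URL with no embedded userinfo, otherwise null.
function httpsHost(value) {
  let u;
  try { u = new URL(String(value)); } catch (e) { return null; }
  return u.protocol === 'https:' && !u.username && !u.password ? u.hostname : null;
}

function validateExternalAccountConfig(cfg, { allowExecutable = false } = {}) {
  const problems = [];
  if (cfg.type !== 'external_account') problems.push('type is not external_account');
  const audience = opt(cfg, 'audience', problems);
  if (typeof audience !== 'string' || !audience.startsWith('//iam.googleapis.com/')) {
    problems.push('audience is not an iam.googleapis.com pool provider');
  }
  if (!TOKEN_HOSTS.has(httpsHost(opt(cfg, 'token_url', problems)))) {
    problems.push('token_url host is not on the allowlist');
  }
  const imp = opt(cfg, 'service_account_impersonation_url', problems);
  if (imp !== undefined && !IMPERSONATION_HOSTS.has(httpsHost(imp))) {
    problems.push('service_account_impersonation_url host is not on the allowlist');
  }
  const source = opt(cfg, 'credential_source', problems) || {};
  if (source.executable !== undefined && !allowExecutable) {
    problems.push('credential_source.executable runs a local command without opt-in');
  }
  return problems;
}

// Constructed sample config: placeholder project number, pool, provider and file path.
const sampleConfig = {
  type: 'external_account', token_url: 'https://sts.googleapis.com/v1/token',
  audience: '//iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/example-pool/providers/example-provider',
  credential_source: { file: '/var/run/secrets/example/token' },
};
console.log(validateExternalAccountConfig(sampleConfig));
```

An empty array means the config passed every check; each string in a non-empty result names the field to inspect before the config is used.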

Properties

credentials: Credentials
eagerRefreshThresholdMillis: number
forceRefreshOnFailure: boolean
projectId?: null | string
projectNumber: null | string
quotaProjectId?: string

The quota project ID. The quota project can be used by client libraries for billing purposes. See Working with quotas

scopes?: string | string[]

OAuth scopes for the GCP access token to use. When not provided, the default https://www.googleapis.com/auth/cloud-platform is used.

transporter: Transporter
universeDomain: string

Methods

  • Returns Promise<GetAccessTokenResponse>

    A promise that resolves with the current GCP access token response. If the current credential is expired, a new one is retrieved.

  • getProjectId(): Promise<null | string>
  • Returns Promise<null | string>

    A promise that resolves with the project ID corresponding to the current workload identity pool or current workforce pool if determinable. For a workforce pool credential, it returns the project ID corresponding to the workforcePoolUserProject. This is introduced to match the current pattern of using the Auth library:

        const projectId = await auth.getProjectId();
        const url = `https://dns.googleapis.com/dns/v1/projects/${projectId}`;
        const res = await client.request({ url });

    The resource may not have permission (resourcemanager.projects.get) to call this API or the required scopes may not be selected: https://cloud.google.com/resource-manager/reference/rest/v1/projects/get#authorization-scopes

  • getRequestHeaders(): Promise<Headers>
  • The main authentication interface. It takes an optional url which when present is the endpoint being accessed, and returns a Promise which resolves with authorization header fields.

    The result has the form: { Authorization: 'Bearer <access_token_value>' }

    Returns Promise<Headers>

  • getServiceAccountEmail(): null | string
  • The service account email to be impersonated, if available.

    Returns null | string

  • Subscribes a listener to the tokens event triggered when a token is generated.

    Parameters

    Returns BaseExternalAccountClient

  • Provides a request implementation with OAuth 2.0 flow. In cases of HTTP 401 and 403 responses, it automatically asks for a new access token and replays the unsuccessful request.

    Type parameters

    • T

    Parameters

    Returns GaxiosPromise<T>

    A promise that resolves with the HTTP response when no callback is provided.

  • Type parameters

    • T

    Parameters

    Returns void

  • retrieveSubjectToken(): Promise<string>
  • Triggered when an external subject token needs to be exchanged for a GCP access token via the GCP STS endpoint. This abstract method needs to be implemented by subclasses depending on the type of external credential used.

    Returns Promise<string>

    A promise that resolves with the external subject token.

  • Provides a mechanism to inject GCP access tokens directly. When the provided credential expires, a new credential, using the external account options, is retrieved.

    Parameters

    • credentials: Credentials

      The Credentials object to set on the current client.

    Returns void