-
Notifications
You must be signed in to change notification settings - Fork 384
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
d8508cb
commit 137883a
Showing
9 changed files
with
583 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| // Copyright 2022 Google LLC | ||
| // | ||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||
| // you may not use this file except in compliance with the License. | ||
| // You may obtain a copy of the License at | ||
| // | ||
| // http://www.apache.org/licenses/LICENSE-2.0 | ||
| // | ||
| // Unless required by applicable law or agreed to in writing, software | ||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| /** | ||
| * Lists storage buckets by authenticating with ADC. | ||
| */ | ||
| function main() { | ||
| // [START auth_cloud_explicit_adc] | ||
| /** | ||
| * TODO(developer): | ||
| * 1. Set up ADC as described in https://cloud.google.com/docs/authentication/external/set-up-adc | ||
| * 2. Make sure you have the necessary permission to list storage buckets "storage.buckets.list" | ||
| */ | ||
|
|
||
| const {GoogleAuth} = require('google-auth-library'); | ||
| const {Storage} = require('@google-cloud/storage'); | ||
|
|
||
| async function authenticateExplicit() { | ||
| const googleAuth = new GoogleAuth({ | ||
| scopes: 'https://www.googleapis.com/auth/cloud-platform', | ||
| }); | ||
|
|
||
| // Construct the Google credentials object which obtains the default configuration from your | ||
| // working environment. | ||
| // googleAuth.getApplicationDefault() will give you ComputeEngineCredentials | ||
| // if you are on a GCE (or other metadata server supported environments). | ||
| const {credential, projectId} = await googleAuth.getApplicationDefault(); | ||
| // If you are authenticating to a Cloud API, you can let the library include the default scope, | ||
| // https://www.googleapis.com/auth/cloud-platform, because IAM is used to provide fine-grained | ||
| // permissions for Cloud. | ||
| // If you need to provide a scope, specify it as follows: | ||
| // const googleAuth = new GoogleAuth({ scopes: scope }); | ||
| // For more information on scopes to use, | ||
| // see: https://developers.google.com/identity/protocols/oauth2/scopes | ||
|
|
||
| const storageOptions = { | ||
| projectId, | ||
| authClient: credential, | ||
| }; | ||
|
|
||
| // Construct the Storage client. | ||
| const storage = new Storage(storageOptions); | ||
| const [buckets] = await storage.getBuckets(); | ||
| console.log('Buckets:'); | ||
|
|
||
| for (const bucket of buckets) { | ||
| console.log(`- ${bucket.name}`); | ||
| } | ||
|
|
||
| console.log('Listed all storage buckets.'); | ||
| } | ||
|
|
||
| authenticateExplicit(); | ||
| // [END auth_cloud_explicit_adc] | ||
| } | ||
|
|
||
| process.on('unhandledRejection', err => { | ||
| console.error(err.message); | ||
| process.exitCode = 1; | ||
| }); | ||
|
|
||
| main(...process.argv.slice(2)); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| // Copyright 2022 Google LLC | ||
| // | ||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||
| // you may not use this file except in compliance with the License. | ||
| // You may obtain a copy of the License at | ||
| // | ||
| // http://www.apache.org/licenses/LICENSE-2.0 | ||
| // | ||
| // Unless required by applicable law or agreed to in writing, software | ||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| /** | ||
| * Shows credentials auto-detections in the intercation with GCP libraries | ||
| * | ||
| * @param {string} projectId - Project ID or project number of the Cloud project you want to use. | ||
| */ | ||
| function main(projectId) { | ||
| // [START auth_cloud_implicit_adc] | ||
| /** | ||
| * TODO(developer): | ||
| * 1. Uncomment and replace these variables before running the sample. | ||
| * 2. Set up ADC as described in https://cloud.google.com/docs/authentication/external/set-up-adc | ||
| * 3. Make sure you have the necessary permission to list storage buckets "storage.buckets.list" | ||
| * (https://cloud.google.com/storage/docs/access-control/iam-permissions#bucket_permissions) | ||
| */ | ||
| // const projectId = 'YOUR_PROJECT_ID'; | ||
|
|
||
| const {Storage} = require('@google-cloud/storage'); | ||
|
|
||
| async function authenticateImplicitWithAdc() { | ||
| // This snippet demonstrates how to list buckets. | ||
| // NOTE: Replace the client created below with the client required for your application. | ||
| // Note that the credentials are not specified when constructing the client. | ||
| // The client library finds your credentials using ADC. | ||
| const storage = new Storage({ | ||
| projectId, | ||
| }); | ||
| const [buckets] = await storage.getBuckets(); | ||
| console.log('Buckets:'); | ||
|
|
||
| for (const bucket of buckets) { | ||
| console.log(`- ${bucket.name}`); | ||
| } | ||
|
|
||
| console.log('Listed all storage buckets.'); | ||
| } | ||
|
|
||
| authenticateImplicitWithAdc(); | ||
| // [END auth_cloud_implicit_adc] | ||
| } | ||
|
|
||
| process.on('unhandledRejection', err => { | ||
| console.error(err.message); | ||
| process.exitCode = 1; | ||
| }); | ||
|
|
||
| main(...process.argv.slice(2)); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| // Copyright 2022 Google LLC | ||
| // | ||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||
| // you may not use this file except in compliance with the License. | ||
| // You may obtain a copy of the License at | ||
| // | ||
| // http://www.apache.org/licenses/LICENSE-2.0 | ||
| // | ||
| // Unless required by applicable law or agreed to in writing, software | ||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| /** | ||
| * Uses a service account (SA1) to impersonate as another service account (SA2) and obtain id token for the impersonated account. | ||
| * To obtain token for SA2, SA1 should have the "roles/iam.serviceAccountTokenCreator" permission on SA2. | ||
| * | ||
| * @param {string} scope - The scope that you might need to request to access Google APIs, | ||
| * depending on the level of access you need. For this example, we use the cloud-wide scope | ||
| * and use IAM to narrow the permissions: https://cloud.google.com/docs/authentication#authorization_for_services. | ||
| * For more information, see: https://developers.google.com/identity/protocols/oauth2/scopes. | ||
| * @param {string} targetAudience - The service name for which the id token is requested. Service name refers to the | ||
| * logical identifier of an API service, such as "http://www.example.com". | ||
| * @param {string} impersonatedServiceAccount - The name of the privilege-bearing service account for whom | ||
| * the credential is created. | ||
| */ | ||
| function main(scope, targetAudience, impersonatedServiceAccount) { | ||
| // [START auth_cloud_idtoken_impersonated_credentials] | ||
| /** | ||
| * TODO(developer): | ||
| * 1. Uncomment and replace these variables before running the sample. | ||
| */ | ||
| // const scope = 'https://www.googleapis.com/auth/cloud-platform'; | ||
| // const targetAudience = 'http://www.example.com'; | ||
| // const impersonatedServiceAccount = '[email protected]'; | ||
|
|
||
| const {GoogleAuth, Impersonated} = require('google-auth-library'); | ||
|
|
||
| async function getIdTokenFromImpersonatedCredentials() { | ||
| const googleAuth = new GoogleAuth(); | ||
|
|
||
| // Construct the GoogleCredentials object which obtains the default configuration from your | ||
| // working environment. | ||
| const {credential} = await googleAuth.getApplicationDefault(); | ||
|
|
||
| // delegates: The chained list of delegates required to grant the final accessToken. | ||
| // For more information, see: | ||
| // https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#sa-credentials-permissions | ||
| // Delegate is NOT USED here. | ||
| const delegates = []; | ||
|
|
||
| // Create the impersonated credential. | ||
| const impersonatedCredentials = new Impersonated({ | ||
| sourceClient: credential, | ||
| delegates, | ||
| targetPrincipal: impersonatedServiceAccount, | ||
| targetScopes: [scope], | ||
| lifetime: 300, | ||
| }); | ||
|
|
||
| // Get the ID token. | ||
| // Once you've obtained the ID token, you can use it to make an authenticated call | ||
| // to the target audience. | ||
| await impersonatedCredentials.fetchIdToken(targetAudience, { | ||
| includeEmail: true, | ||
| }); | ||
| console.log('Generated ID token.'); | ||
| } | ||
|
|
||
| getIdTokenFromImpersonatedCredentials(); | ||
| // [END auth_cloud_idtoken_impersonated_credentials] | ||
| } | ||
|
|
||
| process.on('unhandledRejection', err => { | ||
| console.error(err.message); | ||
| process.exitCode = 1; | ||
| }); | ||
|
|
||
| main(...process.argv.slice(2)); |
Oops, something went wrong.