
Implement ImpersonatedCredentials #535

Closed
salrashid123 opened this issue Nov 19, 2018 · 1 comment · Fixed by #1207
Labels
type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

Comments

salrashid123 (Contributor) commented Nov 19, 2018

Allows one user or service account to impersonate another using the iamcredentials API.

It's already implemented or pending for several other languages:

--

Here's what I've done so far:

@JustinBeckwith JustinBeckwith added the type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. label Nov 19, 2018
salrashid123 (Contributor, Author) commented

impersonatedclient.ts from comment #1 does work directly through an authorizedClient.requestAsync(), but it looks like there isn't an easy way to pass in a generic credential or authorizedClient into something like a Storage client.

That is, the following works:

```js
// Imports the snippet relies on (Compute and JWT come from google-auth-library)
const {Compute, JWT} = require('google-auth-library');

function getComputeClient() {
  let client = new Compute({
    serviceAccountEmail: '1071284184436-compute@developer.gserviceaccount.com'
  });
  return client;
}

function getServiceAccountClient() {
  const credFile = './mineral-minutia-820-83b3ce7dcddb.json';
  const keys = require(credFile);

  let client = new JWT(
    keys.client_email,
    null,
    keys.private_key,
    ['https://www.googleapis.com/auth/cloud-platform', 'https://www.googleapis.com/auth/iam'],
  );
  return client;
}

let {Impersonated} = require('./build/src/auth/impersonatedclient.js');
let targetClient = new Impersonated({
  sourceClient: getServiceAccountClient(),
  targetPrincipal: "impersonated-account@fabled-ray-104117.iam.gserviceaccount.com",
  lifetime: 30,
  delegates: [],
  targetScopes: ["https://www.googleapis.com/auth/devstorage.read_only"]
});

// Obtain the impersonated token, then call the Storage JSON API through the impersonated client
targetClient.getAccessToken().then(res => {
  let project_id = 'fabled-ray-104117';
  let url = 'https://www.googleapis.com/storage/v1/b?project=' + project_id;
  targetClient.requestAsync({url}).then(resp => {
    console.log(resp.data.items[0]);
  }).catch(function (error) {
    console.error('Unable to list buckets: ' + error);
  });
});
```

What doesn't work is if I try to pass in the impersonatedClient or its credential into Storage:

```js
const {Storage} = require('@google-cloud/storage');
const project_id = 'fabled-ray-104117';
let storage = new Storage({
    projectId: project_id,
    //authClient: targetClient.authClient      << I didn't see this as a valid argument anyway.
    //credentials: targetClient.credentials    << assumes the credentials is `JWT`
});
// Callback form: getBuckets() hands the list to the callback rather than returning it
storage.getBuckets(function(err, buckets) {
    if (err) {
      console.log(err);
    }
    if (!err) {
      buckets.forEach(function(value){
          console.log(value.id);
      });
    }
});
```
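The iamcredentials exchange behind the Impersonated class, as an added example (not code from the issue or from google-auth-library): it builds the generateAccessToken request from the same targetPrincipal/delegates/targetScopes/lifetime options used above, parses the accessToken/expireTime response, and checks expiry with a refresh skew. The injectable `transport` function and the fake endpoint are assumptions so that it runs offline.

```javascript
// Added example (not from the issue or google-auth-library): the
// iamcredentials generateAccessToken exchange an impersonated client performs.
// `transport` is an assumed injectable fetch-like function so this runs offline.
const IAM_CREDENTIALS = 'https://iamcredentials.googleapis.com/v1';

// Service accounts are addressed as projects/-/serviceAccounts/{email}.
function saResource(email) {
  return `projects/-/serviceAccounts/${email}`;
}

// Build the request from the same options the issue passes to Impersonated.
function buildGenerateAccessTokenRequest({targetPrincipal, delegates = [], targetScopes, lifetime = 3600}) {
  if (!Number.isInteger(lifetime) || lifetime <= 0) throw new Error('lifetime must be a positive number of seconds');
  if (!Array.isArray(targetScopes) || targetScopes.length === 0) throw new Error('targetScopes is required');
  return {
    url: `${IAM_CREDENTIALS}/${saResource(targetPrincipal)}:generateAccessToken`,
    // Delegates are listed in traversal order; each must hold
    // roles/iam.serviceAccountTokenCreator on the next principal in the chain.
    body: {delegates: delegates.map(saResource), scope: targetScopes, lifetime: `${lifetime}s`},
  };
}

// Exchange the source credential's token for a short-lived token for the target.
async function generateAccessToken(options, sourceToken, transport) {
  const req = buildGenerateAccessTokenRequest(options);
  const res = await transport(req.url, {
    method: 'POST',
    headers: {Authorization: `Bearer ${sourceToken}`, 'Content-Type': 'application/json'},
    body: JSON.stringify(req.body),
  });
  if (res.status !== 200) throw new Error(`generateAccessToken failed: HTTP ${res.status}`);
  const {accessToken, expireTime} = await res.json();   // expireTime is an RFC 3339 timestamp
  return {token: accessToken, expiresAt: Date.parse(expireTime)};
}

// Treat a token as expired a minute early so a request never races its expiry.
function tokenIsValid(tok, now = Date.now(), skewMs = 60000) {
  return typeof tok.token === 'string' && tok.token.length > 0 && tok.expiresAt - skewMs > now;
}

// Constructed stand-in for the real endpoint: checks the request shape and
// answers with a constructed token that expires after the requested lifetime.
async function fakeTransport(url, init) {
  const body = JSON.parse(init.body);
  const ok = url.endsWith(':generateAccessToken') && init.headers.Authorization.startsWith('Bearer ') && /^\d+s$/.test(body.lifetime);
  const expireTime = new Date(Date.now() + parseInt(body.lifetime, 10) * 1000).toISOString();
  return {status: ok ? 200 : 400, json: async () => ({accessToken: 'ya29.constructed-token', expireTime})};
}
```

A 30 second lifetime like the one in the snippet above is shorter than the 60 second refresh skew, so tokenIsValid reports it stale immediately; choose a lifetime that leaves room for a refresh before expiry.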
