link

node_modules/google-auth-library/build/src/auth/awsclient.d.ts

@@ -0,0 +1,120 @@
+import { AwsSecurityCredentials } from './awsrequestsigner';
+import { BaseExternalAccountClient, BaseExternalAccountClientOptions, ExternalAccountSupplierContext } from './baseexternalclient';
+import { AuthClientOptions } from './authclient';
+import { SnakeToCamelObject } from '../util';
+/**
+ * AWS credentials JSON interface. This is used for AWS workloads.
+ */
+export interface AwsClientOptions extends BaseExternalAccountClientOptions {
+    /**
+     * Object containing options to retrieve AWS security credentials. A valid credential
+     * source or a aws security credentials supplier should be specified.
+     */
+    credential_source?: {
+        /**
+         * AWS environment ID. Currently only 'AWS1' is supported.
+         */
+        environment_id: string;
+        /**
+         * The EC2 metadata URL to retrieve the current AWS region from. If this is
+         * not provided, the region should be present in the AWS_REGION or AWS_DEFAULT_REGION
+         * environment variables.
+         */
+        region_url?: string;
+        /**
+         * The EC2 metadata URL to retrieve AWS security credentials. If this is not provided,
+         * the credentials should be present in the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY,
+         * and AWS_SESSION_TOKEN environment variables.
+         */
+        url?: string;
+        /**
+         * The regional GetCallerIdentity action URL, used to determine the account
+         * ID and its roles.
+         */
+        regional_cred_verification_url: string;
+        /**
+         *  The imdsv2 session token url is used to fetch session token from AWS
+         *  which is later sent through headers for metadata requests. If the
+         *  field is missing, then session token won't be fetched and sent with
+         *  the metadata requests.
+         *  The session token is required for IMDSv2 but optional for IMDSv1
+         */
+        imdsv2_session_token_url?: string;
+    };
+    /**
+     * The AWS security credentials supplier to call to retrieve the AWS region
+     * and AWS security credentials. Either this or a valid credential source
+     * must be specified.
+     */
+    aws_security_credentials_supplier?: AwsSecurityCredentialsSupplier;
+}
+/**
+ * Supplier interface for AWS security credentials. This can be implemented to
+ * return an AWS region and AWS security credentials. These credentials can
+ * then be exchanged for a GCP token by an {@link AwsClient}.
+ */
+export interface AwsSecurityCredentialsSupplier {
+    /**
+     * Gets the active AWS region.
+     * @param context {@link ExternalAccountSupplierContext} from the calling
+     *   {@link AwsClient}, contains the requested audience and subject token type
+     *   for the external account identity as well as the transport from the
+     *   calling client to use for requests.
+     * @return A promise that resolves with the AWS region string.
+     */
+    getAwsRegion: (context: ExternalAccountSupplierContext) => Promise<string>;
+    /**
+     * Gets valid AWS security credentials for the requested external account
+     * identity. Note that these are not cached by the calling {@link AwsClient},
+     * so caching should be including in the implementation.
+     * @param context {@link ExternalAccountSupplierContext} from the calling
+     *   {@link AwsClient}, contains the requested audience and subject token type
+     *   for the external account identity as well as the transport from the
+     *   calling client to use for requests.
+     * @return A promise that resolves with the requested {@link AwsSecurityCredentials}.
+     */
+    getAwsSecurityCredentials: (context: ExternalAccountSupplierContext) => Promise<AwsSecurityCredentials>;
+}
+/**
+ * AWS external account client. This is used for AWS workloads, where
+ * AWS STS GetCallerIdentity serialized signed requests are exchanged for
+ * GCP access token.
+ */
+export declare class AwsClient extends BaseExternalAccountClient {
+    #private;
+    private readonly environmentId?;
+    private readonly awsSecurityCredentialsSupplier;
+    private readonly regionalCredVerificationUrl;
+    private awsRequestSigner;
+    private region;
+    /**
+     * @deprecated AWS client no validates the EC2 metadata address.
+     **/
+    static AWS_EC2_METADATA_IPV4_ADDRESS: string;
+    /**
+     * @deprecated AWS client no validates the EC2 metadata address.
+     **/
+    static AWS_EC2_METADATA_IPV6_ADDRESS: string;
+    /**
+     * Instantiates an AwsClient instance using the provided JSON
+     * object loaded from an external account credentials file.
+     * An error is thrown if the credential is not a valid AWS credential.
+     * @param options The external account options object typically loaded
+     *   from the external account JSON credential file.
+     * @param additionalOptions **DEPRECATED, all options are available in the
+     *   `options` parameter.** Optional additional behavior customization options.
+     *   These currently customize expiration threshold time and whether to retry
+     *   on 401/403 API request errors.
+     */
+    constructor(options: AwsClientOptions | SnakeToCamelObject<AwsClientOptions>, additionalOptions?: AuthClientOptions);
+    private validateEnvironmentId;
+    /**
+     * Triggered when an external subject token is needed to be exchanged for a
+     * GCP access token via GCP STS endpoint. This will call the
+     * {@link AwsSecurityCredentialsSupplier} to retrieve an AWS region and AWS
+     * Security Credentials, then use them to create a signed AWS STS request that
+     * can be exchanged for a GCP access token.
+     * @return A promise that resolves with the external subject token.
+     */
+    retrieveSubjectToken(): Promise<string>;
+}