feat: add ImpersonatedAuthClient for service account impersonation via IAM Credentials API

demolaf · demolaf · commit 4772852d7062 · 2026-02-10T18:23:38.000+01:00
diff --git a/googleapis_auth/CHANGELOG.md b/googleapis_auth/CHANGELOG.md
@@ -1,8 +1,9 @@
 ## 2.1.0-wip
 - Add `serviceAccountCredentials` getter to AuthClient
 - Added parsing for project_id and universe_domain properties for ServiceAccountCredentials
-- Add `sign()` method to `ServiceAccountCredentials` for RSA-SHA256 signing
+- Add `sign()` method to ServiceAccountCredentials for RSA-SHA256 signing
 - Add `IAMSigner` class for signing via IAM Credentials API
+- Add `clientViaServiceAccountImpersonation()` function and `ImpersonatedAuthClient` class for service account impersonation via IAM Credentials API
 - Require `meta: ^1.0.2`
 - Require `sdk: ^3.9.0`
 - Drop unneeded `args` dependency.
diff --git a/googleapis_auth/lib/auth_io.dart b/googleapis_auth/lib/auth_io.dart
@@ -17,6 +17,7 @@ import 'src/service_account_credentials.dart';
 import 'src/typedefs.dart';
 
 export 'googleapis_auth.dart';
+export 'src/impersonated_auth_client.dart';
 export 'src/metadata_server_client.dart';
 export 'src/oauth2_flows/auth_code.dart'
     show obtainAccessCredentialsViaCodeExchange;
diff --git a/googleapis_auth/lib/src/iam_signer.dart b/googleapis_auth/lib/src/iam_signer.dart
@@ -17,8 +17,6 @@ import 'utils.dart';
 /// locally. Instead of signing locally, this class uses the IAM service to
 /// perform signing operations.
 ///
-/// Does not close the [http.Client] passed to the constructor.
-///
 /// See: https://docs.cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob
 ///
 /// Example usage:
@@ -45,7 +43,7 @@ import 'utils.dart';
 class IAMSigner {
   final http.Client _client;
   final String? _serviceAccountEmail;
-  final String _endpoint;
+  final String _universeDomain;
 
   String? _cachedEmail;
 
@@ -57,15 +55,15 @@ class IAMSigner {
   /// [serviceAccountEmail] is the optional service account email to use for
   /// signing. If not provided, it will be fetched from the GCE metadata server.
   ///
-  /// [endpoint] specifies the IAM Credentials API endpoint.
-  /// Defaults to `https://iamcredentials.googleapis.com`.
+  /// [universeDomain] specifies the universe domain for constructing the IAM
+  /// endpoint. Defaults to [defaultUniverseDomain].
   IAMSigner(
     http.Client client, {
     String? serviceAccountEmail,
-    String endpoint = 'https://iamcredentials.$defaultUniverseDomain',
+    String universeDomain = defaultUniverseDomain,
   }) : _client = client,
        _serviceAccountEmail = serviceAccountEmail,
-       _endpoint = endpoint;
+       _universeDomain = universeDomain;
 
   /// Returns the service account email.
   ///
@@ -110,7 +108,7 @@ class IAMSigner {
     final encodedEmail = Uri.encodeComponent(email);
 
     final signBlobUrl = Uri.parse(
-      '$_endpoint/v1/projects/-/serviceAccounts/$encodedEmail:signBlob',
+      'https://iamcredentials.$_universeDomain/v1/projects/-/serviceAccounts/$encodedEmail:signBlob',
     );
 
     final requestBody = jsonEncode({'payload': base64Encode(data)});
@@ -123,12 +121,15 @@ class IAMSigner {
       'Failed to sign blob via IAM.',
     );
 
-    return switch (responseJson) {
-      {'signedBlob': final String signedBlob} => signedBlob,
-      _ => throw ServerRequestFailedException(
+    final signedBlob = responseJson['signedBlob'] as String?;
+
+    if (signedBlob == null) {
+      throw ServerRequestFailedException(
         'IAM signBlob response missing signedBlob field.',
         responseContent: responseJson,
-      ),
-    };
+      );
+    }
+
+    return signedBlob;
   }
 }
diff --git a/googleapis_auth/lib/src/impersonated_auth_client.dart b/googleapis_auth/lib/src/impersonated_auth_client.dart
@@ -0,0 +1,223 @@
+// Copyright (c) 2026, the Dart project authors.  Please see the AUTHORS file
+// for details. All rights reserved. Use of this source code is governed by a
+// BSD-style license that can be found in the LICENSE file.
+
+import 'dart:convert';
+
+import 'package:http/http.dart' as http;
+
+import 'auth_functions.dart';
+import 'auth_http_utils.dart';
+import 'iam_signer.dart';
+import 'service_account_credentials.dart';
+import 'utils.dart';
+
+/// Obtains oauth2 credentials by impersonating a service account via IAM API.
+///
+/// Uses a source credential to call the IAM Credentials API to obtain access
+/// tokens and sign data as a target service account.
+///
+/// See: https://cloud.google.com/iam/docs/create-short-lived-credentials-direct
+///
+/// {@macro googleapis_auth_client_for_creds}
+///
+/// The source client must have the `roles/iam.serviceAccountTokenCreator` role
+/// on the target service account.
+///
+/// Example:
+/// ```dart
+/// // Get source client
+/// final sourceClient = await clientViaServiceAccount(credentials, scopes);
+///
+/// // Create impersonated client
+/// final impersonated = await clientViaServiceAccountImpersonation(
+///   sourceClient: sourceClient,
+///   targetServiceAccount: 'target@project.iam.gserviceaccount.com',
+///   targetScopes: ['https://www.googleapis.com/auth/cloud-platform'],
+/// );
+///
+/// // Make authenticated requests
+/// await impersonated.get(Uri.parse('https://...'));
+///
+/// // Sign data as the impersonated account
+/// final signature = await impersonated.sign([1, 2, 3, 4, 5]);
+///
+/// // Explicitly generate a new access token
+/// final token = await impersonated.generateAccessToken();
+/// ```
+Future<ImpersonatedAuthClient> clientViaServiceAccountImpersonation({
+  required AuthClient sourceClient,
+  required String targetServiceAccount,
+  required List<String> targetScopes,
+  List<String>? delegates,
+  String universeDomain = defaultUniverseDomain,
+  Duration lifetime = const Duration(hours: 1),
+}) async {
+  final impersonatedClient = ImpersonatedAuthClient(
+    sourceClient: sourceClient,
+    targetServiceAccount: targetServiceAccount,
+    targetScopes: targetScopes,
+    delegates: delegates,
+    universeDomain: universeDomain,
+    lifetime: lifetime,
+  );
+
+  // Generate initial credentials
+  try {
+    final credentials = await impersonatedClient.generateAccessToken();
+    impersonatedClient._credentials = credentials;
+    return impersonatedClient;
+  } catch (e) {
+    impersonatedClient.close();
+    rethrow;
+  }
+}
+
+/// An authenticated HTTP client that impersonates a service account.
+///
+/// This client allows a source credential to act as a different service account
+/// through Google's IAM Credentials API. It supports:
+/// - Auto-refreshing access tokens
+/// - Signing data as the impersonated account
+/// - Delegation chains for multi-hop impersonation
+/// - Custom universe domains
+class ImpersonatedAuthClient extends AutoRefreshDelegatingClient {
+  final AuthClient _sourceClient;
+  final String _targetServiceAccount;
+  final List<String> _targetScopes;
+  final List<String>? _delegates;
+  final String _universeDomain;
+  final Duration _lifetime;
+
+  AccessCredentials _credentials;
+  http.Client? _authClient;
+
+  /// Creates an [ImpersonatedAuthClient] instance.
+  ///
+  /// [sourceClient] is the authenticated client used to make IAM API requests.
+  ///
+  /// [targetServiceAccount] is the email of the service account to impersonate.
+  ///
+  /// [targetScopes] are the OAuth2 scopes to request for the impersonated
+  /// service account.
+  ///
+  /// [delegates] is an optional list of service accounts in a delegation chain.
+  /// Each service account must be granted `roles/iam.serviceAccountTokenCreator`
+  /// on the next service account in the chain.
+  ///
+  /// [universeDomain] specifies the universe domain for constructing the IAM
+  /// endpoint. Defaults to [defaultUniverseDomain].
+  ///
+  /// [lifetime] specifies how long the access token should be valid. Defaults
+  /// to 3600 seconds (1 hour). Maximum is 43200 seconds (12 hours).
+  ImpersonatedAuthClient({
+    required AuthClient sourceClient,
+    required String targetServiceAccount,
+    required List<String> targetScopes,
+    List<String>? delegates,
+    String universeDomain = defaultUniverseDomain,
+    Duration lifetime = const Duration(hours: 1),
+  }) : _sourceClient = sourceClient,
+       _targetServiceAccount = targetServiceAccount,
+       _targetScopes = List.unmodifiable(targetScopes),
+       _delegates = delegates != null ? List.unmodifiable(delegates) : null,
+       _universeDomain = universeDomain,
+       _lifetime = lifetime,
+       _credentials = AccessCredentials(
+         AccessToken('Bearer', '', DateTime.now().toUtc()),
+         null,
+         targetScopes,
+       ),
+       super(sourceClient as http.Client, closeUnderlyingClient: false);
+
+  /// The email of the target service account being impersonated.
+  String get targetServiceAccount => _targetServiceAccount;
+
+  @override
+  AccessCredentials get credentials => _credentials;
+
+  @override
+  ServiceAccountCredentials? get serviceAccountCredentials => null;
+
+  /// Generates a new access token for the impersonated service account.
+  ///
+  /// This method calls the IAM Credentials API generateAccessToken endpoint
+  /// to obtain a new access token. The token will be valid for the duration
+  /// specified when the client was created.
+  ///
+  /// Returns [AccessCredentials] containing the new access token.
+  ///
+  /// Throws [ServerRequestFailedException] if the request fails.
+  Future<AccessCredentials> generateAccessToken() async {
+    final encodedEmail = Uri.encodeComponent(_targetServiceAccount);
+    final tokenUrl = Uri.parse(
+      'https://iamcredentials.$_universeDomain/v1/projects/-/serviceAccounts/$encodedEmail:generateAccessToken',
+    );
+
+    final requestBody = jsonEncode({
+      'scope': _targetScopes,
+      if (_delegates != null) 'delegates': _delegates,
+      'lifetime': '${_lifetime.inSeconds}s',
+    });
+
+    final request = http.Request('POST', tokenUrl)
+      ..headers['Content-Type'] = 'application/json'
+      ..body = requestBody;
+
+    final responseJson = await _sourceClient.requestJson(
+      request,
+      'Failed to generate access token for impersonated service account.',
+    );
+
+    final accessToken = responseJson['accessToken'] as String?;
+    final expireTime = responseJson['expireTime'] as String?;
+
+    if (accessToken == null || expireTime == null) {
+      throw ServerRequestFailedException(
+        'IAM generateAccessToken response missing required fields.',
+        responseContent: responseJson,
+      );
+    }
+
+    // Parse RFC 3339 timestamp
+    final expiry = DateTime.parse(expireTime);
+
+    return AccessCredentials(
+      AccessToken('Bearer', accessToken, expiry),
+      null,
+      _targetScopes,
+    );
+  }
+
+  /// Signs the given [data] using the IAM Credentials API.
+  ///
+  /// This method calls the IAM Credentials API signBlob endpoint to sign data
+  /// as the impersonated service account.
+  ///
+  /// Returns the signature as a String
+  ///
+  /// Throws [ServerRequestFailedException] if the signing operation fails.
+  ///
+  /// See: https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob
+  Future<String> sign(List<int> data) {
+    final signer = IAMSigner(
+      _sourceClient,
+      serviceAccountEmail: _targetServiceAccount,
+      universeDomain: _universeDomain,
+    );
+    return signer.sign(data);
+  }
+
+  @override
+  Future<http.StreamedResponse> send(http.BaseRequest request) async {
+    if (_credentials.accessToken.hasExpired) {
+      final newCredentials = await generateAccessToken();
+      notifyAboutNewCredentials(newCredentials);
+      _credentials = newCredentials;
+      _authClient = authenticatedClient(baseClient, _credentials);
+    }
+
+    _authClient ??= authenticatedClient(baseClient, _credentials);
+    return _authClient!.send(request);
+  }
+}
diff --git a/googleapis_auth/lib/src/oauth2_flows/metadata_server.dart b/googleapis_auth/lib/src/oauth2_flows/metadata_server.dart
@@ -21,6 +21,8 @@ class MetadataServerAuthorizationFlow extends BaseFlow {
   static const _serviceAccountUrlInfix =
       'computeMetadata/v1/instance/service-accounts';
 
+  // https://cloud.google.com/compute/docs/storing-retrieving-metadata#querying
+
   final String email;
   final Uri _scopesUrl;
   final Uri _tokenUrl;
diff --git a/googleapis_auth/lib/src/utils.dart b/googleapis_auth/lib/src/utils.dart
@@ -18,7 +18,6 @@ const maxExpectedTimeDiffInSeconds = 20;
 
 // Metadata server constants
 const metadataFlavorHeader = {'Metadata-Flavor': 'Google'};
-// - https://cloud.google.com/compute/docs/storing-retrieving-metadata#querying
 const defaultMetadataHost = 'metadata.google.internal';
 const gceMetadataHostEnvVar = 'GCE_METADATA_HOST';
 
diff --git a/googleapis_auth/test/iam_signer_test.dart b/googleapis_auth/test/iam_signer_test.dart
@@ -161,7 +161,7 @@ void main() {
       expect(signature, equals(base64Encode([99, 88, 77])));
     });
 
-    test('sign with custom endpoint', () async {
+    test('sign with custom universe domain', () async {
       final mockClient = MockClient(
         expectAsync1((request) async {
           if (request.method == 'POST') {
@@ -187,7 +187,7 @@ void main() {
       final signer = IAMSigner(
         mockClient,
         serviceAccountEmail: 'custom@example.iam.gserviceaccount.com',
-        endpoint: 'https://iamcredentials.example.com',
+        universeDomain: 'example.com',
       );
 
       final signature = await signer.sign([5, 6, 7]);
diff --git a/googleapis_auth/test/impersonated_auth_client_test.dart b/googleapis_auth/test/impersonated_auth_client_test.dart
