[googleapis_auth] feat: Add IAMSigner for signing via IAM Credentials API (#710)

Author: demolaf

googleapis_auth/CHANGELOG.md

@@ -2,6 +2,7 @@
 - Add `serviceAccountCredentials` getter to AuthClient
 - Added parsing for project_id and universe_domain properties for ServiceAccountCredentials
 - Add `sign()` method to `ServiceAccountCredentials` for RSA-SHA256 signing
+- Add `IAMSigner` class for signing via IAM Credentials API
 - Require `meta: ^1.0.2`
 - Require `sdk: ^3.9.0`
 - Drop unneeded `args` dependency.

googleapis_auth/lib/googleapis_auth.dart

@@ -31,5 +31,6 @@ export 'src/auth_functions.dart';
 export 'src/client_id.dart';
 export 'src/crypto/rsa.dart' show RSAPrivateKey;
 export 'src/exceptions.dart';
+export 'src/iam_signer.dart';
 export 'src/response_type.dart';
 export 'src/service_account_credentials.dart';

googleapis_auth/lib/src/iam_signer.dart

@@ -0,0 +1,134 @@
+// Copyright (c) 2026, the Dart project authors.  Please see the AUTHORS file
+// for details. All rights reserved. Use of this source code is governed by a
+// BSD-style license that can be found in the LICENSE file.
+
+import 'dart:convert';
+import 'dart:io';
+
+import 'package:http/http.dart' as http;
+
+import 'exceptions.dart';
+import 'utils.dart';
+
+/// Signs data using the IAM Credentials API's signBlob endpoint.
+///
+/// This is useful when running on Cloud Run or Google Compute Engine with
+/// Application Default Credentials, where there's no private key available
+/// locally. Instead of signing locally, this class uses the IAM service to
+/// perform signing operations.
+///
+/// Does not close the [http.Client] passed to the constructor.
+///
+/// See: https://docs.cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob
+///
+/// Example usage:
+/// ```dart
+/// import 'dart:convert';
+/// import 'package:googleapis_auth/googleapis_auth.dart';
+///
+/// // Get an authenticated client (e.g., via metadata server)
+/// final authClient = await clientViaMetadataServer();
+///
+/// // Create an IAMSigner with explicit service account email
+/// final signer = IAMSigner(
+///   authClient,
+///   serviceAccountEmail: 'my-service@project.iam.gserviceaccount.com',
+/// );
+///
+/// // Or let it fetch the email from metadata server
+/// final signer = IAMSigner(authClient);
+///
+/// // Sign some data
+/// final data = utf8.encode('data to sign');
+/// final signature = await signer.sign(data);
+/// ```
+class IAMSigner {
+  final http.Client _client;
+  final String? _serviceAccountEmail;
+  final String _endpoint;
+
+  String? _cachedEmail;
+
+  /// Creates an [IAMSigner] instance.
+  ///
+  /// [client] is used for making HTTP requests to the metadata server and
+  /// IAM API.
+  ///
+  /// [serviceAccountEmail] is the optional service account email to use for
+  /// signing. If not provided, it will be fetched from the GCE metadata server.
+  ///
+  /// [endpoint] specifies the IAM Credentials API endpoint.
+  /// Defaults to `https://iamcredentials.googleapis.com`.
+  IAMSigner(
+    http.Client client, {
+    String? serviceAccountEmail,
+    String endpoint = 'https://iamcredentials.$defaultUniverseDomain',
+  }) : _client = client,
+       _serviceAccountEmail = serviceAccountEmail,
+       _endpoint = endpoint;
+
+  /// Returns the service account email.
+  ///
+  /// If an email was provided in the constructor, returns that email.
+  /// Otherwise, queries the GCE metadata server to retrieve the default
+  /// service account email.
+  Future<String> getServiceAccountEmail() async {
+    if (_serviceAccountEmail != null) {
+      return _serviceAccountEmail;
+    }
+
+    if (_cachedEmail != null) {
+      return _cachedEmail!;
+    }
+
+    final metadataHost =
+        Platform.environment[gceMetadataHostEnvVar] ?? defaultMetadataHost;
+    final emailUrl = Uri.parse(
+      'http://$metadataHost/computeMetadata/v1/instance/service-accounts/default/email',
+    );
+
+    final response = await _client.get(emailUrl, headers: metadataFlavorHeader);
+    if (response.statusCode != 200) {
+      throw ServerRequestFailedException(
+        'Failed to get service account email from metadata server.',
+        statusCode: response.statusCode,
+        responseContent: response.body,
+      );
+    }
+
+    _cachedEmail = response.body.trim();
+    return _cachedEmail!;
+  }
+
+  /// Signs the given [data] using the IAM Credentials API.
+  ///
+  /// Returns the signature as a String (base64-encoded).
+  ///
+  /// Throws a [ServerRequestFailedException] if the signing operation fails.
+  Future<String> sign(List<int> data) async {
+    final email = await getServiceAccountEmail();
+    final encodedEmail = Uri.encodeComponent(email);
+
+    final signBlobUrl = Uri.parse(
+      '$_endpoint/v1/projects/-/serviceAccounts/$encodedEmail:signBlob',
+    );
+
+    final requestBody = jsonEncode({'payload': base64Encode(data)});
+    final request = http.Request('POST', signBlobUrl)
+      ..headers['Content-Type'] = 'application/json'
+      ..body = requestBody;
+
+    final responseJson = await _client.requestJson(
+      request,
+      'Failed to sign blob via IAM.',
+    );
+
+    return switch (responseJson) {
+      {'signedBlob': final String signedBlob} => signedBlob,
+      _ => throw ServerRequestFailedException(
+        'IAM signBlob response missing signedBlob field.',
+        responseContent: responseJson,
+      ),
+    };
+  }
+}

googleapis_auth/lib/src/oauth2_flows/metadata_server.dart

@@ -18,12 +18,8 @@ import 'base_flow.dart';
 /// metadata server, looking first for one set in the environment under
 /// `$GCE_METADATA_HOST`.
 class MetadataServerAuthorizationFlow extends BaseFlow {
-  static const _headers = {'Metadata-Flavor': 'Google'};
   static const _serviceAccountUrlInfix =
       'computeMetadata/v1/instance/service-accounts';
-  // https://cloud.google.com/compute/docs/storing-retrieving-metadata#querying
-  static const _defaultMetadataHost = 'metadata.google.internal';
-  static const _gceMetadataHostEnvVar = 'GCE_METADATA_HOST';
 
   final String email;
   final Uri _scopesUrl;
@@ -37,7 +33,7 @@ class MetadataServerAuthorizationFlow extends BaseFlow {
     final encodedEmail = Uri.encodeComponent(email);
 
     final metadataHost =
-        Platform.environment[_gceMetadataHostEnvVar] ?? _defaultMetadataHost;
+        Platform.environment[gceMetadataHostEnvVar] ?? defaultMetadataHost;
     final serviceAccountPrefix =
         'http://$metadataHost/$_serviceAccountUrlInfix';
 
@@ -62,7 +58,7 @@ class MetadataServerAuthorizationFlow extends BaseFlow {
   Future<AccessCredentials> run() async {
     final results = await Future.wait([
       _client.requestJson(
-        http.Request('GET', _tokenUrl)..headers.addAll(_headers),
+        http.Request('GET', _tokenUrl)..headers.addAll(metadataFlavorHeader),
         'Failed to obtain access credentials.',
       ),
       _getScopes(),
@@ -80,7 +76,10 @@ class MetadataServerAuthorizationFlow extends BaseFlow {
   }
 
   Future<String> _getScopes() async {
-    final response = await _client.get(_scopesUrl, headers: _headers);
+    final response = await _client.get(
+      _scopesUrl,
+      headers: metadataFlavorHeader,
+    );
     return response.body;
   }
 }

googleapis_auth/lib/src/service_account_credentials.dart

@@ -9,6 +9,7 @@ import 'client_id.dart';
 import 'crypto/pem.dart';
 import 'crypto/rsa.dart';
 import 'crypto/rsa_sign.dart';
+import 'utils.dart';
 
 export 'access_credentials.dart' show AccessCredentials;
 export 'access_token.dart' show AccessToken;
@@ -36,7 +37,7 @@ class ServiceAccountCredentials {
 
   /// The universe domain for this service account.
   ///
-  /// Defaults to 'googleapis.com' if not specified in the JSON file.
+  /// Defaults to [defaultUniverseDomain] if not specified in the JSON file.
   /// Used to construct correct API endpoints for non-default universe domains
   /// (e.g., Government Cloud or other isolated environments).
   final String universeDomain;
@@ -66,7 +67,7 @@ class ServiceAccountCredentials {
     final type = json['type'];
     final projectId = json['project_id'] as String?;
     final universeDomain =
-        json['universe_domain'] as String? ?? 'googleapis.com';
+        json['universe_domain'] as String? ?? defaultUniverseDomain;
 
     if (type != 'service_account') {
       throw ArgumentError(
@@ -110,14 +111,14 @@ class ServiceAccountCredentials {
   ///
   /// The optional named argument [universeDomain] specifies the universe
   /// domain.
-  /// Defaults to 'googleapis.com' if not provided.
+  /// Defaults to [defaultUniverseDomain] if not provided.
   ServiceAccountCredentials(
     this.email,
     this.clientId,
     this.privateKey, {
     this.impersonatedUser,
     this.projectId,
-    this.universeDomain = 'googleapis.com',
+    this.universeDomain = defaultUniverseDomain,
   }) : privateRSAKey = keyFromString(privateKey);
 
   /// Signs the given [data] using RSA-SHA256 with this service account's

googleapis_auth/lib/src/utils.dart

@@ -16,6 +16,15 @@ import 'http_client_base.dart';
 /// will shorten expiry dates by 20 seconds.
 const maxExpectedTimeDiffInSeconds = 20;
 
+// Metadata server constants
+const metadataFlavorHeader = {'Metadata-Flavor': 'Google'};
+// - https://cloud.google.com/compute/docs/storing-retrieving-metadata#querying
+const defaultMetadataHost = 'metadata.google.internal';
+const gceMetadataHostEnvVar = 'GCE_METADATA_HOST';
+
+// Universe domain constants
+const defaultUniverseDomain = 'googleapis.com';
+
 AccessToken parseAccessToken(Map<String, dynamic> jsonMap) {
   final tokenType = jsonMap['token_type'];
   final accessToken = jsonMap['access_token'];