fix: use iamcredentials API to sign blobs (#908)

samples/signBlob.js

@@ -0,0 +1,29 @@
+// Copyright 2020 Google LLC
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+'use strict';
+
+const {auth} = require('google-auth-library');
+
+/**
+ * Use the iamcredentials API to sign a blob of data.
+ */
+async function main() {
+  const signedData = await auth.sign('some data');
+  console.log(signedData);
+}
+
+main().catch(e => {
+  console.error(e);
+  throw e;
+});

samples/test/jwt.test.js

@@ -84,4 +84,9 @@ describe('samples', () => {
     const output = execSync(`node idtokens-iap ${url} ${targetAudience}`);
     assert.match(output, /Hello, world/);
   });
+
+  it('should sign the blobs with IAM credentials API', () => {
+    const out = execSync('node signBlob');
+    assert.ok(out.length > 0);
+  });
 });

src/auth/googleauth.ts

@@ -809,16 +809,19 @@ export class GoogleAuth {
       throw new Error('Cannot sign data without `client_email`.');
     }
 
-    const id = `projects/${projectId}/serviceAccounts/${creds.client_email}`;
+    const url = `https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${creds.client_email}:signBlob`;
     const res = await this.request<SignBlobResponse>({
       method: 'POST',
-      url: `https://iam.googleapis.com/v1/${id}:signBlob`,
-      data: {bytesToSign: crypto.encodeBase64StringUtf8(data)},
+      url,
+      data: {
+        payload: crypto.encodeBase64StringUtf8(data),
+      },
     });
-    return res.data.signature;
+    return res.data.signedBlob;
   }
 }
 
 export interface SignBlobResponse {
-  signature: string;
+  keyId: string;
+  signedBlob: string;
 }

test/test.googleauth.ts

@@ -1390,21 +1390,21 @@ describe('googleauth', () => {
       const {auth, scopes} = mockGCE();
       mockEnvVar('GCLOUD_PROJECT', STUB_PROJECT);
       const email = 'google@auth.library';
-      const iamUri = `https://iam.googleapis.com`;
-      const iamPath = `/v1/projects/${STUB_PROJECT}/serviceAccounts/${email}:signBlob`;
-      const signature = 'erutangis';
+      const iamUri = `https://iamcredentials.googleapis.com`;
+      const iamPath = `/v1/projects/-/serviceAccounts/${email}:signBlob`;
+      const signedBlob = 'erutangis';
       const data = 'abc123';
       scopes.push(
         nock(iamUri)
           .post(iamPath)
-          .reply(200, {signature}),
+          .reply(200, {signedBlob}),
         nock(host)
           .get(svcAccountPath)
           .reply(200, {default: {email, private_key: privateKey}}, HEADERS)
       );
       const value = await auth.sign(data);
       scopes.forEach(x => x.done());
-      assert.strictEqual(value, signature);
+      assert.strictEqual(value, signedBlob);
     });
 
     it('should warn the user if using the getDefaultProjectId method', done => {