fix: use iam client library to setup test

package.json

@@ -23,6 +23,8 @@
     "fast-text-encoding": "^1.0.0",
     "gaxios": "^4.0.0",
     "gcp-metadata": "^4.2.0",
+    "google-auth-library": "^7.0.4",
+    "googleapis": "^73.0.0",
     "gtoken": "^5.0.4",
     "jws": "^4.0.0",
     "lru-cache": "^6.0.0"

samples/scripts/externalclient-setup.js

@@ -84,8 +84,10 @@
 const fs = require('fs');
 const {promisify} = require('util');
 const {GoogleAuth} = require('google-auth-library');
+const {google} = require('googleapis');
 
 const readFile = promisify(fs.readFile);
+const iam = google.iam('v1');
 
 /**
  * Generates a random string of the specified length, optionally using the
@@ -141,23 +143,15 @@ async function main(config) {
   const auth = new GoogleAuth({
     scopes: 'https://www.googleapis.com/auth/cloud-platform',
   });
-
-  // TODO: switch to using IAM client SDK once v1 API has all the v1beta
-  // changes.
-  // https://cloud.google.com/iam/docs/reference/rest/v1beta/projects.locations.workloadIdentityPools
-  // https://github.com/googleapis/google-api-nodejs-client/tree/master/src/apis/iam
+  const authClient = await auth.getClient();
+  google.options({auth: authClient});
 
   // Create the workload identity pool.
-  response = await auth.request({
-    url:
-      `https://iam.googleapis.com/v1beta/projects/${projectId}/` +
-      `locations/global/workloadIdentityPools?workloadIdentityPoolId=${poolId}`,
-    method: 'POST',
-    data: {
-      displayName: 'Test workload identity pool',
-      description: 'Test workload identity pool for Node.js',
-    },
+  response = await iam.projects.locations.workloadIdentityPools.create({
+    parent: `projects/${projectId}/locations/global`,
+    workloadIdentityPoolId: poolId,
   });
+
   // Populate the audience field. This will be used by the tests, specifically
   // the credential configuration file.
   const poolResourcePath = response.data.name.split('/operations')[0];
@@ -166,12 +160,10 @@ async function main(config) {
 
   // Allow service account impersonation.
   // Get the existing IAM policity bindings on the current service account.
-  response = await auth.request({
-    url:
-      `https://iam.googleapis.com/v1/projects/${projectId}/` +
-      `serviceAccounts/${clientEmail}:getIamPolicy`,
-    method: 'POST',
+  response = await iam.projects.serviceAccounts.getIamPolicy({
+    resource: `projects/${projectId}/serviceAccounts/${clientEmail}`,
   });
+
   const bindings = response.data.bindings || [];
   // If not found, add roles/iam.workloadIdentityUser role binding to the
   // workload identity pool member.
@@ -203,54 +195,49 @@ async function main(config) {
       ],
     });
   }
-  await auth.request({
-    url:
-      `https://iam.googleapis.com/v1/projects/${projectId}/` +
-      `serviceAccounts/${clientEmail}:setIamPolicy`,
-    method: 'POST',
-    data: {
+  await iam.projects.serviceAccounts.setIamPolicy({
+    resource: `projects/${projectId}/serviceAccounts/${clientEmail}`,
+    requestBody: {
       policy: {
         bindings,
-      },
+      } 
     },
   });
 
   // Create an OIDC provider. This will use the accounts.google.com issuer URL.
   // This will use the STS audience as the OIDC token audience.
-  await auth.request({
-    url:
-      `https://iam.googleapis.com/v1beta/projects/${projectId}/` +
-      `locations/global/workloadIdentityPools/${poolId}/providers?` +
-      `workloadIdentityPoolProviderId=${oidcProviderId}`,
-    method: 'POST',
-    data: {
-      displayName: 'Test OIDC provider',
-      description: 'Test OIDC provider for Node.js',
-      attributeMapping: {
-        'google.subject': 'assertion.sub',
-      },
-      oidc: {
-        issuerUri: 'https://accounts.google.com',
-        allowedAudiences: [oidcAudience],
-      },
-    },
-  });
+  await iam.projects.locations.workloadIdentityPools.providers.create(
+    {
+      parent: `projects/${projectId}/locations/global/workloadIdentityPools/${poolId}`,
+      workloadIdentityPoolProviderId: oidcProviderId,
+      requestBody: {
+        displayName: 'Test OIDC provider',
+        description: 'Test OIDC provider for Node.js',
+        attributeMapping: {
+          'google.subject': 'assertion.sub',
+        },
+        oidc: {
+          issuerUri: 'https://accounts.google.com',
+          allowedAudiences: [oidcAudience],
+        },
+      }
+    }
+  );
 
   // Create an AWS provider.
-  await auth.request({
-    url:
-      `https://iam.googleapis.com/v1beta/projects/${projectId}/` +
-      `locations/global/workloadIdentityPools/${poolId}/providers?` +
-      `workloadIdentityPoolProviderId=${awsProviderId}`,
-    method: 'POST',
-    data: {
-      displayName: 'Test AWS provider',
-      description: 'Test AWS provider for Node.js',
-      aws: {
-        accountId: config.awsAccountId,
-      },
-    },
-  });
+  await iam.projects.locations.workloadIdentityPools.providers.create(
+    {
+      parent: `projects/${projectId}/locations/global/workloadIdentityPools/${poolId}`,
+      workloadIdentityPoolProviderId: awsProviderId,
+      requestBody: {
+        displayName: 'Test AWS provider',
+        description: 'Test AWS provider for Node.js',
+        aws: {
+          accountId: config.awsAccountId,
+        },
+      }
+    }
+  );
 
   return {
     oidcAudience,
@@ -292,7 +279,7 @@ main(config)
     console.log(`AUDIENCE_OIDC='${audiences.oidcAudience}'`);
     console.log(`AUDIENCE_AWS='${audiences.awsAudience}'`);
     console.log(
-      `AWS_ROLE_ARN='arn:aws::iam::${config.awsAccountId}:role/${config.awsRoleName}'`
+      `AWS_ROLE_ARN='arn:aws:iam::${config.awsAccountId}:role/${config.awsRoleName}'`
     );
   })
   .catch(console.error);