Use an OAuth 2.0 access token for Domain-Wide Delegation

google-github-actions · Feb 2, 2024 · d84ef94 · d84ef94
1 parent 5a50e58
commit d84ef94
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 4 deletions.
diff --git a/dist/main/index.js b/dist/main/index.js
diff --git a/src/client/workload_identity_federation.ts b/src/client/workload_identity_federation.ts
@@ -141,7 +141,7 @@ export class WorkloadIdentityFederationClient extends Client implements AuthClie
     const pth = `${this._endpoints.iamcredentials}/projects/-/serviceAccounts/${this.#serviceAccount}:signJwt`;
 
     const headers = {
-      Authorization: `Bearer ${this.getToken()}`,
+      Authorization: `Bearer ${await this.getToken()}`,
     };
 
     const body = {

diff --git a/src/main.ts b/src/main.ts
@@ -282,10 +282,11 @@ async function main(logger: Logger) {
         );
       }
 
+      let accessToken: string;
+
       // If a subject was provided, use the traditional OAuth 2.0 flow to
       // perform Domain-Wide Delegation. Otherwise, use the modern IAM
       // Credentials endpoints.
-      let accessToken;
       if (accessTokenSubject) {
         if (accessTokenLifetime > 3600) {
           logger.info(
@@ -302,7 +303,6 @@ async function main(logger: Logger) {
           accessTokenLifetime,
         );
         const signedJWT = await client.signJWT(unsignedJWT);
-
         accessToken = await iamCredentialsClient.generateDomainWideDelegationAccessToken(signedJWT);
       } else {
         accessToken = await iamCredentialsClient.generateAccessToken({