Using functions to get an IAM token for a service account

If the function version was created with a service account, you can get an IAM token for it from:

• The handler context. The IAM token is in the access_token field of the context parameter.
• The metadata service in Google Compute Engine format using the API.

To get an IAM token:

1. Create a function.

2. Select the programming language and create a function version:

   Node.js

   Python

   1. Save the following code to a file named index.js to get the IAM token:

      • From the handler context.

        exports.main = async function (event, context) {
            return {
                'statusCode': 200,
                'headers': {
                    'Content-Type': 'text/plain'
                },
                'isBase64Encoded': false,
                'body': context.token
            }
        };
        

      • Using the API.

        const fetch = require("node-fetch");
        let url = 'http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token';
        let headers = {'Metadata-Flavor': 'Google'};
        
        exports.main = async function (event) {
            const resp = await fetch(url, {
                headers: headers,
            });
            return {
                code: resp.status,
                body: await resp.text()
            };
        };
        

   2. Add index.js to the index-js.zip archive.
   3. Create a function version. Indicate the following:
      • Runtime environment: nodejs12.
      • The service account to get the IAM token for.
      • Entry point: index.main.

   1. Save the following code to a file named index.py to get the IAM token:

      • From the handler context.

        def main(event, context):
        
            return {
                'statusCode': 200,
                'headers': {
                    'Content-Type': 'text/plain'
                },
                'isBase64Encoded': False,
                'body': context.token
            }
        

      • Using the API.

        import requests
        
        url = 'http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token'
        headers = {'Metadata-Flavor': 'Google'}
        
        
        def main(event, context):
        
            resp = requests.get(url, headers=headers)
        
            return {
                'statusCode': 200,
                'headers': {
                    'Content-Type': 'text/plain'
                },
                'isBase64Encoded': False,
                'body': resp.content.decode('UTF-8')
            }
        

   2. Add index.py to the index-py.zip archive.
   3. Create a function version. Indicate the following:
      • Runtime environment: python37.
      • The service account to get the IAM token for.
      • Entry point: index.main.

3. Run the function.

   The function response looks like this:

   {
       "access_token": "CggVAgAAABoBMRKABHGgpZ......",
       "expires_in": 42299,
       "token_type": "Bearer"
   }