gcp-jwt

@sagi.io/gcp-jwt helps you generate a JWT from GCP's service accounts. It uses the Web Crypto API under the hood. The package works with accordance to Google's JWT Auth guide.

Installation

$ npm i @sagi.io/gcp-jwt

Example

Suppose you'd like to use Firestore's REST API. The first step is to generate a service account with the "Cloud Datastore User" role. Please download the service account and store its contents in the SERVICE_ACCOUNT_JSON_STR environment variable.

The aud is defined by GCP's service definitions and is simply the following concatenated string: 'https://' + SERVICE_NAME + '/' + API__NAME. More info here.

For Firestore the aud is https://firestore.googleapis.com/google.firestore.v1.Firestore.

Cloudflare Workers

Cloudflare Workers expose the crypto global for the Web Crypto API.

const jwt = require('@sagi.io/gcp-jwt')

const serviceAccountJsonStr = await ENVIRONMENT.get('SERVICE_ACCOUNT_JSON_STR', 'text')
const aud = `https://firestore.googleapis.com/google.firestore.v1.Firestore`

const token = await jwt(serviceAccountJsonStr, aud, crypto)

const headers = { Authorization: `Bearer ${token}` }

const projectId = 'example-project'
const collection = 'exampleCol'
const document = 'exampleDoc'

const docUrl =
  `https://firestore.googleapis.com/v1/projects/${projectId}/databases/(default)/documents`
  + `/${collection}/${document}`

const response = await fetch(docUrl, { headers })

const documentObj =  await response.json()

Node

We use the node-webcrypto-ossl package to imitate the Web Crypto API in Node.

const WebCrypto = require('node-webcrypto-ossl');
const crypto = new WebCrypto();

<... SAME AS CLOUDFLARE WORKERS ...>