Getting a service account IAM token using a function

If a function version was created with a service account, you can get an IAM token for that service account from:

• Handler context. You can find the IAM token in the access_token field of the context parameter.
• Metadata service in Google Compute Engine format using the API.

To get an IAM token:

1. Create a function. When creating the first function version, select Node.js or Python as the runtime.

2. Disable Add files with code examples.

3. Click Continue.

4. Under Code source, select ZIP archive.

5. Create a ZIP archive containing the function code:

   Node.js

   Python

   1. Save the following code to a file named index.js to get the IAM token:

      • From the handler context:

        exports.main = async function (event, context) {
            return {
                'statusCode': 200,
                'headers': {
                    'Content-Type': 'text/plain'
                },
                'isBase64Encoded': false,
                'body': context.token
            }
        };
        

      • Using the API:

        const fetch = require("node-fetch");
        let url = 'http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token';
        let headers = {'Metadata-Flavor': 'Google'};
        
        exports.main = async function (event) {
            const resp = await fetch(url, {
                headers: headers,
            });
            return {
                code: resp.status,
                body: await resp.text()
            };
        };
        

   2. If you want to get your IAM token using the API, save the following code to a file named package.json:

      {
          "name": "my-app",
          "dependencies": {
              "node-fetch": "2.x"
          }
      }
      

   3. Add the index.js file and, if using the API to get the IAM token, the package.json file into the index-js.zip archive.

   4. Click Attach file and select your index-js.zip archive.

   1. Save the following code to a file named index.py to get the IAM token:

      • From the handler context:

        def main(event, context):
        
            return {
                'statusCode': 200,
                'headers': {
                    'Content-Type': 'text/plain'
                },
                'isBase64Encoded': False,
                'body': context.token
            }
        

      • Using the API:

        import requests
        url = 'http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token'
        headers = {'Metadata-Flavor': 'Google'}
        def main(event, context):
            resp = requests.get(url, headers=headers)
            return {
                'statusCode': 200,
                'headers': {
                    'Content-Type': 'text/plain'
                },
                'isBase64Encoded': False,
                'body': resp.content.decode('UTF-8')
            }
        

6. Create a function version.

   1. In the Entry point field, specify index.main.

   2. Under Parameters, select the service account to get an IAM token for or create a new one.

7. Run the function.

   If the function runs successfully, you will get the following response:

   {
       "statusCode": 200,
       "headers": {"Content-Type": "text/plain"},
       "isBase64Encoded": false,
       "body":
       {
           "access_token": "t1.9euelZrPm5O********",
           "expires_in": 43200,
           "token_type": "Bearer"
       }
   }