38 lines
1.5 KiB
TypeScript
38 lines
1.5 KiB
TypeScript
/**
|
|
* Shared GCP access-token helper.
|
|
*
|
|
* Prefers an explicit service-account key in `GOOGLE_SERVICE_ACCOUNT_KEY_B64`
|
|
* (base64-encoded JSON) — this is how the Vibn app is deployed on Coolify.
|
|
* Falls back to ADC for local dev and GCE.
|
|
*
|
|
* The same token grants every role on the underlying SA
|
|
* (currently: vibn-workspace-provisioner with roles/run.admin +
|
|
* roles/artifactregistry.reader + roles/dns.admin). Callers that need a
|
|
* narrower scope should ask for one explicitly.
|
|
*/
|
|
|
|
import { GoogleAuth, JWT } from 'google-auth-library';
|
|
|
|
const CLOUD_PLATFORM = 'https://www.googleapis.com/auth/cloud-platform';
|
|
|
|
export async function getGcpAccessToken(scopes: string[] = [CLOUD_PLATFORM]): Promise<string> {
|
|
const keyB64 = process.env.GOOGLE_SERVICE_ACCOUNT_KEY_B64;
|
|
if (keyB64) {
|
|
const key = JSON.parse(Buffer.from(keyB64, 'base64').toString('utf-8')) as {
|
|
client_email: string;
|
|
private_key: string;
|
|
};
|
|
const jwt = new JWT({ email: key.client_email, key: key.private_key, scopes });
|
|
const token = await jwt.getAccessToken();
|
|
if (!token.token) throw new Error('GCP auth: JWT access token was empty');
|
|
return token.token as string;
|
|
}
|
|
const auth = new GoogleAuth({ scopes });
|
|
const client = await auth.getClient();
|
|
const token = await client.getAccessToken();
|
|
if (!token.token) throw new Error('GCP auth: ADC access token was empty');
|
|
return token.token;
|
|
}
|
|
|
|
export const GCP_PROJECT_ID = process.env.GCP_PROJECT_ID ?? 'master-ai-484822';
|