chore: Custom Credential Supplier Documentation (#2132)

* chore: Custom Credential Supplier Documentation

* Made some comment changes.

* Included changes for Client Credentials Grant for Okta workforce.

* Changed AwsWorkload to include caching.

* Lint and package.json changes

* Impersonation not needed.

* Included changes to get region from sdk for customCredentialSupplierAwsWorkload. Got rid of samples/readme changes.

* Removed customCredentialSupplier for workload.

* Implemented OktaWorkload with client credential grant flow. AWS now leverages AWS-SDK level caching.

* Reverted back to using gaxios to fetch okta access token

Author: vverman

.readme-partials.yaml

@@ -379,6 +379,8 @@ body: |-
 
   Note that the client does not cache the returned AWS security credentials, so caching logic should be implemented in the supplier to prevent multiple requests for the same resources.
 
+  For a sample on how to access Google Cloud resources from AWS with a custom credential supplier, see [samples/customCredentialSupplierAwsWorkload.js](https://github.com/googleapis/google-auth-library-nodejs/blob/main/samples/customCredentialSupplierAwsWorkload.js).
+
   ```ts
   import { AwsClient, AwsSecurityCredentials, AwsSecurityCredentialsSupplier, ExternalAccountSupplierContext } from 'google-auth-library';
   import { fromNodeProviderChain } from '@aws-sdk/credential-providers';
@@ -1059,6 +1061,8 @@ body: |-
 
   The values for audience, service account impersonation URL, and any other builder field can also be found by generating a [credential configuration file with the gcloud CLI](https://cloud.google.com/iam/docs/workforce-obtaining-short-lived-credentials#use_configuration_files_for_sign-in).
 
+  For a sample on how to access Google Cloud resources from an Okta identity provider with a custom credential supplier, see [samples/customCredentialSupplierOktaWorkforce.js](https://github.com/googleapis/google-auth-library-nodejs/blob/main/samples/customCredentialSupplierOktaWorkforce.js).
+
   ### Using External Identities
 
   External identities (AWS, Azure and OIDC-based providers) can be used with `Application Default Credentials`.

samples/.eslintrc.yml

@@ -1,5 +1,10 @@
 ---
+parserOptions:
+  ecmaVersion: 2023
 rules:
   no-console: off
   node/no-missing-require: off
   node/no-unpublished-require: off
+  no-unused-vars:
+    - error
+    - argsIgnorePattern: '^_'

samples/customCredentialSupplierAwsWorkload.js

@@ -0,0 +1,134 @@
+// Copyright 2025 Google LLC
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+('use strict');
+require('dotenv').config();
+
+const {AwsClient} = require('google-auth-library');
+const {fromNodeProviderChain} = require('@aws-sdk/credential-providers');
+const {STSClient} = require('@aws-sdk/client-sts');
+
+/**
+ * Custom AWS Security Credentials Supplier.
+ *
+ * This implementation resolves AWS credentials using the default Node provider
+ * chain from the AWS SDK. This allows fetching credentials from environment
+ * variables, shared credential files (~/.aws/credentials), or IAM roles
+ * for service accounts (IRSA) in EKS, etc.
+ */
+class CustomAwsSupplier {
+  constructor() {
+    // Will be cached upon first resolution.
+    this.region = null;
+
+    // Initialize the AWS credential provider.
+    // The AWS SDK handles memoization (caching) and proactive refreshing internally.
+    this.awsCredentialsProvider = fromNodeProviderChain();
+  }
+
+  /**
+   * Returns the AWS region. This is required for signing the AWS request.
+   * It resolves the region automatically by using the default AWS region
+   * provider chain, which searches for the region in the standard locations
+   * (environment variables, AWS config file, etc.).
+   */
+  async getAwsRegion(_context) {
+    if (this.region) {
+      return this.region;
+    }
+
+    const client = new STSClient({});
+    this.region = await client.config.region();
+
+    if (!this.region) {
+      throw new Error(
+        'CustomAwsSupplier: Unable to resolve AWS region. Please set the AWS_REGION environment variable or configure it in your ~/.aws/config file.',
+      );
+    }
+
+    return this.region;
+  }
+
+  /**
+   * Retrieves AWS security credentials using the AWS SDK's default provider chain.
+   */
+  async getAwsSecurityCredentials(_context) {
+    // Call the initialized provider. It will return cached creds or refresh if needed.
+    const awsCredentials = await this.awsCredentialsProvider();
+
+    // This check is often redundant as the SDK provider throws on failure,
+    // but serves as an extra safeguard.
+    if (!awsCredentials.accessKeyId || !awsCredentials.secretAccessKey) {
+      throw new Error(
+        'Unable to resolve AWS credentials from the node provider chain. ' +
+          'Ensure your AWS CLI is configured, or AWS environment variables (like AWS_ACCESS_KEY_ID) are set.',
+      );
+    }
+
+    // Map the AWS SDK format to the google-auth-library format.
+    const awsSecurityCredentials = {
+      accessKeyId: awsCredentials.accessKeyId,
+      secretAccessKey: awsCredentials.secretAccessKey,
+      token: awsCredentials.sessionToken,
+    };
+
+    return awsSecurityCredentials;
+  }
+}
+
+async function main() {
+  const gcpAudience = process.env.GCP_WORKLOAD_AUDIENCE;
+  const saImpersonationUrl = process.env.GCP_SERVICE_ACCOUNT_IMPERSONATION_URL;
+  const gcsBucketName = process.env.GCS_BUCKET_NAME;
+
+  if (!gcpAudience || !saImpersonationUrl || !gcsBucketName) {
+    throw new Error(
+      'Missing required environment variables. Please check your .env file or environment settings. Required: GCP_WORKLOAD_AUDIENCE, GCP_SERVICE_ACCOUNT_IMPERSONATION_URL, GCS_BUCKET_NAME',
+    );
+  }
+
+  // 1. Instantiate the custom supplier.
+  const customSupplier = new CustomAwsSupplier();
+
+  // 2. Configure the AwsClient options using the constants.
+  const clientOptions = {
+    audience: gcpAudience,
+    subject_token_type: 'urn:ietf:params:aws:token-type:aws4_request',
+    service_account_impersonation_url: saImpersonationUrl,
+    aws_security_credentials_supplier: customSupplier,
+  };
+
+  // 3. Create the auth client
+  const client = new AwsClient(clientOptions);
+
+  // 4. Construct the URL for the Cloud Storage JSON API to get bucket metadata.
+
+  const bucketUrl = `https://storage.googleapis.com/storage/v1/b/${gcsBucketName}`;
+  console.log(`[Test] Getting metadata for bucket: ${gcsBucketName}...`);
+  console.log(`[Test] Request URL: ${bucketUrl}`);
+
+  // 5. Use the client to make an authenticated request.
+  const res = await client.request({url: bucketUrl});
+
+  console.log('\n--- SUCCESS! ---');
+  console.log('Successfully authenticated and retrieved bucket data:');
+  console.log(JSON.stringify(res.data, null, 2));
+}
+
+// Execute the test.
+main().catch(error => {
+  console.error('\n--- FAILED ---');
+  const fullError = error.response?.data || error;
+  console.error(JSON.stringify(fullError, null, 2));
+  process.exitCode = 1;
+});

samples/customCredentialSupplierOktaWorkload.js

@@ -0,0 +1,181 @@
+// Copyright 2025 Google LLC
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+'use strict';
+
+const {IdentityPoolClient} = require('google-auth-library');
+const {Gaxios} = require('gaxios');
+require('dotenv').config();
+
+// Workload Identity Pool Configuration
+const gcpWorkloadAudience = process.env.GCP_WORKLOAD_AUDIENCE;
+const serviceAccountImpersonationUrl =
+  process.env.GCP_SERVICE_ACCOUNT_IMPERSONATION_URL;
+const gcsBucketName = process.env.GCS_BUCKET_NAME;
+
+// Okta Configuration
+const oktaDomain = process.env.OKTA_DOMAIN; // e.g., 'https://dev-12345.okta.com'
+const oktaClientId = process.env.OKTA_CLIENT_ID; // The Client ID of your Okta M2M application
+const oktaClientSecret = process.env.OKTA_CLIENT_SECRET; // The Client Secret of your Okta M2M application
+
+// Constants for the authentication flow
+const TOKEN_URL = 'https://sts.googleapis.com/v1/token';
+const SUBJECT_TOKEN_TYPE = 'urn:ietf:params:oauth:token-type:jwt';
+
+/**
+ * A custom SubjectTokenSupplier that authenticates with Okta using the
+ * Client Credentials grant flow.
+ *
+ * This flow is designed for machine-to-machine (M2M) authentication and
+ * exchanges the application'''s client_id and client_secret for an access token.
+ */
+class OktaClientCredentialsSupplier {
+  constructor(domain, clientId, clientSecret) {
+    this.oktaTokenUrl = `${domain}/oauth2/default/v1/token`;
+    this.clientId = clientId;
+    this.clientSecret = clientSecret;
+    this.accessToken = null;
+    this.expiryTime = 0;
+    this.gaxios = new Gaxios();
+    console.log('OktaClientCredentialsSupplier initialized.');
+  }
+
+  /**
+   * Main method called by the auth library. It will fetch a new token if one
+   * is not already cached.
+   * @returns {Promise<string>} A promise that resolves with the Okta Access token.
+   */
+  async getSubjectToken() {
+    // Check if the current token is still valid (with a 60-second buffer).
+    const isTokenValid =
+      this.accessToken && Date.now() < this.expiryTime - 60 * 1000;
+
+    if (isTokenValid) {
+      console.log('[Supplier] Returning cached Okta Access token.');
+      return this.accessToken;
+    }
+
+    console.log(
+      '[Supplier] Token is missing or expired. Fetching new Okta Access token via Client Credentials grant...',
+    );
+    const {accessToken, expiresIn} = await this.fetchOktaAccessToken();
+    this.accessToken = accessToken;
+    // Calculate the absolute expiry time in milliseconds.
+    this.expiryTime = Date.now() + expiresIn * 1000;
+    return this.accessToken;
+  }
+
+  /**
+   * Performs the Client Credentials grant flow by making a POST request to Okta'''s token endpoint.
+   * @returns {Promise<{accessToken: string, expiresIn: number}>} A promise that resolves with the Access Token and expiry from Okta.
+   */
+  async fetchOktaAccessToken() {
+    const params = new URLSearchParams();
+    params.append('grant_type', 'client_credentials');
+
+    // For Client Credentials, scopes are optional and define the permissions
+    // the token will have. If you have custom scopes, add them here.
+    params.append('scope', 'gcp.test.read');
+
+    // The client_id and client_secret are sent in a Basic Auth header.
+    const authHeader =
+      'Basic ' +
+      Buffer.from(`${this.clientId}:${this.clientSecret}`).toString('base64');
+
+    try {
+      const response = await this.gaxios.request({
+        url: this.oktaTokenUrl,
+        method: 'POST',
+        headers: {
+          Authorization: authHeader,
+          'Content-Type': 'application/x-www-form-urlencoded',
+        },
+        data: params.toString(),
+      });
+
+      const {access_token, expires_in} = response.data;
+
+      if (access_token && expires_in) {
+        console.log(
+          `[Supplier] Successfully received Access Token from Okta. Expires in ${expires_in} seconds.`,
+        );
+        return {accessToken: access_token, expiresIn: expires_in};
+      } else {
+        throw new Error(
+          'Access token or expires_in not found in Okta response.',
+        );
+      }
+    } catch (error) {
+      console.error(
+        '[Supplier] Error fetching token from Okta:',
+        error.response?.data || error.message,
+      );
+      throw new Error(
+        'Failed to authenticate with Okta using Client Credentials grant.',
+      );
+    }
+  }
+}
+
+/**
+ * Main function to demonstrate the custom supplier.
+ */
+async function main() {
+  if (
+    !gcpWorkloadAudience ||
+    !gcsBucketName ||
+    !oktaDomain ||
+    !oktaClientId ||
+    !oktaClientSecret
+  ) {
+    throw new Error(
+      'Missing required environment variables. Please check your .env file.',
+    );
+  }
+
+  // 1. Instantiate our custom supplier with Okta credentials.
+  const oktaSupplier = new OktaClientCredentialsSupplier(
+    oktaDomain,
+    oktaClientId,
+    oktaClientSecret,
+  );
+
+  // 2. Instantiate an IdentityPoolClient directly with the required configuration.
+  // This client is specialized for workload identity federation flows.
+  const client = new IdentityPoolClient({
+    audience: gcpWorkloadAudience,
+    subject_token_type: SUBJECT_TOKEN_TYPE,
+    token_url: TOKEN_URL,
+    subject_token_supplier: oktaSupplier,
+    service_account_impersonation_url: serviceAccountImpersonationUrl,
+  });
+
+  // 3. Construct the URL for the Cloud Storage JSON API to get bucket metadata.
+  const bucketUrl = `https://storage.googleapis.com/storage/v1/b/${gcsBucketName}`;
+  console.log(`[Test] Getting metadata for bucket: ${gcsBucketName}...`);
+  console.log(`[Test] Request URL: ${bucketUrl}`);
+
+  // 4. Use the client to make an authenticated request.
+  const res = await client.request({url: bucketUrl});
+
+  console.log('--- SUCCESS! ---');
+  console.log('Successfully authenticated and retrieved bucket data:');
+  console.log(JSON.stringify(res.data, null, 2));
+}
+
+main().catch(error => {
+  console.error('--- FAILED ---');
+  const fullError = error.response?.data || error;
+  console.error(JSON.stringify(fullError, null, 2));
+  process.exitCode = 1;
+});

samples/package.json

@@ -15,11 +15,15 @@
   "dependencies": {
     "@google-cloud/language": "^7.0.0",
     "@google-cloud/storage": "^7.0.0",
+    "@aws-sdk/credential-providers": "^3.58.0",
     "@googleapis/iam": "^32.0.0",
     "google-auth-library": "^10.4.0",
+    "dotenv": "^16.3.1",
+    "gaxios": "^7.0.0",
     "node-fetch": "^2.3.0",
     "open": "^9.0.0",
-    "server-destroy": "^1.0.1"
+    "server-destroy": "^1.0.1",
+    "@aws-sdk/client-sts": "^3.58.0"
   },
   "devDependencies": {
     "chai": "^4.2.0",