Skip to content

Instantly share code, notes, and snippets.

Created January 24, 2023 14:11
Show Gist options
  • Save KeKs0r/92be7af08d1d10eae8d1328c78de5f07 to your computer and use it in GitHub Desktop.
Save KeKs0r/92be7af08d1d10eae8d1328c78de5f07 to your computer and use it in GitHub Desktop.
Get JWT Token from service account for GCP (to use Google Api in cloudflare workers)
import { subtle } from 'crypto'
import { Base64 } from 'js-base64'
type ServiceAccount = {
private_key_id: string
private_key: string
client_email: string
type Scope = ''
type TokenOptions = {
aud: Scope
export async function getJWTFromServiceAccount(sa: ServiceAccount, { aud }: TokenOptions) {
const privateKey = await importPrivateKey(sa.private_key)
const header = Base64.encodeURI(
alg: 'RS256',
typ: 'JWT',
kid: sa.private_key_id,
const iat = Math.floor( / 1000)
const exp = iat + 3600
const payload = Base64.encodeURI(
iss: sa.client_email,
sub: sa.client_email,
const textEncoder = new TextEncoder()
const inputArrayBuffer = textEncoder.encode(`${header}.${payload}`)
const outputArrayBuffer = await subtle.sign(
{ name: 'RSASSA-PKCS1-v1_5' },
const signature = Base64.fromUint8Array(new Uint8Array(outputArrayBuffer), true)
const token = `${header}.${payload}.${signature}`
return token
function importPrivateKey(pem: string) {
const pemContents = getPemContent(pem)
const buffer = Base64.toUint8Array(pemContents)
const algorithm = {
name: 'RSASSA-PKCS1-v1_5',
hash: {
name: 'SHA-256',
return subtle.importKey('pkcs8', buffer, algorithm, false, ['sign'])
function getPemContent(rawPem: string) {
const pemHeader = '-----BEGIN PRIVATE KEY-----'
const pemFooter = '-----END PRIVATE KEY-----'
const pem = rawPem.replace(/\n/g, '')
if (!pem.startsWith(pemHeader) || !pem.endsWith(pemFooter)) {
throw new Error('Invalid service account private key')
const pemContents = pem.substring(pemHeader.length, pem.length - pemFooter.length)
return pemContents
Copy link

I haven't tried it yet but instead of

import { subtle } from 'crypto'

You should just be able to use it from globalThis

return globalThis.crypto.subtle.importKey('pkcs8', buffer, algorithm, false, ['sign'])

Copy link

vcarl commented Jul 2, 2024

Just sharing that I got this working by swapping out

-import { subtle } from 'crypto'
import { Base64 } from 'js-base64'
+const { subtle } = globalThis.crypto;

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment