ibm-cloud-sdk-core 5.0.2 → 5.1.0

package/.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "package-lock.json|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2024-08-29T14:54:57Z",
+  "generated_at": "2024-10-10T20:59:14Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -70,7 +70,39 @@
         "hashed_secret": "91dfd9ddb4198affc5c194cd8ce6d338fde470e2",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 74,
+        "line_number": 75,
+        "type": "Secret Keyword",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "4f51cde3ac0a5504afa4bc06859b098366592c19",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 236,
+        "type": "Secret Keyword",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "e87559ed7decb62d0733ae251ae58d42a55291d8",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 238,
+        "type": "Secret Keyword",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "12f4a68ed3d0863e56497c9cdb1e2e4e91d5cb68",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 302,
+        "type": "Secret Keyword",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "c837b75d7cd93ef9c2243ca28d6e5156259fd253",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 306,
         "type": "Secret Keyword",
         "verified_result": null
       },
@@ -78,7 +110,7 @@
         "hashed_secret": "98635b2eaa2379f28cd6d72a38299f286b81b459",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 433,
+        "line_number": 558,
         "type": "Secret Keyword",
         "verified_result": null
       },
@@ -86,7 +118,7 @@
         "hashed_secret": "47fcf185ee7e15fe05cae31fbe9e4ebe4a06a40d",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 543,
+        "line_number": 668,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -96,7 +128,7 @@
         "hashed_secret": "bc2f74c22f98f7b6ffbc2f67453dbfa99bce9a32",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 207,
+        "line_number": 214,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -106,7 +138,7 @@
         "hashed_secret": "32e8612d8ca77c7ea8374aa7918db8e5df9252ed",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 62,
+        "line_number": 63,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -116,7 +148,7 @@
         "hashed_secret": "fdee05598fdd57ff8e9ae29e92c25a04f2c52fa6",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 39,
+        "line_number": 41,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -159,20 +191,22 @@
         "verified_result": null
       }
     ],
-    "auth/authenticators/iam-request-based-authenticator.ts": [
+    "auth/authenticators/iam-request-based-authenticator-immutable.ts": [
       {
         "hashed_secret": "f84f793e0af9ade37c8b927bc5091e98f35bf821",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 78,
+        "line_number": 81,
         "type": "Secret Keyword",
         "verified_result": null
-      },
+      }
+    ],
+    "auth/authenticators/iam-request-based-authenticator.ts": [
       {
         "hashed_secret": "45c43fe97e3a06ab078b0eeff6fbe622cc417a25",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 89,
+        "line_number": 34,
         "type": "Secret Keyword",
         "verified_result": null
       },
@@ -180,7 +214,7 @@
         "hashed_secret": "99833a8b234b57b886a9aef1dba187fdd7ceece8",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 91,
+        "line_number": 36,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -239,6 +273,32 @@
         "verified_result": null
       }
     ],
+    "auth/token-managers/iam-assume-token-manager.ts": [
+      {
+        "hashed_secret": "2ac283c95478b7355a84b60cd52c1722de2cbc3a",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 111,
+        "type": "Secret Keyword",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "faed0c503983c5ab06e19630096d39ebfafef86a",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 115,
+        "type": "Secret Keyword",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "45c43fe97e3a06ab078b0eeff6fbe622cc417a25",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 168,
+        "type": "Secret Keyword",
+        "verified_result": null
+      }
+    ],
     "auth/token-managers/iam-request-based-token-manager.ts": [
       {
         "hashed_secret": "f84f793e0af9ade37c8b927bc5091e98f35bf821",
@@ -314,7 +374,7 @@
         "hashed_secret": "6947818ac409551f11fbaa78f0ea6391960aa5b8",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 50,
+        "line_number": 51,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -334,7 +394,7 @@
         "hashed_secret": "45c43fe97e3a06ab078b0eeff6fbe622cc417a25",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 266,
+        "line_number": 286,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -455,6 +515,50 @@
         "verified_result": null
       }
     ],
+    "test/unit/iam-assume-authenticator.test.js": [
+      {
+        "hashed_secret": "9cea46b39bd44a1ef9f3e71bfe9e45c24d3300f6",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 33,
+        "type": "Secret Keyword",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "5c5a15a8b0b3e154d77746945e563ba40100681b",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 37,
+        "type": "Secret Keyword",
+        "verified_result": null
+      }
+    ],
+    "test/unit/iam-assume-token-manager.test.js": [
+      {
+        "hashed_secret": "a0da30f332dd7b7a26d1c0b4da5437fcd90bf49b",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 33,
+        "type": "Secret Keyword",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "9cea46b39bd44a1ef9f3e71bfe9e45c24d3300f6",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 150,
+        "type": "Secret Keyword",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "43ed4c2d8375dfc89e3dc8c917f404b9481d355b",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 404,
+        "type": "Secret Keyword",
+        "verified_result": null
+      }
+    ],
     "test/unit/iam-authenticator.test.js": [
       {
         "hashed_secret": "257368587362aab7f1180b4a5fe550ec26053e05",
@@ -582,7 +686,7 @@
       }
     ]
   },
-  "version": "0.13.1+ibm.62.dss",
+  "version": "0.13.1+ibm.56.dss",
   "word_list": {
     "file": null,
     "hash": null

package/Authentication.md

@@ -2,7 +2,8 @@
 The node-sdk-core project supports the following types of authentication:
 - Basic Authentication
 - Bearer Token Authentication
-- Identity and Access Management (IAM) Authentication
+- Identity and Access Management (IAM) Authentication (grant type: apikey)
+- Identity and Access Management (IAM) Authentication (grant type: assume)
 - Container Authentication
 - VPC Instance Authentication
 - Cloud Pak for Data Authentication
@@ -16,7 +17,7 @@ which authentication types are supported for that service.
 
 The node-sdk-core allows an authenticator to be specified in one of two ways:
 1. programmatically - the SDK user invokes the appropriate function(s) to create an instance of the
-desired authenticator and then passes the authenticator instance when constructing an instance of the service.
+desired authenticator and then passes the authenticator instance when constructing an instance of the service client.
 2. configuration - the SDK user provides external configuration information (in the form of environment variables
 or a credentials file) to indicate the type of authenticator, along with the configuration of the necessary properties
 for that authenticator. The SDK user then invokes the configuration-based authenticator factory to construct an instance
@@ -28,7 +29,7 @@ which will include the following:
 - The properties associated with the authenticator
 - An example of how to construct the authenticator programmatically
 - An example of how to configure the authenticator through the use of external
-configuration information.  The configuration examples below will use
+configuration information. The configuration examples below will use
 environment variables, although the same properties could be specified in a
 credentials file instead.
 
@@ -143,16 +144,16 @@ const service = ExampleServiceV1.newInstance(options);
 
 Note that the use of external configuration is not as useful with the `BearerTokenAuthenticator` as it
 is for other authenticator types because bearer tokens typically need to be obtained and refreshed
-programmatically since they normally have a relatively short lifespan before they expire.  This
+programmatically since they normally have a relatively short lifespan before they expire. This
 authenticator type is intended for situations in which the application will be managing the bearer
 token itself in terms of initial acquisition and refreshing as needed.
 
 
-## Identity and Access Management (IAM) Authentication
-The `IamAuthenticator` will accept a user-supplied api key and will perform
+## Identity and Access Management (IAM) Authentication (grant type: apikey)
+The `IamAuthenticator` will accept a user-supplied apikey and will perform
 the necessary interactions with the IAM token service to obtain a suitable
-bearer token for the specified api key.  The authenticator will also obtain
-a new bearer token when the current token expires.  The bearer token is
+bearer token for the specified apikey. The authenticator will also obtain
+a new bearer token when the current token expires. The bearer token is
 then added to each outbound request in the `Authorization` header in the
 form:
 ```
@@ -161,7 +162,7 @@ form:
 
 ### Properties
 
-- apikey: (required) the IAM api key
+- apikey: (required) the IAM apikey to be used to obtain an IAM access token.
 
 - url: (optional) The base endpoint URL of the IAM token service.
 The default value of this property is the "prod" IAM token service endpoint
@@ -178,13 +179,13 @@ endpoint as well (`https://iam.test.cloud.ibm.com`).
 
 - clientId/clientSecret: (optional) The `clientId` and `clientSecret` fields are used to form a
 "basic auth" Authorization header for interactions with the IAM token server. If neither field
-is specified, then no Authorization header will be sent with token server requests.  These fields
+is specified, then no Authorization header will be sent with token server requests. These fields
 are optional, but must be specified together.
 
 - scope: (optional) the scope to be associated with the IAM access token.
 If not specified, then no scope wil be associated with the access token.
 
-- disableSslVerification: (optional) A flag that indicates whether verificaton of the server's SSL
+- disableSslVerification: (optional) A flag that indicates whether verification of the server's SSL
 certificate should be disabled or not. The default value is `false`.
 
 - headers: (optional) A set of key/value pairs that will be sent as HTTP headers in requests
@@ -228,6 +229,130 @@ const service = ExampleServiceV1.newInstance(options);
 ```
 
 
+## Identity and Access Management (IAM) Authentication (grant type: assume)
+The `IamAssumeAuthenticator` performs a two-step token fetch sequence to obtain
+a bearer token that allows the application to assume the identity of a trusted profile:
+1. First, the authenticator obtains an initial bearer token using grant type
+`urn:ibm:params:oauth:grant-type:apikey`.
+This initial token will reflect the identity associated with the input apikey.
+2. Second, the authenticator uses the grant type `urn:ibm:params:oauth:grant-type:assume` to obtain a bearer token
+that reflects the identity of the trusted profile, passing in the initial bearer token
+from the first step, along with the trusted profile-related inputs.
+
+The authenticator will also obtain a new bearer token when the current token expires.
+The bearer token is then added to each outbound request in the `Authorization` header in the
+form:
+```
+   Authorization: Bearer <bearer-token>
+```
+
+### Properties
+
+- apikey: (required) the IAM apikey to be used to obtain the initial IAM access token.
+
+- iamProfileCrn: (optional) the Cloud Resource Name (CRN) associated with the trusted profile
+for which an access token should be fetched.
+Exactly one of iamProfileCrn, iamProfileId or iamProfileName must be specified.
+
+- iamProfileId: (optional) the ID associated with the trusted profile
+for which an access token should be fetched.
+Exactly one of iamProfileCrn, iamProfileId or iamProfileName must be specified.
+
+- iamProfileName: (optional) the name associated with the trusted profile
+for which an access token should be fetched. When specifying this property, you must also
+specify the iamAccountId property as well.
+Exactly one of iamProfileCrn, iamProfileId or iamProfileName must be specified.
+
+- iamAccountId: (optional) the ID associated with the IAM account that contains the trusted profile
+referenced by the iamProfileName property. The imaAccountId property must be specified if and only if
+the iamProfileName property is specified.
+
+- url: (optional) The base endpoint URL of the IAM token service.
+The default value of this property is the "prod" IAM token service endpoint
+(`https://iam.cloud.ibm.com`).
+Make sure that you use an IAM token service endpoint that is appropriate for the
+location of the service being used by your application.
+For example, if you are using an instance of a service in the "production" environment
+(e.g. `https://resource-controller.cloud.ibm.com`),
+then the default "prod" IAM token service endpoint should suffice.
+However, if your application is using an instance of a service in the "staging" environment
+(e.g. `https://resource-controller.test.cloud.ibm.com`),
+then you would also need to configure the authenticator to use the IAM token service "staging"
+endpoint as well (`https://iam.test.cloud.ibm.com`).
+
+- clientId/clientSecret: (optional) The `clientId` and `clientSecret` fields are used to form a 
+"basic auth" Authorization header for interactions with the IAM token server when fetching the
+initial IAM access token. These fields are optional, but must be specified together.
+
+- scope: (optional) the scope to be used when obtaining the initial IAM access token.
+If not specified, then no scope will be associated with the access token.
+
+- disableSslVerification: (optional) A flag that indicates whether verification of the server's SSL 
+certificate should be disabled or not. The default value is `false`.
+
+- headers: (optional) A set of key/value pairs that will be sent as HTTP headers in requests
+made to the IAM token service.
+
+### Usage Notes
+- The IamAssumeAuthenticator is used to obtain an access token (a bearer token) from the IAM token service
+that allows an application to "assume" the identity of a trusted profile.
+
+- The authenticator first uses the apikey, url, clientId/clientSecret, scope, disableSslVerification, and headers
+properties to obtain an initial access token by invoking the IAM `getToken`
+(grant_type=`urn:ibm:params:oauth:grant-type:apikey`) operation.
+
+- The authenticator then uses the initial access token along with the url, iamProfileCrn, iamProfileId,
+iamProfileName, iamAccountId, disableSSLVerification, and headers properties to obtain an access token by invoking
+the IAM `getToken` (grant_type=`urn:ibm:params:oauth:grant-type:assume`) operation.
+The access token resulting from this second step will reflect the identity of the specified trusted profile.
+
+- When providing the trusted profile information, you must specify exactly one of: iamProfileCrn, iamProfileId
+or iamProfileName. If you specify iamProfileCrn or iamProfileId, then the trusted profile must exist in the same account that is
+associated with the input apikey. If you specify iamProfileName, then you must also specify the iamAccountId property
+to indicate the IAM account in which the named trusted profile can be found.
+
+### Programming example
+```js
+const { IamAssumeAuthenticator } = require('ibm-cloud-sdk-core');
+const ExampleServiceV1 = require('<sdk-package-name>/example-service/v1');
+
+// Create the authenticator.
+const authenticator = new IamAssumeAuthenticator({
+  apikey: 'myapikey',
+  iamProfileId: 'myprofile-1',
+});
+
+const options = {
+  authenticator,
+};
+
+// Create the service instance.
+const service = new ExampleServiceV1(options);
+
+// 'service' can now be used to invoke operations.
+```
+
+### Configuration example
+External configuration:
+```
+export EXAMPLE_SERVICE_AUTH_TYPE=iamAssume
+export EXAMPLE_SERVICE_APIKEY=myapikey
+export EXAMPLE_SERVICE_IAM_PROFILE_ID=myprofile-1
+```
+Application code:
+```js
+const ExampleServiceV1 = require('<sdk-package-name>/example-service/v1');
+
+const options = {
+  serviceName: 'example_service',
+};
+
+const service = ExampleServiceV1.newInstance(options);
+
+// 'service' can now be used to invoke operations.
+```
+
+
 ## Container Authentication
 The `ContainerAuthenticator` is intended to be used by application code
 running inside a compute resource managed by the IBM Kubernetes Service (IKS)
@@ -236,7 +361,7 @@ within the compute resource's local file system.
 The CR token is similar to an IAM apikey except that it is managed automatically by
 the compute resource provider (IKS).
 This allows the application developer to:
-- avoid storing credentials in application code, configuraton files or a password vault
+- avoid storing credentials in application code, configuration files or a password vault
 - avoid managing or rotating credentials
 
 The `ContainerAuthenticator` will retrieve the CR token from
@@ -280,13 +405,13 @@ endpoint as well (`https://iam.test.cloud.ibm.com`).
 
 - clientId/clientSecret: (optional) The `clientId` and `clientSecret` fields are used to form a
 "basic auth" Authorization header for interactions with the IAM token service. If neither field
-is specified, then no Authorization header will be sent with token server requests.  These fields
+is specified, then no Authorization header will be sent with token server requests. These fields
 are optional, but must be specified together.
 
 - scope: (optional) the scope to be associated with the IAM access token.
 If not specified, then no scope will be associated with the access token.
 
-- disableSslVerification: (optional) A flag that indicates whether verificaton of the server's SSL
+- disableSslVerification: (optional) A flag that indicates whether verification of the server's SSL
 certificate should be disabled or not. The default value is `false`.
 
 - headers: (optional) A set of key/value pairs that will be sent as HTTP headers in requests
@@ -342,7 +467,7 @@ The compute resource identity feature allows you to assign a trusted IAM profile
 This, in turn, allows applications running within the compute resource to take on this identity when interacting with
 IAM-secured IBM Cloud services.
 This results in a simplified security model that allows the application developer to:
-- avoid storing credentials in application code, configuraton files or a password vault
+- avoid storing credentials in application code, configuration files or a password vault
 - avoid managing or rotating credentials
 
 The `VpcInstanceAuthenticator` will invoke the appropriate operations on the compute resource's locally-available
@@ -361,11 +486,11 @@ The IAM access token is added to each outbound request in the `Authorization` he
 - iamProfileId: (optional) the id of the linked trusted IAM profile to be used when obtaining the IAM access token.
 
 - url: (optional) The VPC Instance Metadata Service's base URL.
-The default value of this property is `http://169.254.169.254`.  However, if the VPC Instance Metadata Service is configured
+The default value of this property is `http://169.254.169.254`. However, if the VPC Instance Metadata Service is configured
 with the HTTP Secure Protocol setting (`https`), then you should configure this property to be `https://api.metadata.cloud.ibm.com`.
 
 Usage Notes:
-1. At most one of `iamProfileCrn` or `iamProfileId` may be specified.  The specified value must map
+1. At most one of `iamProfileCrn` or `iamProfileId` may be specified. The specified value must map
 to a trusted IAM profile that has been linked to the compute resource (virtual server instance).
 
 2. If both `iamProfileCrn` and `iamProfileId` are specified, then an error occurs.
@@ -413,11 +538,11 @@ const service = ExampleServiceV1.newInstance(options);
 ```
 
 
-##  Cloud Pak for Data Authentication
+## Cloud Pak for Data Authentication
 The `CloudPakForDataAuthenticator` will accept a user-supplied username value, along with either a
 password or apikey, and will
 perform the necessary interactions with the Cloud Pak for Data token service to obtain a suitable
-bearer token.  The authenticator will also obtain a new bearer token when the current token expires.
+bearer token. The authenticator will also obtain a new bearer token when the current token expires.
 The bearer token is then added to each outbound request in the `Authorization` header in the
 form:
 ```
@@ -436,7 +561,7 @@ Exactly one of password or apikey should be specified.
 - url: (required) The URL representing the Cloud Pak for Data token service endpoint's base URL string.
 This value should not include the `/v1/authorize` path portion.
 
-- disableSslVerification: (optional) A flag that indicates whether verificaton of the server's SSL
+- disableSslVerification: (optional) A flag that indicates whether verification of the server's SSL
 certificate should be disabled or not. The default value is `false`.
 
 - headers: (optional) A set of key/value pairs that will be sent as HTTP headers in requests
@@ -505,7 +630,7 @@ form:
 - url: (required) The URL representing the MCSP token service endpoint's base URL string. Do not include the
 operation path (e.g. `/siusermgr/api/1.0/apikeys/token`) as part of this property's value.
 
-- disableSSLVerification: (optional) A flag that indicates whether verificaton of the server's SSL
+- disableSSLVerification: (optional) A flag that indicates whether verification of the server's SSL
 certificate should be disabled or not. The default value is `false`.
 
 - headers: (optional) A set of key/value pairs that will be sent as HTTP headers in requests

package/CHANGELOG.md

@@ -1,3 +1,10 @@
+# [5.1.0](https://github.com/IBM/node-sdk-core/compare/v5.0.2...v5.1.0) (2024-10-15)
+
+
+### Features
+
+* **IamAssumeAuthenticator:** add new authentication type for iam assume ([#287](https://github.com/IBM/node-sdk-core/issues/287)) ([addebfc](https://github.com/IBM/node-sdk-core/commit/addebfca36f0b45a1e4df18605984a66073413bb))
+
 ## [5.0.2](https://github.com/IBM/node-sdk-core/compare/v5.0.1...v5.0.2) (2024-09-03)
 
 

package/README.md

@@ -30,7 +30,8 @@ class YourSDK extends BaseService { ... }
 The node-sdk-core project supports the following types of authentication:
 - Basic Authentication
 - Bearer Token Authentication
-- Identity and Access Management (IAM) Authentication
+- Identity and Access Management (IAM) Authentication (grant type: apikey)
+- Identity and Access Management (IAM) Authentication (grant type: assume)
 - Container Authentication
 - VPC Instance Authentication
 - Cloud Pak for Data Authentication
@@ -79,7 +80,7 @@ To see the output from all of the debugging levels you can use:
 
 ``DEBUG=ibm-cloud-sdk-core*``
 
-The debug logger can be configured to be used for more than one library. In example, you can set a comma-separated string:
+The debug logger can be configured to be used for more than one library. For example, you can set a comma-separated string:
 
 ``DEBUG=ibm-cloud-sdk-core:debug,other-lib:debug``
 

package/auth/authenticators/authenticator.d.ts

@@ -25,6 +25,7 @@ export declare class Authenticator implements AuthenticatorInterface {
     static AUTHTYPE_BASIC: string;
     static AUTHTYPE_BEARERTOKEN: string;
     static AUTHTYPE_IAM: string;
+    static AUTHTYPE_IAM_ASSUME: string;
     static AUTHTYPE_CONTAINER: string;
     static AUTHTYPE_CP4D: string;
     static AUTHTYPE_NOAUTH: string;

package/auth/authenticators/authenticator.js

@@ -47,6 +47,7 @@ var Authenticator = /** @class */ (function () {
     Authenticator.AUTHTYPE_BASIC = 'basic';
     Authenticator.AUTHTYPE_BEARERTOKEN = 'bearerToken';
     Authenticator.AUTHTYPE_IAM = 'iam';
+    Authenticator.AUTHTYPE_IAM_ASSUME = 'iamAssume';
     Authenticator.AUTHTYPE_CONTAINER = 'container';
     Authenticator.AUTHTYPE_CP4D = 'cp4d';
     Authenticator.AUTHTYPE_NOAUTH = 'noAuth';

package/auth/authenticators/container-authenticator.d.ts

@@ -81,4 +81,10 @@ export declare class ContainerAuthenticator extends IamRequestBasedAuthenticator
      * @returns a string that indicates the authenticator's type
      */
     authenticationType(): string;
+    /**
+     * Return the most recently stored refresh token.
+     *
+     * @returns the refresh token string
+     */
+    getRefreshToken(): string;
 }

package/auth/authenticators/container-authenticator.js

@@ -113,6 +113,14 @@ var ContainerAuthenticator = /** @class */ (function (_super) {
     ContainerAuthenticator.prototype.authenticationType = function () {
         return authenticator_1.Authenticator.AUTHTYPE_CONTAINER;
     };
+    /**
+     * Return the most recently stored refresh token.
+     *
+     * @returns the refresh token string
+     */
+    ContainerAuthenticator.prototype.getRefreshToken = function () {
+        return this.tokenManager.getRefreshToken();
+    };
     return ContainerAuthenticator;
 }(iam_request_based_authenticator_1.IamRequestBasedAuthenticator));
 exports.ContainerAuthenticator = ContainerAuthenticator;