5

How can I access an IAP protected resource using Python? More specifically I'd like to generate the Bearer token needed in the Authorization header to make calls to the IAP protected resource.

I have created a service account, given it "IAP-Secured Webapp User" permissions and have downloaded its JSON credentials to disk.

eddies
Ztyx

1 Answer

0

Since you have created a service account for authentication, you can use an OIDC token for authentication into IAP-secured resources.

The steps to obtain and use the token for authentication are shown here, but here is a little summary:

  • Head to the Cloud IAP page in the console and edit the OAuth client of the resource you wish to access.
  • With the client ID you get from the Credentials page, request an OIDC token.
  • Include the OIDC token in the Authorization: Bearer header, and that way you will have an authenticated request to the IAP-protected resource.
Rodrigo C.
  • Thanks Rodrigo. Could you provide me with a Python code sample? I've tried getting this to work myself but failed. – Ztyx Feb 16 '18 at 11:55
  • There are some samples available in this [link](https://github.com/GoogleCloudPlatform/python-docs-samples/tree/master/iap). Clone this repository onto your local machine: `git clone https://github.com/GoogleCloudPlatform/python-docs-samples.git`. Go to the `iap` directory and follow the instructions indicated in the link above. If you want more specific code, you can try [this one](https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/iap/make_iap_request.py) – Rodrigo C. Feb 16 '18 at 12:01
  • I've had a look at https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/iap/make_iap_request.py previously. In my case I have a downloaded JSON credentials. You don't happen to know which changes I need to make to make https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/iap/make_iap_request.py work with the JSON file? The API is rather messy for a beginner... – Ztyx Feb 16 '18 at 13:04
  • Please see https://gist.github.com/JensRantil/a3cc32c80c3594844009c55ff9233591/revisions. Let me know if you have any input. – Ztyx Feb 16 '18 at 13:32
  • Since you are using JSON credentials, I understand that you require a JSON web token (JWT). In this [link](https://cloud.google.com/iap/docs/signed-headers-howto#securing_iap_headers) you can find all the steps for securing your app. Be aware this is valid for apps in a flexible environment. For a standard environment, you will have to use the approach indicated [here](https://cloud.google.com/iap/docs/identity-howto#get_identity_gae), which involves using the [Users API](https://cloud.google.com/appengine/docs/standard/#users). – Rodrigo C. Feb 16 '18 at 14:57
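
The three steps summarised in the answer, applied to a downloaded service account JSON key. This is an added example, not code from the thread or from Google's samples. It assumes the `google-auth` and `requests` packages are installed; `check_token` and `iap_get` are illustrative names, and the claim check is a local debugging aid for the common case of a wrong audience.

```python
import base64
import json
import time


def fetch_iap_token(key_path, iap_client_id):
    """Mint a Google-signed OIDC ID token for the service account key file."""
    # Lazy imports; assumes `pip install google-auth requests`.
    from google.auth.transport.requests import Request
    from google.oauth2 import service_account
    # target_audience becomes the `aud` claim: it must be the OAuth client ID
    # of the IAP-protected resource, not the service account's own client ID.
    creds = service_account.IDTokenCredentials.from_service_account_file(
        key_path, target_audience=iap_client_id)
    creds.refresh(Request())  # exchanges a self-signed JWT for the ID token
    return creds.token


def unverified_claims(token):
    """Decode the JWT payload without checking the signature (debug aid only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token, iap_client_id, now=None):
    """Return problems with the audience and expiry claims (empty if none)."""
    claims = unverified_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != iap_client_id:
        problems.append("aud %r is not the IAP client ID" % claims.get("aud"))
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def iap_get(url, key_path, iap_client_id):
    """GET an IAP-protected URL with the token in the Authorization header."""
    import requests
    token = fetch_iap_token(key_path, iap_client_id)
    problems = check_token(token, iap_client_id)
    if problems:
        raise ValueError("; ".join(problems))
    return requests.get(url, headers={"Authorization": "Bearer " + token},
                        timeout=30)
```

The returned token is a bearer credential, so keep it and the key file out of logs and source control.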