How can I access an IAP protected resource using Python?

How can I access an IAP protected resource using Python? More specifically I'd like to generate the Bearer token needed in the Authorization header to make calls to the IAP protected resource.

I have created a service account, given it "IAP-Secured Webapp User" permissions and have downloaded its JSON credentials to disk.

Boccie answered 12/2, 2018 at 15:28 Comment(0)

Since you have created a service account for authentication, you can use an OIDC token for authentication into IAP-secured resources.

The steps to obtain and use the token for authentication are shown here, but here is a little summary:

  • Head to the Cloud IAP page in the console and edit the OAuth client of the resource you wish to access.
  • With the client ID you get from the Credentials page, request an OIDC token.
  • Include the OIDC token in the Authorization: Bearer header, and that way you will have an authenticated request to the IAP-protected resource.
Embolus answered 16/2, 2018 at 11:41 Comment(6)
Thanks Rodrigo. Could you provide me with a Python code sample? I've tried getting this to work myself but failed. - Boccie
There are some samples available in this link; clone this repository to your local machine: git clone https://github.com/GoogleCloudPlatform/python-docs-samples.git. Go to the iap directory and follow the instructions indicated in the link above. If you want more specific code, you can try this one. - Embolus
I've had a look at github.com/GoogleCloudPlatform/python-docs-samples/blob/master/… previously. In my case I have downloaded JSON credentials. You don't happen to know which changes I need to make to make github.com/GoogleCloudPlatform/python-docs-samples/blob/master/… work with the JSON file? The API is rather messy for a beginner... - Boccie
Please see gist.github.com/JensRantil/a3cc32c80c3594844009c55ff9233591/…. Let me know if you have any input. - Boccie
Since you are using JSON credentials, I understand that you require a JSON web token (JWT). In this link you can find all the steps for securing your app. Be aware this is valid for apps in a flexible environment. For a standard environment, you will have to use the approach indicated here (cloud.google.com/iap/docs/identity-howto#get_identity_gae), which involves using the Users API. - Embolus
What if I need to use a user account instead of a SA? - Dwinnell
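
The steps summarized in the answer above, as an added Python example (not code from this thread or from Google's samples). It assumes the `google-auth` and `requests` packages are installed; the URL, key path and client ID are placeholders, and the helper names are illustrative.

```python
"""Added example: call an IAP-protected URL with a service-account OIDC token."""
import base64
import json
import time


def fetch_iap_token(key_path, iap_client_id):
    """Mint an OIDC ID token whose audience is the IAP OAuth client ID."""
    # google-auth is imported lazily so the offline claim check below
    # can be used without the library installed.
    from google.auth.transport.requests import Request
    from google.oauth2 import service_account

    creds = service_account.IDTokenCredentials.from_service_account_file(
        key_path, target_audience=iap_client_id)
    creds.refresh(Request())  # exchanges a signed assertion for the ID token
    return creds.token


def unverified_claims(token):
    """Decode the JWT payload WITHOUT verifying it (client-side sanity check only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def iap_headers(token, iap_client_id, now=None):
    """Build the Authorization header; fail early on a wrong audience or expiry."""
    claims = unverified_claims(token)
    if claims.get("aud") != iap_client_id:
        raise ValueError("token audience is not the IAP client ID")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token has expired")
    return {"Authorization": "Bearer " + token}


def call_iap(url, key_path, iap_client_id):
    """Fetch a token and send an authenticated GET to the IAP-protected URL."""
    import requests
    token = fetch_iap_token(key_path, iap_client_id)
    return requests.get(url, headers=iap_headers(token, iap_client_id), timeout=30)


if __name__ == "__main__":
    # Placeholder values (assumptions): replace with your own.
    resp = call_iap("https://your-app.example.com/", "service-account.json",
                    "YOUR_IAP_CLIENT_ID.apps.googleusercontent.com")
    print(resp.status_code)
```

The audience check catches the common mistake of requesting the token for the application URL instead of the OAuth client ID; treat the downloaded JSON key as a secret and keep it out of source control.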
