iapclient is a library to facilitate programmatic service-account authentication to endpoints protected by Google Cloud Platform's Identity Aware Proxy
See the ./examples directory for how to use this.
Before using:
- Set permissions "appropriately"
- roles/iam.serviceAccountTokenCreator on the Service Account's own Service Account (yes, really - it's required for signBlob to work)
- roles/iap.httpsResourceAccessor on the target project where the IAP-protected resource is
- Collect the target URI and Client ID
In summary, iapclient.NewIAP
returns an http.RoundTripper
that can be set
as your http.Client
's transport:
iap, err := iapclient.NewIAP("client-id", nil)
if err != nil {
log.Fatalf("Failed to create new IAP object: %v", err)
}
httpClient := &http.Client{
Transport: iap,
}
req, err := http.NewRequest("GET", "some uri", nil)
...
IAP-protected resources use a weird OAuth flow that's extremely fluid for web-browser based human clients, but quite awkward to authenticate to as a service account.
The upstream documentation for this process is Authentication Howto
The high-level summary is:
- Create a custom JWT with fields
exp
- Epoch time 1 hour in the futureaud
-https://www.googleapis.com/oauth2/v4/token
iss
- Service Account email (get from JSON or metadata service)iat
- Current epoch timetarget_audience
- IAP OAuth ClientID (must be gotten manually)
- Use the projects.serviceAccounts.signJwt method to have Google sign the JWT as your service account. This is done instead of using the private key because Application Default Authentication does not have the private key unless a JSON file is in use, and implementing both seemed silly.
- Do a POST to the OAuth Token URI (
https://www.googleapis.com/oauth2/v4/token
) Body should have the following fields:assertion
- the signed JWT gotten back fromsignJwt
grant_type
-urn:ietf:params:oauth:grant-type:jwt-bearer
- Use the returned string for authentication by adding
Authorization: Bearer <string>
to the IAP-directed request