
I need to cURL a web app hosted behind IAP on GCP.

Normally, users log in through IAP and use the web app, but I need to run some cURL commands (interactive and non-interactive) that hit the web app URLs (for example: https://myapp.com/get_pics/1)

I cannot figure out how to get a Bearer token from GCP that I can use in the authorization header for cURL.

I can set up a service account with "IAP Secured Web App User" role and I have the JSON key for this service account, but I am not sure where to go after that to get a proper Bearer token that IAP will accept.

sts
  • I think that this information about [generating the authentication](https://cloud.google.com/iap/docs/programmatic-oauth-clients#service_accounts_and_gcloud) can be useful. – Nadia Espinosa Oct 15 '21 at 20:35
  • @NadiaEspinosa - Your link is for creating an Access Token. In this question, an Identity Token is required. – John Hanley Oct 15 '21 at 21:32
  • 1
    In your case, you need an OIDC Identity Token. Is the identity a user or service account? While developing use the CLI to generate this token: **gcloud auth print-identity-token** https://cloud.google.com/sdk/gcloud/reference/auth/print-identity-token Also specify the services that you are using. There is a parameter for **aud** (--audiences) which is the URL for the service. Tip: use Python instead of Curl. You will have a much easier time creating OAuth/OIDC tokens. – John Hanley Oct 15 '21 at 21:36
  • The identity is a service account. The token is for an iOS client hitting a REST API behind IAP. Short lived tokens are a bummer since it's just testing against an IAP protected API. Python isn't much help. It's a use case GCP hasn't considered. The developer is third party so we're not giving gcloud to them ergo the service account idea. – sts Oct 16 '21 at 21:22
  • @sts Since this case has been open for 3 months now, I would like to know if you found a way to solve your issue. – Ismael Clemente Aguirre Jan 14 '22 at 17:16
  • Nope. We punted. – sts Jan 15 '22 at 18:09

2 Answers


> I cannot figure out how to get a Bearer token from GCP that I can use in the authorization header for cURL.

According to the Google public documentation:

If your application occupies the Authorization request header, you can include the ID token in a Proxy-Authorization: Bearer header instead. If a valid ID token is found in a Proxy-Authorization header, IAP authorizes the request with it. After authorizing the request, IAP passes the Authorization header to your application without processing the content.

If no valid ID token is found in the Proxy-Authorization header, IAP continues to process the Authorization header and strips the Proxy-Authorization header before passing the request to your application.

Bearer Token OIDC

This document also includes code samples to:

And in this link you can find more information about Verify Bearer Token in GCP

Bearer Token Auth

After some research I found two pages that describe How to provide your service account authentication as a Bearer token and How to send Curl POST request with Bearer Token Authorization Header.

The first one is part of the Google Developers public documentation, and describes the process to obtain a Bearer token with your service account.

  1. Install the gcloud command line tool.

  2. Authenticate to your service account. In the following command, replace ${KEY_FILE} with the path to your service account key file:

    gcloud auth activate-service-account --key-file ${KEY_FILE}

  3. Use your service account to obtain an authorization token:

    gcloud auth print-access-token

    The command returns an access token value.

When you use the API, pass the token value as a Bearer token in an Authorization header. See the following example:

    curl -X GET -H "X-Goog-User-Project: ${CLIENT_PROJECT}" \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer ${TOKEN}" \
      "https://sasportal.googleapis.com/v1alpha1/customers"

Set ${CLIENT_PROJECT} to the ID of the Google Cloud Project from which you make the requests, and then set ${TOKEN} to the authorization token.

And in this link you will find information and examples about Curl Request With Bearer Token Authorization Header.

---

For IAP you need to provide an OIDC identity token. You can use gcloud to create it for you, or use any other means as described in Programmatic authentication.

I assume you have gcloud, so I'll show you how to use that:

  1. Login using the service account

    gcloud auth activate-service-account --key-file service-account-key.json

  2. Send your request

    curl -H "Authorization: Bearer $(gcloud auth print-identity-token --audiences="xxx.apps.googleusercontent.com")" https://myapp.com/get_pics/1

Make sure that you granted the service account the iap.httpsResourceAccessor permission, or you'll still be denied.

  • Bonus: Don't use service account key files. Impersonate a service account from your current user profile.

    curl -H "Authorization: Bearer $(gcloud auth print-identity-token --include-email --audiences="xxx.apps.googleusercontent.com" --impersonate-service-account=service_account@project.iam.gserviceaccount.com)" https://myapp.com/get_pics/1
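An added pre-flight check, not part of either answer, for the token before it goes into the Authorization header: it decodes the JWT payload (without verifying the signature, which IAP does server-side) and reports the causes of a 401 this thread touches on, namely an access token where an identity token is needed, a token minted for the wrong --audiences value, an expired token, or a missing email claim (the reason the impersonation command above passes --include-email). The client id and the service account e-mail are constructed placeholders; the code uses only the standard library.

```python
import base64
import json
import time
from typing import List, Optional

# Constructed placeholder for the IAP OAuth client id passed to --audiences.
IAP_CLIENT_ID = "xxx.apps.googleusercontent.com"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Payload claims of a JWT. The signature is deliberately NOT verified here:
    IAP verifies it server-side; this check only explains client-side 401s."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: an OAuth access token (ya29...) is opaque "
                         "and IAP will not accept it; mint an identity token")
    return json.loads(_b64url_decode(parts[1]))


def check_identity_token(token: str, audience: str,
                         now: Optional[float] = None) -> List[str]:
    """Return the problems found; an empty list means the token looks usable."""
    now = time.time() if now is None else now
    try:
        claims = decode_jwt_claims(token)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if claims.get("iss") != "https://accounts.google.com":
        problems.append(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("aud") != audience:
        problems.append(f"audience mismatch: token aud={claims.get('aud')!r}, "
                        f"expected IAP client id {audience!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired: identity tokens are short-lived, mint a fresh one")
    if "email" not in claims:
        problems.append("no email claim: IAP identifies the caller by e-mail "
                        "(use --include-email when impersonating)")
    return problems


def make_unsigned_demo_token(claims: dict) -> str:
    """Constructed, UNSIGNED token for offline demonstration only."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.not-a-real-signature"
```

Run `check_identity_token("$(gcloud auth print-identity-token --audiences=...)", IAP_CLIENT_ID)` on a real token and fix whatever it lists before reaching for curl.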