These samples are used on the following documentation pages:
- https://cloud.google.com/iap/docs/authentication-howto
- https://cloud.google.com/iap/docs/signed-headers-howto
- Add the contents of this directory's
requirements.txtfile to the one inside your application. - Copy
make_iap_request.pyinto your application.
- Follow the instructions
in
Installing a third-party library to
install the
google-authandrequestslibraries into your application. - Copy
make_iap_request.pyinto the same folder as app.yaml .
- Click here to visit Google Cloud Platform Console and enable the IAM API on your project.
- Create a VM with the IAM scope:
gcloud compute instances create INSTANCE_NAME --scopes=https://www.googleapis.com/auth/iam - Give your VM's default service account the
Service Account Actorrole:gcloud projects add-iam-policy-binding PROJECT_ID --role=roles/iam.serviceAccountActor --member=serviceAccount:SERVICE_ACCOUNT - Install the libraries listed in
requirements.txt, e.g. by running:virtualenv/bin/pip install -r requirements.txt - Copy
make_iap_request.pyinto your application.
- Create a service account and download its private key. See https://cloud.google.com/iam/docs/creating-managing-service-account-keys for more information on how to do this.
- Set the environment variable
GOOGLE_APPLICATION_CREDENTIALSto the path to your service account's.jsonfile. - Install the libraries listed in
requirements.txt, e.g. by running:virtualenv/bin/pip install -r requirements.txt - Copy
make_iap_request.pyinto your application.
If you prefer to manage service account credentials manually, this method can also be used in the App Engine flexible environment, Compute Engine, and Kubernetes Engine. Note that this may be less secure, as anyone who obtains the service account private key can impersonate that account!
- Install the libraries listed in
requirements.txt, e.g. by running:virtualenv/bin/pip install -r requirements.txt - Copy
validate_jwt.pyinto your application.
Ensure that you are in the correct working directory: (/python-docs-samples/iap):
-
Install the libraries listed in
/python-docs-samples/iap/requirements.txt, e.g. by running:virtualenv/bin/pip install -r requirements.txt -
Call
sign_jwtin the python file. This example would create a JWT for the service account email@gmail.com to access the IAP protected application hosted at https://example.com.sign_jwt("email@gmail.com", "https://example.com") -
Use the result of the call to access your IAP protected resource programmatically:
curl --verbose --header 'Authorization: Bearer SIGNED_JWT' "https://example.com"
-
Install the libraries listed in
/python-docs-samples/iap/requirements.txt, e.g. by running:virtualenv/bin/pip install -r requirements.txt -
Create a service account and download its private key. See https://cloud.google.com/iam/docs/creating-managing-service-account-keys for more information on how to do this.
-
Call
sign_jwt_with_local_credentials_file, using the downloaded local credentials for the service account.sign_jwt_with_local_credentials_file("path/to/key/file.json", "https://example.com") -
Use the result of the call to access your IAP protected resource programmatically:
curl --verbose --header 'Authorization: Bearer SIGNED_JWT' "https://example.com"
- Deploy
app_engine_appto a project. - Enable Identity-Aware Proxy on that project's App Engine app.
- Add the service account you'll be running the test as to the Identity-Aware Proxy access list for the project.
- Update iap_test.py with the hostname for your project.
- Run the command:
GOOGLE_CLOUD_PROJECT=project-id pytest iap_test.py