These samples are used on the following documentation pages:
- https://cloud.google.com/iap/docs/authentication-howto
- https://cloud.google.com/iap/docs/signed-headers-howto

- Add the contents of this directory's `requirements.txt` file to the one inside your application.
- Copy `make_iap_request.py` into your application.

- Follow the instructions in Installing a third-party library to install the `google-auth` and `requests` libraries into your application.
- Copy `make_iap_request.py` into the same folder as `app.yaml`.

- Enable the IAM API on your project.
- Create a VM with the IAM scope: `gcloud compute instances create INSTANCE_NAME --scopes=https://www.googleapis.com/auth/iam`
- Give your VM's default service account the Service Account Actor role: `gcloud projects add-iam-policy-binding PROJECT_ID --role=roles/iam.serviceAccountActor --member=serviceAccount:SERVICE_ACCOUNT`
- Install the libraries listed in `requirements.txt`, e.g. by running: `virtualenv/bin/pip install -r requirements.txt`
- Copy `make_iap_request.py` into your application.

- Create a service account and download its private key. See https://cloud.google.com/iam/docs/creating-managing-service-account-keys for more information on how to do this.
- Set the environment variable `GOOGLE_APPLICATION_CREDENTIALS` to the path to your service account's `.json` file.
- Install the libraries listed in `requirements.txt`, e.g. by running: `virtualenv/bin/pip install -r requirements.txt`
- Copy `make_iap_request.py` into your application.

If you prefer to manage service account credentials manually, this method can also be used in the App Engine flexible environment, Compute Engine, and Container Engine. Note that this may be less secure, as anyone who obtains the service account private key can impersonate that account!
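
Because the downloaded key is the whole credential, it is worth checking how the file is stored before pointing `GOOGLE_APPLICATION_CREDENTIALS` at it. The following is an added example, not part of these samples; the function names and the sample key contents are hypothetical, and it assumes a POSIX file system.

```python
import json
import os
import stat


def audit_key_file(path):
    """Return a list of findings for a service account key file (empty = OK)."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    # Any group/other bit lets other local users read or replace the key.
    if mode & 0o077:
        findings.append("mode %o grants group/other access; use 0600" % mode)
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append("file is not owned by the current user")
    try:
        with open(path) as f:
            key = json.load(f)
    except ValueError:
        return findings + ["not valid JSON"]
    if not isinstance(key, dict) or key.get("type") != "service_account":
        return findings + ["not a service account key (type != service_account)"]
    for field in ("client_email", "private_key_id", "private_key"):
        if not key.get(field):
            findings.append("missing field: " + field)
    return findings


def audit_environment(environ=os.environ):
    """Audit the file named by GOOGLE_APPLICATION_CREDENTIALS."""
    path = environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if not path:
        return ["GOOGLE_APPLICATION_CREDENTIALS is not set"]
    if not os.path.isfile(path):
        return ["GOOGLE_APPLICATION_CREDENTIALS does not point to a file"]
    return audit_key_file(path)


def write_sample_key(directory, mode):
    """Write a constructed key file with placeholder values (not a real key)."""
    path = os.path.join(directory, "sample-key.json")
    with open(path, "w") as f:
        json.dump({"type": "service_account",
                   "client_email": "sa@example-project.iam.gserviceaccount.com",
                   "private_key_id": "constructed-key-id",
                   "private_key": "PLACEHOLDER"}, f)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for finding in audit_environment() or ["no findings"]:
        print(finding)
```
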

`validate_jwt` is not compatible with App Engine standard environment; use App Engine's Users API instead. (See `app_engine_app` for an example of how to do this.)

For all other environments:
- Install the libraries listed in `requirements.txt`, e.g. by running: `virtualenv/bin/pip install -r requirements.txt`
- Copy `validate_jwt.py` into your application.

- Deploy `app_engine_app` to a project.
- Enable Identity-Aware Proxy on that project's App Engine app.
- Add the service account you'll be running the test as to the Identity-Aware Proxy access list for the project.
- Update `iap_test.py` with the hostname for your project.
- Run the command: `GOOGLE_CLOUD_PROJECT=project-id pytest iap_test.py`