Failed to authenticate to Cloud IAP Backend from Cloud Tasks HTTP Request
I'm trying to use Cloud Tasks HTTP Requests to reach a Kubernetes endpoint behind an HTTPS Load Balancer protected by Cloud IAP.
The endpoint works using any Gsuite company account as it should be but when the Cloud Task executes this is the Cloud Audit - Data Access log (only important parts displayed)
authenticationInfo: {
}
authorizationInfo: [
0: {
permission: "iap.webServiceVersions.accessViaIAP"
resource: "projects/<PROJECT_NUMBER>/iap_web/compute/services/<SERVICE_NUMBER>/versions/bs_0"
resourceAttributes: {
service: "iap.googleapis.com"
type: "iap.googleapis.com/WebServiceVersion"
}
}
]
status: {
code: 7
message: "PERMISSION_DENIED"
}
I'm using the compute-engine service account to create the task so I've granted this account the appropriate permissions:
When I create the task I add the appropriate OIDC service account email to the http request
'oidc_token': {'service_account_email': <PROJECT_NUMBER>[email protected]}}
I also checked the Cloud Tasks HTTP Request on another endpoint and the Authentication Bearer token is present.
I really don't have any idea at this point on how to make it work. Thanks for the help
I found the problem, the OIDC needed a specific audience to work with Cloud IAP.
The audience needed is the IAP ClientID that could be found in API & Services > Credentials under the section OAuth 2.0 client IDs with a name starting with IAP.
Just as an example here is the python code to add a task that can be granted access by the Cloud IAP.
# This is the important part, the audience filed is very important!
oidc_token = {'service_account_email': <PROJECT_NUMBER>[email protected], 'audience': <PROJECT_NUMBER>-<NUMBER_GENERATED_AUTOMATICALLY_BY_IAP>.apps.googleusercontent.com}
http_request = {'http_method': 'POST', 'url': url, 'body': json.dumps(payload).encode(), 'headers': headers, 'oidc_token': oidc_token}
task['schedule_time'] = timestamp
created_task = client.create_task(parent, {'http_request': http_request})