Tags: google-cloud-platform, oauth-2.0, api-gateway, google-cloud-api-gateway

Application type users authenticating to GCP


I'm looking for a standard OAuth 2.0 approach for service-type users authenticating to APIs hosted in a GCP environment with secrets. The closest I got is service accounts with key pairs.

However I would like to avoid updating ESP config each time a new service account is added (like in the example below).

securityDefinitions:
  service-1:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "[email protected]"
    x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/[email protected]"
  service-2:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "[email protected]"
    x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/[email protected]"

  # It should be possible to leave the addition of service-X to the end client without needing to update this.

EDIT: I've tried using Identity Platform, and the ESP config won't need updating when new users are added:

securityDefinitions:
  auth0:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://securetoken.google.com/{google-project-ID}"
    x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/[email protected]"
    x-google-audiences: "{google-project-ID}"

However, email/password is not an option in my case, and GCP Identity Platform doesn't seem to support users with secrets, unless I'm missing something?

It would also be good to have the possibility to add custom claims to users, which would remove the need to maintain a permissions table within the API code.

Apigee has all the required functionality, but it seems to be an expensive over-complication for my project's needs.


Solution

  • The Identity-Aware Proxy provides the functionality for my use case. When adding the service account, just set the IAP-secured Web App User role and it will have access to the secured resource. Google doc here

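The client side of the IAP approach from the answer, as an added example that is not part of the original question or answer. It assumes the service account already holds the IAP-secured Web App User role (roles/iap.httpsResourceAccessor) on the resource; IAP_CLIENT_ID and API_URL are placeholders, token minting uses the google-auth library, and the claim checks run offline.

```python
# Added example, not code from the question or the answer: the client side of
# the IAP solution. A service account holding roles/iap.httpsResourceAccessor
# ("IAP-secured Web App User") calls the protected API with a Google-signed
# OIDC ID token whose aud is the IAP OAuth client ID. The two constants below
# are hypothetical placeholders.
import base64
import json
import time
import urllib.request

IAP_CLIENT_ID = "REPLACE-WITH-IAP-OAUTH-CLIENT-ID.apps.googleusercontent.com"
API_URL = "https://api.example.com/v1/resource"
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")


def fetch_iap_id_token(audience):
    # Mint an ID token from the ambient service-account credentials
    # (GOOGLE_APPLICATION_CREDENTIALS or the metadata server). Network call;
    # google-auth is imported lazily so the checks below run offline.
    from google.auth.transport.requests import Request
    from google.oauth2 import id_token
    return id_token.fetch_id_token(Request(), audience)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(jwt):
    # Decode the payload only; IAP verifies Google's signature server-side.
    header, payload, _signature = jwt.split(".")
    if json.loads(_b64url_decode(header)).get("alg") == "none":
        raise ValueError("unsigned token")
    return json.loads(_b64url_decode(payload))


def token_usable_for(claims, audience, now=None):
    # Pre-flight check: Google issuer, exact aud match, not expired. Catches the
    # common mistake of minting the token for the wrong client ID.
    now = time.time() if now is None else now
    return (claims.get("iss") in GOOGLE_ISSUERS
            and claims.get("aud") == audience
            and claims.get("exp", 0) > now)


def call_iap_resource(url=API_URL, audience=IAP_CLIENT_ID):
    token = fetch_iap_id_token(audience)
    if not token_usable_for(unverified_claims(token), audience):
        raise RuntimeError("ID token is not valid for the IAP audience")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.read()
```

Granting a new service account access is then an IAM binding on the IAP resource, with no ESP securityDefinitions change per account.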