Good day,
I’ve been trying to access my Cloud Run instance via a global external load balancer secured with IAP. Without IAP, I am able to access it using my personal identity token that I obtain via gcloud. I made a service account and gave it IAM access to invoke that specific Cloud Run service. I then followed this documentation: https://cloud.google.com/iap/docs/authentication-howto#signing_the_jwt, using a service account credential JSON file. I altered the code a bit for it to compile (datetime to be a timestamp, and json.dump removed to keep it as a dict for the jwt.encode function).
I am now getting the following error code:
Invalid IAP credentials: An internal server error occurred while authorizing your request. Please reference
https://cloud.google.com/iap/docs/faq. Error code 61
The FAQ docs do not have that error listed anywhere (at least from what I can see). I am not sure where things are going south. Any assistance would be greatly appreciated!
Code used for reference:
import datetime
import json

import jwt  # PyJWT; RS256 signing also needs the 'cryptography' package installed


def generate_jwt_payload(service_account_email, resource_url):
    """Generates JWT payload for service account.

    The resource url provided must be the same as the url of the IAP secured resource.

    Args:
        service_account_email (str): Specifies service account JWT is created for.
        resource_url (str): Specifies scope of the JWT, the URL that the JWT will be allowed to access.

    Returns:
        A signed-jwt that can be used to access IAP protected applications.
        Access the application with the JWT in the Authorization Header.
        curl --verbose --header 'Authorization: Bearer SIGNED_JWT' URL
    """
    # Integer Unix timestamps: 'iat' is now, 'exp' one hour later
    iat = round(datetime.datetime.now().timestamp())
    exp = iat + 3600
    return {
        'iss': service_account_email,
        'sub': service_account_email,
        'aud': resource_url,
        'iat': iat,
        'exp': exp,
    }


def sign_jwt_with_key_file(credential_key_file_path, resource_url):
    """Signs JWT payload using local service account credential key file.

    Args:
        credential_key_file_path (str): Path to the downloaded JSON credentials of the service
            account the JWT is being created for.
        resource_url (str): Scope of JWT token, This is the url of the IAP protected application.

    Returns:
        A service account JWT created with a downloaded private key.
    """
    with open(credential_key_file_path, 'r') as credential_key_file:
        key_data = json.load(credential_key_file)

    # The downloaded key file carries the key id, the PEM private key and the SA email
    PRIVATE_KEY_ID_FROM_JSON = key_data["private_key_id"]
    PRIVATE_KEY_FROM_JSON = key_data["private_key"]
    SERVICE_ACCOUNT_EMAIL = key_data["client_email"]

    # Sign JWT with private key and store key id in the header
    additional_headers = {'kid': PRIVATE_KEY_ID_FROM_JSON}
    payload = generate_jwt_payload(service_account_email=SERVICE_ACCOUNT_EMAIL, resource_url=resource_url)
    signed_jwt = jwt.encode(
        payload=payload,
        key=PRIVATE_KEY_FROM_JSON,
        headers=additional_headers,
        algorithm='RS256'
    )
    return signed_jwt
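When a signed JWT is rejected, the first thing worth confirming locally is that the token actually carries the header and claims the code above is meant to produce (RS256, a kid, iss equal to sub, aud exactly equal to the resource URL, integer iat/exp one hour apart). The following is an added, standard-library-only inspector written for this thread; it is not the poster's code and not part of the Google documentation, it does not verify the signature, and it does not explain error code 61. It only decodes the two JSON segments and compares them against those expectations, so a mismatch (for example an aud that differs from the request URL by scheme, path or a trailing slash) shows up before the token is ever sent. The service account email, URL and key id in the sample are constructed placeholders.

```python
import base64
import json
import time

# Added example, not the poster's code. Stdlib only: it decodes a JWT's header
# and payload WITHOUT verifying the signature, so it is a local debugging aid
# for comparing what a token claims against what generate_jwt_payload() and
# sign_jwt_with_key_file() in the post are supposed to emit.

MAX_LIFETIME_SECONDS = 3600   # the posted code sets exp = iat + 3600
CLOCK_SKEW_SECONDS = 60       # tolerance for an 'iat' slightly in the future


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str):
    """Split a compact JWT and return (header, payload) as dicts.
    The third segment (the signature) is left untouched and NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWT must have three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def check_service_account_jwt(token: str, expected_aud: str, now=None):
    """Return a list of human-readable problems; an empty list means the
    header and claims match what the posted code is meant to produce."""
    now = int(time.time()) if now is None else now
    problems = []
    try:
        header, payload = decode_jwt_unverified(token)
    except ValueError as e:  # also covers binascii/JSON/unicode decode errors
        return ["token is not a decodable JWT: %s" % e]

    if header.get("alg") != "RS256":
        problems.append("header alg is %r, expected 'RS256'" % header.get("alg"))
    if not header.get("kid"):
        problems.append("header has no 'kid' (private_key_id from the JSON key file)")

    for claim in ("iss", "sub", "aud", "iat", "exp"):
        if claim not in payload:
            problems.append("payload is missing required claim %r" % claim)
    if problems:
        return problems  # cannot sensibly compare values that are absent

    if payload["iss"] != payload["sub"]:
        problems.append("iss and sub differ; both should be the service account email")
    if payload["aud"] != expected_aud:
        problems.append("aud %r != resource URL %r (must match exactly, including "
                        "scheme, host, path and any trailing slash)"
                        % (payload["aud"], expected_aud))
    iat, exp = payload["iat"], payload["exp"]
    if not (isinstance(iat, int) and isinstance(exp, int)):
        problems.append("iat/exp must be integer Unix timestamps, not strings or datetimes")
        return problems
    if iat > now + CLOCK_SKEW_SECONDS:
        problems.append("iat %d is in the future relative to now=%d" % (iat, now))
    if exp <= now:
        problems.append("token expired: exp %d <= now %d" % (exp, now))
    if exp - iat > MAX_LIFETIME_SECONDS:
        problems.append("lifetime %d s exceeds %d s" % (exp - iat, MAX_LIFETIME_SECONDS))
    return problems


def build_sample_jwt(payload: dict, kid="KEY_ID_PLACEHOLDER", alg="RS256"):
    """Build a *constructed* compact JWT for exercising the checker. The
    signature segment is a placeholder, not an RSA signature; never send
    such a token to IAP, it only serves to test the claim inspection."""
    header = {"alg": alg, "typ": "JWT", "kid": kid}

    def seg(obj):
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

    return seg(header) + "." + seg(payload) + "." + _b64url_encode(b"placeholder-signature")


if __name__ == "__main__":
    SA = "sa@example-project.iam.gserviceaccount.com"  # constructed placeholder
    URL = "https://app.example.com"                     # constructed placeholder
    now = int(time.time())
    good = build_sample_jwt({"iss": SA, "sub": SA, "aud": URL, "iat": now, "exp": now + 3600})
    print(check_service_account_jwt(good, URL))         # expected: []
    # same token checked against a URL that differs only by a trailing slash
    print(check_service_account_jwt(good, URL + "/"))
```

To inspect a real token produced by sign_jwt_with_key_file(), pass its output and the exact URL you are sending the request to into check_service_account_jwt(); an empty list means the claims look as intended and the problem lies elsewhere (key, IAM binding, IAP configuration), while any entry points at a concrete field to correct.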