We've built several services using Cloud Run. Our goal is to build an internal CLI that allows our developers to make calls to these services. We're having trouble generating an id_token to use with the Identity-Aware Proxy that sits in front of our Cloud Run services.
According to the docs, making calls to your Cloud Run services can be accomplished by using gcloud and the gcloud auth print-identity-token command. This works great. This also avoids having to download and pass around service account credentials to our developers, as this method leverages your application default credentials.
We've tried implementing something to replicate this print-identity-token functionality in Go with no luck. The id_token generated returns 401s to all of our Cloud Run APIs. Example code for generating the token:
package main

import (
	"context"
	"fmt"
	"log"
	"golang.org/x/oauth2/google"
)

// GetIDToken fetches a token from Application Default Credentials and pulls the
// id_token out of the OAuth2 response. DefaultTokenSource takes scopes only; no audience is set here.
func GetIDToken() string {
	ctx := context.Background()
	tokenSource, err := google.DefaultTokenSource(ctx, "openid", "email")
	if err != nil {
		log.Fatal(err)
	}
	token, err := tokenSource.Token()
	if err != nil {
		log.Fatal(err)
	}
	// token.Extra returns nil when the response carried no id_token, which %v renders as "<nil>".
	return fmt.Sprintf("%v", token.Extra("id_token"))
}
This returns an id_token, but it doesn't work with the APIs. The scopes seem to be correct according to the docs.
This leaves us with two questions:
- Is this the correct approach for generating an ID token for the IAP?
- Is there a better way to implement the authentication for our developers to these internal APIs?
audience parameter you're providing is not the URL of the Cloud Run service. Also do you have gcloud present in your environment? Why are you trying to re-implement gcloud print-identity-token? – ahmet alp balkan
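As an added diagnostic example (this is not the asker's code and not an answer from the thread): the comment above points at the audience claim, and the fastest way to confirm that is the cause of a 401 is to decode the token you just minted and compare its aud to the service URL. The code below does exactly that decode, handling aud as either a string or an array, plus the issuer and expiry checks a proxy would also apply. The service URL, e-mail address and client ID are placeholders I made up, and the sample tokens are constructed with a junk signature purely to exercise the decoder offline; nothing here verifies a signature, so it is a troubleshooting aid, not a verifier.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Audience accepts the "aud" claim as either a JSON string or an array of
// strings, both of which RFC 7519 allows. Google ID tokens carry a string.
type Audience []string

func (a *Audience) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = Audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("aud is neither a string nor an array: %w", err)
	}
	*a = many
	return nil
}

// IDTokenClaims is the subset of Google ID token claims relevant to a 401.
type IDTokenClaims struct {
	Iss   string   `json:"iss"`
	Aud   Audience `json:"aud"`
	Email string   `json:"email"`
	Exp   int64    `json:"exp"`
}

// DecodeIDTokenClaims base64url-decodes the payload segment of a compact JWT.
// It does NOT verify the signature: it is a client-side diagnostic only.
func DecodeIDTokenClaims(raw string) (IDTokenClaims, error) {
	var c IDTokenClaims
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return c, errors.New("not a three-segment JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, fmt.Errorf("payload is not base64url: %w", err)
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, fmt.Errorf("payload is not JSON: %w", err)
	}
	return c, nil
}

// CheckIDTokenForService explains why a token will be refused for the Cloud Run
// service at serviceURL: wrong issuer, wrong audience, or already expired.
func CheckIDTokenForService(raw, serviceURL string, now time.Time) error {
	c, err := DecodeIDTokenClaims(raw)
	if err != nil {
		return err
	}
	if c.Iss != "https://accounts.google.com" && c.Iss != "accounts.google.com" {
		return fmt.Errorf("issuer %q is not Google", c.Iss)
	}
	audOK := false
	for _, a := range c.Aud {
		if a == serviceURL {
			audOK = true
		}
	}
	if !audOK {
		return fmt.Errorf("aud %v is not the service URL %s", []string(c.Aud), serviceURL)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return errors.New("token is expired")
	}
	return nil
}

// MakeUnsignedTestToken builds a JWT-shaped string with a placeholder signature
// so the decoder can be exercised offline. Constructed for this example only.
func MakeUnsignedTestToken(claims map[string]interface{}) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	payload, err := json.Marshal(claims)
	if err != nil {
		panic(err)
	}
	return header + "." + base64.RawURLEncoding.EncodeToString(payload) + ".sig"
}

func main() {
	const service = "https://my-service-abc123-uc.a.run.app" // hypothetical service URL
	now := time.Now()
	exp := now.Add(time.Hour).Unix()
	// Constructed token whose aud is an OAuth client ID rather than the service URL:
	// the mismatch the comment above describes.
	scopeOnly := MakeUnsignedTestToken(map[string]interface{}{
		"iss": "https://accounts.google.com", "aud": "1234.apps.googleusercontent.com",
		"email": "dev@example.com", "exp": exp})
	fmt.Println("scope-only token:", CheckIDTokenForService(scopeOnly, service, now))
	bound := MakeUnsignedTestToken(map[string]interface{}{
		"iss": "https://accounts.google.com", "aud": service, "email": "dev@example.com", "exp": exp})
	fmt.Println("audience-bound token:", CheckIDTokenForService(bound, service, now))
}
```

Run CheckIDTokenForService against the real string your CLI produces before sending it anywhere: if the aud it prints is an OAuth client ID instead of the service URL, no amount of scope tweaking will fix the 401, because the proxy compares aud to the service URL. For minting an audience-bound token from Go, the google.golang.org/api/idtoken package (idtoken.NewTokenSource(ctx, audience)) exists for service-account and metadata-server credentials, and google.golang.org/api/impersonate offers IDTokenSource for user ADC impersonating a service account; both need network access and real credentials, so they are mentioned here as options to evaluate rather than shown.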