I have an AppEngine application that is behind an IAP (identity-aware proxy), so it receives requests that are authenticated and include a JWT token. From the AppEngine application I want to make a request to the Google Sheets API. That also requires an authenticated connection, but given that I want that connection to be made under the same user that accessed the application via the IAP, does anyone know how to create a request from inside the AppEngine application that will forward the token to Google Sheets? Cannot find any information on the subject... I am using Java, so any Java pointers would be appreciated, but general/other language help is good too
Forwarding OAuth 2 credentials from an authenticated request (in GCP specifically)
Asked by fedmest
There is 1 answer
I will describe the 2 approaches proposed in the comment.
This second approach is the best one (don't forget to correctly log the user request and the subsequent Sheets API calls in your App Engine app to have end-to-end traceability). BUT, and this is why you ask this question, it's impossible with the App Engine default service account.
In fact, to access the Sheets API, you need to scope your access token with the Sheets API. Sadly, you can't do this with App Engine. You can do this with Cloud Run, Cloud Functions, Compute Engine (without the default service account; otherwise you need an extra config to achieve this with the Compute Engine default service account). But not with App Engine.
So, you have 2 solutions:
Note: later in 2021, App Engine should be able to accept custom service accounts, and thus the issue should be solved.
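The traceability advice in the answer above, sketched as an added example that is not part of the original answer: when a service account makes the Sheets call, the application's own logs are what tie that call back to the IAP user. It assumes the IAP JWT was already verified (signature, audience, issuer) and its `email` and `sub` claims extracted; the project ID, spreadsheet ID, event names and function names are hypothetical.

```python
import json
import re

# App Engine's X-Cloud-Trace-Context header: "TRACE_ID/SPAN_ID;o=OPTIONS"
_TRACE_RE = re.compile(r"^([0-9a-f]{32})(?:/\d+)?")


def trace_resource(project_id, trace_header):
    """Return the Cloud Logging trace name, or None if the header is absent or malformed."""
    m = _TRACE_RE.match(trace_header or "")
    return f"projects/{project_id}/traces/{m.group(1)}" if m else None


def audit_entry(project_id, headers, iap_claims, event, **details):
    """Build one structured log line naming the IAP user behind an action.

    iap_claims must come from an IAP JWT whose signature, audience and
    issuer were already verified (assumption of this example).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    entry = {
        "severity": "NOTICE",
        "message": event,
        "end_user": {"email": iap_claims["email"], "sub": iap_claims["sub"]},
        "details": details,
    }
    trace = trace_resource(project_id, lowered.get("x-cloud-trace-context"))
    if trace:
        entry["logging.googleapis.com/trace"] = trace
    return json.dumps(entry, sort_keys=True)


def trace_request(project_id, headers, iap_claims, spreadsheet_id, cell_range):
    """Log lines for the inbound request and the Sheets call made on its behalf."""
    return [
        audit_entry(project_id, headers, iap_claims, "iap_request_received"),
        audit_entry(project_id, headers, iap_claims, "sheets_api_call",
                    caller="service-account", method="spreadsheets.values.get",
                    spreadsheet_id=spreadsheet_id, range=cell_range),
    ]


# Constructed sample input (not real identifiers).
SAMPLE_HEADERS = {"X-Cloud-Trace-Context": "105445aa7843bc8bf206b12000100000/1;o=1"}
SAMPLE_CLAIMS = {"email": "alice@example.com", "sub": "accounts.google.com:1234567890"}

if __name__ == "__main__":
    for line in trace_request("demo-project", SAMPLE_HEADERS, SAMPLE_CLAIMS,
                              "SPREADSHEET_ID_PLACEHOLDER", "Sheet1!A1:B2"):
        print(line)
```

Both entries carry the same trace name and end-user identity, so a log query on either field returns the user's request together with the service-account call made for it.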