How to curl to an Identity Aware Proxy protected service

on
Dec 06, 2021
in

When you have a web service behind an Identity Aware Proxy (IAP) it is pretty hard to access it via curl on the command line. In this tiny blog I will show you how you can do it.

To curl to a web service behind an Identity Aware Proxy use the following command:

OAUTH_CLIENT_ID=1234567890-j9onig1ofcgle7iogv8fceu04v8hriuv.apps.googleusercontent.com
AUTHORIZED_SA=iap-accessor@my-project.iam.gserviceaccount.com
URL=https://your-iap-protected-endpoint

ID_TOKEN=$(
   gcloud auth print-identity-token \
   --audiences  $OAUTH_CLIENT_ID \
   --include-email \
   --impersonate-service-account $AUTHORIZED_SA
)
curl --header "Authorization: Bearer $ID_TOKEN"  $URL

That is all there is to it.

It is clear that you need the role service account token creator on the service account. In turn, this service account is granted the role of https resource accessor on the back-end service.

conclusion

Through service account impersonation, you can create an id token to access an Identity Aware Proxy protected service. It would be nice, if users could directly generate the required Id token, but you cannot.

Mark van Holsteijn is a senior software systems architect, and CTO of binx.io. He is passionate about removing waste in the software delivery process and keeping things clear and simple.
Share this article: Tweet this post / Post on LinkedIn