Give IAP permission to App engine standard services

[David Pomeroy]

Hello,

I have 2 services deployed in the standard app engine. These services are both

python 3.8 django projects. They share data between each other via an API interface.

With my current IAP settings, service 1 is not authorised to make requests to service 2

due to the request header not having the correct token.

What is the best way to give permissions to the services within the same App engine so that they can send API requests to each other?

I thought they would have had the permissions granted if the app engine service account

has the role of IAP-secured web app user.

Do I need to create JWT authentication tokens within the API code in each service?

I have read this guide:

https://cloud.google.com/iap/docs/signed-headers-howto

Regards

David

[Fady (Google Cloud Platform)]

I think you got the correct idea. However I am not sure if the guide here about signed headers is useful. In terms of access control, the role "IAP-secured web app" user should be sufficient. I assume that your concern here is not about authorization (access control/IAM) with IAP  but about authenticating the service account with IAP.  For a user with a Google account this usually happens through the browser. However, using the service account from App Engine requires different methods. The easiest might be "Obtaining an OIDC token for the default service account" as explained in this article.  I hope this helps.