来自服务帐户 OIDC 令牌的 IAP:401 Unauthorized
[英]IAP from Service account OIDC Token : 401 Unauthorized
问题描述
Hello , in a sh script i try to call an api in App Engine Standard (with a POST) behind an IAP.
您好,在 sh 脚本中,我尝试在 IAP 后面的 App Engine Standard(带有 POST)中调用 api。 I use a service account who have the "IAP-secured Web App user" permission.我使用具有“IAP-secured Web App 用户”权限的服务帐户。 The service account is from an another account that the IAP.服务帐户来自 IAP 的另一个帐户。
I first generate an OpenId connect:我首先生成一个 OpenId 连接:
OIDC_token_response=$(curl -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer "$(gcloud auth print-access-token) \
-H "Accept: application/json" \
--data '{"audience":"{CLIENT_ID_IAP","includeEmail":true}' \
-s --write-out "HTTP_CODE:%{http_code}" \
https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${MY_SERVICE_ACCOUNT:generateIdToken)
Then i use the token:然后我使用令牌:
api_response=$(curl -X POST -H "Authorization: Bearer "${OIDC_token} -s --write-out "HTTP_CODE:%{http_code}" https://{MY-APP}.appspot.com/my-api/)
The answer is:答案是:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>401 Unauthorized</title>
<h1>Unauthorized</h1>
<p>Unauthorized</p>
HTTP_CODE:401
Any idea?任何想法?
Regards问候
1 个解决方案
解决方案1
0 2020-12-14 16:47:20
The error was not at the IAP Level: the 401 error was returned by the app engine application.错误不在 IAP 级别:应用引擎应用程序返回 401 错误。 The IAP connection is OK. IAP 连接正常。 Sorry for this post.对不起这篇文章。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.