Policies

Upstream GCP Self-Signed JWT Policy

This policy adds a JWT token to the headers, ready for use in an outgoing request when calling a GCP service (e.g. Cloud Endpoints / ESPv2). We recommend reading the serviceAccountJson from environment variables (so it is not checked in to source control) using the $env(ENV_VAR) syntax.

CAUTION: This policy only works with certain Google APIs. In most cases, the Upstream GCP Service Auth should be used.

Configuration

The example below shows how to configure the policy in the 'policies.json' document.

{
  "name": "my-upstream-gcp-jwt-inbound-policy",
  "policyType": "upstream-gcp-jwt-inbound",
  "handler": {
    "export": "UpstreamGcpJwtInboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {
      "audience": "your_gcp_service.endpoint.com",
      "serviceAccountJson": "$env(SERVICE_ACCOUNT_JSON)"
    }
  }
}

Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

  • audience <string> (Required) -
    The audience for the minted JWT. See the document AuthRequirement for details.
  • serviceAccountJson <string> (Required) -
    The Google Service Account key in JSON format. Note you can load this from environment variables using the $env(ENV_VAR) syntax.

Using the Policy

Read more about how policies work
