Upstream GCP Service Auth Policy

This policy adds a GCP-issued ID token to an outgoing request header, allowing the upstream service to be secured with GCP IAM. This is a useful means of securing your origin server so that only your Zuplo gateway can make requests against it.

We recommend reading the serviceAccountJson value from an environment variable (so the key is not checked in to source control) using the $env(ENV_VAR) syntax.

Using this policy allows you to delegate authentication and authorization to your gateway without writing any code on your origin service. For instructions on how to configure GCP service-to-service authentication, see Google's documentation.


"name": "my-upstream-gcp-service-auth-inbound-policy",
"policyType": "upstream-gcp-service-auth-inbound",
"handler": {
"export": "UpstreamGcpServiceAuthInboundPolicy",
"module": "$import(@zuplo/runtime)",
"options": {
"audience": "",
"serviceAccountJson": "$env(SERVICE_ACCOUNT_JSON)"
  • name: the name of your policy instance. This is used as a reference in your routes.
  • policyType: the identifier of the policy. This is used by the Zuplo UI. Value should be upstream-gcp-service-auth-inbound.
  • handler/export: the name of the exported type. Value should be UpstreamGcpServiceAuthInboundPolicy.
  • handler/module: the module containing the policy. Value should be $import(@zuplo/runtime).
  • handler/options: the options for this policy:
    • audience

      The audience for the service to be called. This is typically the URL of your service endpoint, like ''

    • serviceAccountJson

      The Google Service Account key in JSON format. Note that you can load this from an environment variable using the $env(ENV_VAR) syntax.

    • tokenRetries

      The number of times to retry fetching the token in the event of a failure. Defaults to 3.

    • expirationOffsetSeconds

      The number of seconds before the token's expiration at which the cached token is discarded and a fresh one is fetched. Defaults to 300 seconds.
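The two tuning options above, tokenRetries and expirationOffsetSeconds, describe caching and retry behaviour. The following is an added, self-contained illustration of that behaviour, written for this page; it is not Zuplo's runtime code and does not call Google's token endpoint. The minting call is a hypothetical `fetch` callable (in a real deployment it would use the service account key to obtain the ID token), the clock is injectable so the example runs offline, and the `Authorization: Bearer` header name is an assumption about how the token is presented upstream, not something the page states.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class TokenFetchError(Exception):
    """Raised when the token could not be fetched after all retries."""


@dataclass
class IdToken:
    value: str          # the signed ID token the gateway sends upstream
    expires_at: float   # absolute expiry time, seconds since the epoch


class CachedTokenSource:
    """Caches an ID token and refreshes it `expiration_offset_seconds` before it
    expires, retrying the fetch up to `token_retries` times on failure.

    Hypothetical illustration of the tokenRetries / expirationOffsetSeconds
    options; `fetch` stands in for the real call that mints a token.
    """

    def __init__(self, fetch: Callable[[], IdToken], token_retries: int = 3,
                 expiration_offset_seconds: int = 300,
                 clock: Callable[[], float] = time.time) -> None:
        self._fetch = fetch
        self._retries = token_retries
        self._offset = expiration_offset_seconds
        self._clock = clock
        self._cached: Optional[IdToken] = None
        self.fetch_count = 0  # successful minting calls, for observability

    def _is_fresh(self) -> bool:
        # Treat the token as expired `offset` seconds early, so a request never
        # leaves the gateway carrying a token that expires while in flight.
        return (self._cached is not None
                and self._clock() < self._cached.expires_at - self._offset)

    def get(self) -> str:
        if self._is_fresh():
            return self._cached.value
        last_error: Optional[Exception] = None
        # One initial attempt plus `token_retries` retries.
        for _ in range(self._retries + 1):
            try:
                self._cached = self._fetch()
                self.fetch_count += 1
                return self._cached.value
            except Exception as exc:  # transient transport failures
                last_error = exc
        raise TokenFetchError(
            f"token fetch failed after {self._retries} retries") from last_error


def authorization_header(source: CachedTokenSource) -> Dict[str, str]:
    """Header attached to the upstream request (assumed bearer-token form)."""
    return {"Authorization": f"Bearer {source.get()}"}


def demo() -> Dict[str, object]:
    """Constructed offline walk-through with a fake clock and a fake minting call."""
    now = [1_000_000.0]

    def fake_fetch() -> IdToken:
        # Constructed placeholder token valid for one hour; not a real JWT.
        return IdToken(value=f"fake-token-{int(now[0])}", expires_at=now[0] + 3600)

    src = CachedTokenSource(fake_fetch, token_retries=3,
                            expiration_offset_seconds=300, clock=lambda: now[0])
    first = src.get()
    now[0] += 3000   # 600 s of validity left, outside the 300 s offset: cached
    cached = src.get()
    now[0] += 400    # only 200 s left, inside the offset: refreshed early
    refreshed = src.get()
    return {"first": first, "cached": cached, "refreshed": refreshed,
            "fetches": src.fetch_count,
            "header": authorization_header(src)["Authorization"]}


if __name__ == "__main__":
    print(demo())
```

The offset matters because an upstream protected by IAM rejects an expired token outright; refreshing a few minutes early absorbs clock skew between the gateway and the verifier and avoids failing a request that was already in flight when the token lapsed. The retry loop only masks transient failures of the minting call; a persistently failing fetch surfaces as an error rather than an unauthenticated upstream request.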

Read more about how policies work