Upstream GCP Service Auth
This policy lets you delegate authentication and authorization to your gateway without writing any code on your origin service: the policy adds a GCP-issued ID token to the outgoing request headers, so the origin can be secured with GCP IAM. This is a useful way of locking down your origin server so that only your Zuplo gateway can make requests against it.
We recommend reading the serviceAccountJson from environment variables (so it is not checked in to source control) using the
The configuration shows how to configure the policy in the 'policies.json' document.
Using the Policy
This policy requires a Google Service Account and key that will be used to identify the Zuplo API Gateway. Once this policy is configured you will need to configure your GCP backend to only accept authenticated requests.
Create the GCP Service Account
The first thing you will need to do to use this policy is create a service account. You should create a unique service account for your Zuplo Gateway (i.e.
Give the account permission to call any services you want to proxy with Zuplo.
Next, create a Service Account key (using the JSON format). A JSON file will download.
Next, in your Zuplo project, set the SERVICE_ACCOUNT_JSON environment variable as a secret with the value of the downloaded JSON document.
The service account key you downloaded is a JSON file. Before you save it to Zuplo's environment variables, you must remove all line breaks and all instances of the \n escape character. The JSON should be a single line.
Configure the Policy
When using this policy, you need to set the audience to the appropriate value for the service you are calling.
For backends secured with Identity-Aware Proxy, the value for audience should be the Client ID of your OAuth application.
For backends using Cloud Run IAM, the value for audience should be the full URL of the Cloud Run instance.
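The two hands-on steps above (flattening the downloaded key file to a single line, and writing the policies.json entry with the right audience) are easy to get subtly wrong, so here is an added Python example that does both. It is not part of the Zuplo documentation or runtime. The key file it uses is a constructed sample, not a real key; the policyType and handler export names in policy_entry are an assumption about how this policy is named in a Zuplo project (check your project's policy reference), while the $env(...) and $import(...) forms are Zuplo's standard policies.json syntax.

```python
import json

# Constructed sample of a downloaded GCP service-account key file (NOT a real key).
# The private_key value is multi-line PEM, which the file stores with "\n" escapes.
SAMPLE_KEY_FILE = """{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "0123456789abcdef",
  "private_key": "-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASC\\nBKcwggSjAgEAAoIBAQC7\\n-----END PRIVATE KEY-----\\n",
  "client_email": "zuplo-gateway@example-project.iam.gserviceaccount.com",
  "client_id": "123456789012345678901",
  "token_uri": "https://oauth2.googleapis.com/token"
}
"""

# Fields the gateway needs to mint an ID token from the service account.
REQUIRED_FIELDS = ("type", "project_id", "private_key", "client_email", "token_uri")


def normalize_service_account_json(raw: str) -> str:
    """Validate a service-account key file and return it as one line.

    The result contains no line breaks and no "\\n" escape sequences, which is
    the form the page says to store in the SERVICE_ACCOUNT_JSON secret.
    """
    data = json.loads(raw)
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        raise ValueError(f"service account JSON is missing fields: {missing}")
    if data["type"] != "service_account":
        raise ValueError(f'expected type "service_account", got {data["type"]!r}')
    # Drop the PEM line breaks as the instructions require; the base64 key
    # material itself is unchanged.
    data["private_key"] = data["private_key"].replace("\r", "").replace("\n", "")
    # Compact separators so json.dumps adds no spaces after ',' and ':'.
    single_line = json.dumps(data, separators=(",", ":"))
    if "\n" in single_line or "\\n" in single_line:
        raise ValueError("a field other than private_key still contains a line break")
    return single_line


def check_secret_value(value: str) -> dict:
    """Re-parse a prepared secret value and confirm the single-line invariants.

    Run this on the exact string you are about to paste into the environment
    variable; it returns the parsed document so callers can inspect fields.
    """
    if "\n" in value or "\\n" in value:
        raise ValueError("secret value still contains line breaks or \\n escapes")
    data = json.loads(value)
    if not data.get("private_key", "").startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM private key")
    return data


def policy_entry(name: str, audience: str, env_var: str = "SERVICE_ACCOUNT_JSON") -> dict:
    """Build the policies.json entry for this policy.

    audience must match the backend: the OAuth Client ID for an
    Identity-Aware Proxy backend, or the full Cloud Run service URL for
    a Cloud Run IAM backend.
    ASSUMPTION: the policyType and handler export names below are what the
    Zuplo policy reference uses for this policy; verify them in your project.
    """
    return {
        "name": name,
        "policyType": "upstream-gcp-service-auth-inbound",
        "handler": {
            "export": "UpstreamGcpServiceAuthInboundPolicy",
            "module": "$import(@zuplo/runtime)",
            "options": {
                # Reference the secret rather than pasting the key into source control.
                "serviceAccountJson": f"$env({env_var})",
                "audience": audience,
            },
        },
    }


if __name__ == "__main__":
    secret = normalize_service_account_json(SAMPLE_KEY_FILE)
    check_secret_value(secret)
    print(secret)
    # Cloud Run IAM backend: audience is the service URL (constructed example value).
    print(json.dumps(policy_entry("gcp-auth", "https://my-service-abc123-uc.a.run.app"), indent=2))
```

Run it against the real key file instead of SAMPLE_KEY_FILE by reading the file into normalize_service_account_json; paste its output as the secret value, then run check_secret_value on the stored value to confirm nothing reintroduced a line break.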
Read more about how policies work