How do I Generate a Bearer Token for cURL to Get Thru IAP (GCP)?

I need to cURL a web app hosted behind IAP on GCP.

Normally, users log in through IAP and use the web app, but I need to run some cURL commands (interactive and non-interactive) that hit the web app URLs (for example: https://myapp.com/get_pics/1)

I cannot figure out how to get a Bearer token from GCP that I can use in the authorization header for cURL.

I can set up a service account with "IAP Secured Web App User" role and I have the JSON key for this service account, but I am not sure where to go after that to get a proper Bearer token that IAP will accept.

I cannot figure out how to get a Bearer token from GCP that I can use in the authorization header for cURL.

According with the Google Public Documentation

If your application occupies the Authorization request header, you can include the ID token in a Proxy-Authorization: Bearer header instead. If a valid ID token is found in a Proxy-Authorization header, IAP authorizes the request with it. After authorizing the request, IAP passes the Authorization header to your application without processing the content.

If no valid ID token is found in the Proxy-Authorization header, IAP continues to process the Authorization header and strips the Proxy-Authorization header before passing the request to your application.

Bearer Token OIDC

This document also includes code samples to:

• Obtain an OIDC token for the default service account,
• Obtaining an OIDC token from a local service account key file
• Obtaining an OIDC token in all other cases.

And in this link you can find more information about Verify Bearer Token in GCP

Bearer Token Auth

After some research I found two pages that describe How to provide your service account authentication as a Bearer token and How to send Curl POST request with Bearer Token Authorization Header.

The first one is part of the Google Developers public documentation, and describes the process to obtain a Bearer token with your service account.

1. Install the gcloud command line tool.

2. Authenticate to your service account. In the following command, replace ${KEY_FILE} with the path to your service account key file:

   gcloud auth activate-service-account
   --key-file ${KEY_FILE}
   

3. Use your service account to obtain an authorization token:

   gcloud auth print-access-token 
   

   The command returns an access token value.

When you use the API, pass the token value as a Bearer token in an Authorization header. See the following example:

    curl -X GET -H "X-Goog-User-Project: ${CLIENT_PROJECT}" \  
    -H "Content-Type: application/json" \  
    -H "Authorization: Bearer ${TOKEN}" \ 
"https://sasportal.googleapis.com/v1alpha1/customers" 

Set ${CLIENT_PROJECT} to the ID of the Google Cloud Project from which you make the requests, and then set ${TOKEN} to the authorization token.

And in this link you will find information and examples about Curl Request With Bearer Token Authorization Header

For IAP you need to provide a OIDC identity token. You can use gcloud to create it for you, or use any other mean as described in Programmatic authentication.

I assume you have gcloud, so I'll show you how to use that:

1. Login using the service account

gcloud auth activate-service-account --key-file service-account-key.json

2. Send your request

curl -H "Authorization: Bearer $(gcloud auth print-identity-token --audiences="xxx.apps.googleusercontent.com")" https://myapp.com/get_pics/1

Make sure that you granted the service account the iap.httpsResourceAccessor-permission, or you'll still be denied.

• Bonus: Don't use service account key files. Impersonate a service account from your current user profile.

curl -H "Authorization: Bearer $(gcloud auth print-identity-token --include-email --audiences="xxx.apps.googleusercontent.com" --impersonate-service-account=service_account@project.iam.gserviceaccount.com)" https://myapp.com/get_pics/1