I am not sure how you set up your use case, but I would recommend 
following these two tutorials [1][2]. 
The target audience of the JWT has to be the OAuth2 client ID from the IAP.


---------------
[1]. https://www.qwiklabs.com/focuses/5562?parent=catalog
[2]. https://dzone.com/articles/api-authentication-with-gcp-identity-aware-proxy 



On Tuesday, March 24, 2020 at 7:29:58 PM UTC+1, Sergii Diukarev wrote:
>
> I did all the steps which you provided but I am still getting the error
>
> Invalid IAP credentials: JWT audience doesn't match this application 
> ('aud' claim (11115940511.apps.googleusercontent.com) doesn't match 
> expected value (
> 1111111166074-l111173bufqva1111111p0t76pfkam5.apps.googleusercontent.com))
>
> do you have any clue what that can be?
>
> On Tuesday, March 24, 2020 at 2:55:47 PM UTC+2, vladoi wrote:
>>
>>
>> Hi, 
>> According to the official documentation :
>>
>> "
>> allUsers
>> The value allUsers is a special identifier that represents anyone who is 
>> on the internet, including authenticated and unauthenticated users." [1]
>> Also when you will add "allUsers" the following warning will be posted:
>> "Adding allUsers or allAuthenticatedUsers to this resource will make it 
>> publicly accessible to anyone on the internet. If this resource contains 
>> data that should not be made public to everyone, cancel this action to 
>> prevent public access."
>>
>>
>> I would suggest removing the allUsers member from IAP if you would like 
>> to have a restricted App Engine service. 
>> One possible solution would be to create a service account [2], create a 
>> "key.json" file [3] and download it to your local computer, set the default 
>> credentials [4], add the service account as a member to IAP and select a 
>> role, and then call the App Engine service with the command you have 
>> provided.
>>
>> curl https://my-private-service-dot-project-tst-01.appspot.com/920/250314/ \
>>   -H "Authorization: Bearer $(gcloud --project=hatsa-tst-01 auth print-identity-token)"
>>
>>
>> ---------
>> [1]. https://cloud.google.com/iam/docs/overview
>> [2]. https://cloud.google.com/iam/docs/creating-managing-service-accounts
>> [3]. https://cloud.google.com/iam/docs/creating-managing-service-account-keys#iam-service-account-keys-create-gcloud
>> [4]. https://cloud.google.com/docs/authentication/production
>>
>> On Monday, March 23, 2020 at 11:41:22 PM UTC+1, Sergii Diukarev wrote:
>>>
>>> Thank you. You were right!
>>>
>>> I enabled IAP and provided access to all my public services with 
>>> `allUsers` role access. But how can I call a restricted service now? How do 
>>> you authenticate a request from my local computer (for example with curl)?
>>>
>>> I tried something like:
>>> curl https://my-private-service-dot-project-tst-01.appspot.com/920/250314/ \
>>>   -H "Authorization: Bearer $(gcloud --project=hatsa-tst-01 auth print-identity-token)"
>>>
>>> On Wednesday, March 18, 2020 at 2:22:51 PM UTC+2, vladoi wrote:
>>>>
>>>>
>>>> Hi,
>>>>
>>>> If you would like to protect certain "App Engine" services from outside 
>>>> invocation, I would recommend using 'Google Cloud Identity Aware Proxy'.
>>>> Identity-Aware Proxy (IAP) lets you manage who has access to services 
>>>> hosted on App Engine. 
>>>> You can turn on IAP and this will allow only members listed in the 
>>>> permission panel to access your App Engine Services.
>>>>
>>>> [1]. https://cloud.google.com/iap/docs
>>>>
>>>> On Wednesday, March 18, 2020 at 11:22:14 AM UTC+1, Serhii Diukarev wrote:
>>>>>
>>>>> Dear Sir/Madam,
>>>>>
>>>>> I am developing a web service (server) for my web application. After 
>>>>> looking at every amazing Google Cloud product, I am thinking of doing the 
>>>>> following to have a secure server on Google Cloud:
>>>>>
>>>>>    1. I want to be able to protect (certain) "App Engine" services 
>>>>>    from outside invocation. Add security specifications in Cloud Services 
>>>>>    to allow only my app request endpoints. My app is running on a node.js 
>>>>>    server on Google App Engine.
>>>>>    2. I want to be able to make requests from "Cloud Tasks" and "Cloud 
>>>>>    Scheduler" to 'protected' "Cloud function" AND "AppEngine" endpoints 
>>>>>    from within the Google network.
>>>>>
>>>>> I am looking forward to receiving your response!
>>>>>
>>>>
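
The "JWT audience doesn't match this application" error quoted in this thread comes from IAP comparing the token's `aud` claim with its own OAuth2 client ID, so the first thing to check on the client side is what `aud` the token actually carries. The Python below is an added example (not code from the thread or from Google): it decodes the payload of a JWT without verifying it, reproduces the audience comparison IAP reports, and shows how an ID token with the right audience would be requested through google-auth's `fetch_id_token` using the service-account default credentials described in step [4]. The client IDs and the test tokens are constructed sample values; a token with an empty signature is used only so the check can run offline.

```python
import base64
import json
from typing import Tuple

# Constructed sample values (not real IDs). IAP_CLIENT_ID stands for the
# OAuth2 client ID IAP expects as the audience; OTHER_CLIENT_ID stands for the
# audience found in a token that was minted for a different application.
IAP_CLIENT_ID = "111111111111-exampleiapclientid.apps.googleusercontent.com"
OTHER_CLIENT_ID = "222222222222.apps.googleusercontent.com"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url, the JWT segment encoding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: dict) -> str:
    """Build a test token with an empty signature segment.

    Only for exercising the diagnostic below offline: IAP would reject such
    a token because it is not signed by Google's keys.
    """
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def jwt_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.

    This is a client-side diagnostic ("what does my token say its audience
    is?"); it must never be used as an access-control decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_iap_audience(token: str, expected_client_id: str) -> Tuple[bool, str]:
    """Reproduce the audience comparison behind IAP's error message.

    Returns (ok, message). RFC 7519 allows `aud` to be a string or a list,
    so both forms are accepted.
    """
    aud = jwt_claims(token).get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_client_id in audiences:
        return True, f"'aud' claim matches IAP client ID {expected_client_id}"
    return False, (
        "JWT audience doesn't match this application "
        f"('aud' claim ({aud}) doesn't match expected value ({expected_client_id}))"
    )


def mint_iap_id_token(audience: str) -> str:
    """Request an ID token whose `aud` is the IAP client ID.

    Uses Application Default Credentials (the service-account key from step
    [4] of the thread, pointed to by GOOGLE_APPLICATION_CREDENTIALS). Needs
    network access and the google-auth package, so it is not exercised here.
    """
    from google.auth.transport.requests import Request
    from google.oauth2 import id_token

    return id_token.fetch_id_token(Request(), audience)


if __name__ == "__main__":
    # Constructed token with the wrong audience: this is the failing case.
    wrong = make_unsigned_jwt({"iss": "https://accounts.google.com", "aud": OTHER_CLIENT_ID})
    print(check_iap_audience(wrong, IAP_CLIENT_ID)[1])
    # Constructed token minted for the IAP client ID: this is the passing case.
    right = make_unsigned_jwt({"iss": "https://accounts.google.com", "aud": IAP_CLIENT_ID})
    print(check_iap_audience(right, IAP_CLIENT_ID)[1])
```

To use it against a real token, pass the output of the `gcloud auth print-identity-token` command from the thread to `check_iap_audience` with the IAP client ID from the IAP OAuth settings; if `aud` is a different client ID, the token was issued for another application and the request has to be made with a token minted for the IAP client ID, as `mint_iap_id_token` does.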
