Created September 14, 2018 18:43 by asciimike (gist 4a01a380778f7d48f00754d718651cdc)
Create a Google-signed JWT with the audience set to a particular URL
#!/bin/bash
### Step 0: Configure FUNCTION_URL and SERVICE_ACCOUNT as needed
OAUTH_ENDPOINT="https://www.googleapis.com/oauth2/v4/token"
FUNCTION_URL="..."
SERVICE_ACCOUNT="..."

### Step 1: Generate JWT payload
# "aud" is Google's token endpoint (who consumes this self-signed JWT);
# "target_audience" becomes the "aud" claim of the Google-signed token returned in Step 4.
cat <<EOF > input.json
{
  "iat": $(date +%s),
  "exp": $(($(date +%s) + 3600)),
  "iss": "$SERVICE_ACCOUNT",
  "aud": "$OAUTH_ENDPOINT",
  "target_audience": "$FUNCTION_URL"
}
EOF

### Step 2: Self-sign JWT payload
# Signs input.json with the service account's key via the IAM API, so no key file is needed locally.
gcloud beta iam service-accounts sign-jwt \
  --iam-account "$SERVICE_ACCOUNT" \
  input.json \
  self-signed.jwt

### Step 3: Generate form data for OAuth grant
# A JWT is base64url text, so it needs no further form encoding here.
cat <<EOF > form.txt
assertion=$(cat self-signed.jwt)&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
EOF

### Step 4: Exchange self-signed JWT for Google-signed JWT
# The response's id_token is an RS256 token issued by accounts.google.com with aud = FUNCTION_URL.
curl \
  -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "@form.txt" \
  "$OAUTH_ENDPOINT" \
  | jq '.id_token' -r \
  > google.jwt

### Step 5: Call function with Google-signed JWT
curl \
  -H "Authorization: bearer $(cat google.jwt)" \
  "$FUNCTION_URL"
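The same flow in Python, as an added example that is not part of the gist: it builds the Step 1 claims and the Step 3 grant body with the standard library, and adds the checks the receiving function should run on the Google-signed token (issuer, `aud` equal to its own URL, expiry, verified service-account email). It does not verify the RS256 signature against Google's published certificates; that step is still required before trusting any of these claims. The URLs, e-mail and token in the test are constructed sample values.

```python
import base64
import json
import time
from urllib.parse import urlencode

OAUTH_ENDPOINT = "https://www.googleapis.com/oauth2/v4/token"
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

def build_assertion_claims(service_account, function_url, now=None):
    """Step 1 claims: ask Google for an ID token whose 'aud' is function_url."""
    now = int(time.time()) if now is None else now
    return {"iat": now, "exp": now + 3600, "iss": service_account,
            "aud": OAUTH_ENDPOINT, "target_audience": function_url}

def build_grant_body(assertion):
    """Step 3 form body; urlencode escapes the grant_type URN, which Google accepts."""
    return urlencode({"assertion": assertion,
                      "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer"})

def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_claims(token):
    """Return (header, claims) from header.payload.signature. Does NOT check the signature."""
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))

def check_google_id_token_claims(token, expected_audience, now=None):
    """Recipient-side claim checks for the Step 4 token; run after signature verification.
    Returns (True, email) or (False, reason)."""
    now = int(time.time()) if now is None else now
    header, claims = decode_jwt_claims(token)
    if header.get("alg") != "RS256":          # Google ID tokens are RS256; reject 'none' etc.
        return False, "unexpected alg %r" % header.get("alg")
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "unexpected issuer"
    if claims.get("aud") != expected_audience:  # token minted for another service: replay
        return False, "aud mismatch: token was minted for another service"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if not claims.get("email_verified") or not claims.get("email"):
        return False, "no verified service account identity"
    return True, claims["email"]

def constructed_token(claims):
    """Offline demo only: a token with the given claims and a dummy signature segment."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2lnbmF0dXJl"])
```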