@asciimike
Created September 14, 2018 18:43
Create a Google-signed JWT with the audience set to a particular URL
### Step 0: Configure FUNCTION_URL and SERVICE_ACCOUNT as needed
OAUTH_ENDPOINT="https://www.googleapis.com/oauth2/v4/token"
FUNCTION_URL="..."
SERVICE_ACCOUNT="..."
### Step 1: Generate JWT payload
# Read the clock once so iat and exp are derived from the same instant.
NOW=$(date +%s)
cat <<EOF > input.json
{
  "iat": $NOW,
  "exp": $((NOW + 3600)),
  "iss": "$SERVICE_ACCOUNT",
  "aud": "$OAUTH_ENDPOINT",
  "target_audience": "$FUNCTION_URL"
}
EOF
### Step 2: Self-sign JWT payload
# IAM signs with the service account's Google-managed key; no key file is needed locally.
gcloud beta iam service-accounts sign-jwt \
  --iam-account "$SERVICE_ACCOUNT" \
  input.json \
  self-signed.jwt
### Step 3: Generate form data for OAuth grant
cat <<EOF > form.txt
assertion=$(cat self-signed.jwt)&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
EOF
### Step 4: Exchange self-signed JWT for Google-signed JWT
# The returned id_token has aud set to FUNCTION_URL (taken from target_audience).
curl \
  -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "@form.txt" \
  "$OAUTH_ENDPOINT" \
  | jq -r '.id_token' \
  > google.jwt
### Step 5: Call function with Google-signed JWT
curl \
  -H "Authorization: bearer $(cat google.jwt)" \
  "$FUNCTION_URL"
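On the receiving side, the function must verify google.jwt's signature against Google's published certificates and then check that the token's aud is its own URL (the target_audience from Step 1), so a token minted for a different function cannot be replayed against it. The Python below is an added example of that claims check, not part of the gist; the sample token it builds is constructed with a placeholder signature, and signature verification is deliberately left out so it runs offline.

```python
"""Claims check a Cloud Function would apply to a Google-signed ID token.

Added example, not from the gist. Signature verification against Google's
certificates is NOT performed here (offline demo); it must come first.
"""
import base64
import json
import time
from typing import Dict, List, Optional

# Issuer values Google uses for ID tokens.
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> Dict:
    """Return the payload of a compact JWT (header.payload.signature)."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_id_token(token: str, expected_audience: str,
                   now: Optional[int] = None) -> List[str]:
    """Return the list of problems found; an empty list means acceptable."""
    now = int(time.time()) if now is None else now
    claims = decode_claims(token)
    problems: List[str] = []
    # aud must be exactly this function's URL, i.e. the gist's target_audience.
    if claims.get("aud") != expected_audience:
        problems.append(f"aud {claims.get('aud')!r} != {expected_audience!r}")
    # iss must be Google, not the service account that requested the token.
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append(f"unexpected iss {claims.get('iss')!r}")
    # exp must be present and still in the future.
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("exp missing or token expired")
    return problems


def make_test_token(claims: Dict) -> str:
    """Construct a demo token with a placeholder signature (not Google-signed)."""
    def enc(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.PLACEHOLDER_SIG"
```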