How can I set up an API Gateway to authenticate services without using a service account private key file?
Service A, for instance a cloud function, with service account A wants to make API calls to an API gateway without using a service account private key file. I am wondering if it is possible that service A uses its credentials to make an API call where the API Gateway can authenticate the request?
Being able to do the above, the API gateway can be configured to allow various paths to different service accounts.
Updated
This is an example of what the client code could be:
    import requests

    def make_jwt_request(signed_jwt, url):
        """Makes an authorized request to the endpoint"""
        headers = {
            'Authorization': 'Bearer {}'.format(signed_jwt),
            'content-type': 'application/json'
        }
        # The signed JWT is sent as a bearer token for the gateway to verify
        response = requests.get(url, headers=headers)
        return response
Also, the API Gateway definition would be something like:
    swagger: '2.0'
    info:
      title: API_ID optional-string
      description: Sample API on API Gateway with a Google Cloud Functions backend
      version: 1.0.0
    schemes:
      - https
    produces:
      - application/json
    securityDefinitions:
      google:
        authorizationUrl: ""
        flow: "implicit"
        type: "oauth2"
        x-google-issuer: "service-b@example-project.iam.gserviceaccount.com"
        x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/service-b@example-project.iam.gserviceaccount.com"
    paths:
      /helloworld:
        get:
          summary: Hello World
          operationId: hello
          x-google-backend:
            address: https://us-central1-example-project.cloudfunctions.net/function-b
          security:
            - google: []
          responses:
            '200':
              description: A successful response
              schema:
                type: string
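One way to obtain `signed_jwt` without a key file, added here as an example and not part of the original post: the function's runtime identity asks the IAM Credentials API `signJwt` method to sign the claims. The helper names and the audience value are assumptions, and the calling service account needs the `iam.serviceAccounts.signJwt` permission on itself.

```python
import json
import time
import urllib.request

# Helper names and the audience passed in are assumptions for this example.
METADATA_TOKEN_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                      "instance/service-accounts/default/token")
SIGN_JWT_URL = ("https://iamcredentials.googleapis.com/v1/projects/-/"
                "serviceAccounts/{sa}:signJwt")


def build_claims(sa_email, audience, now=None, lifetime=300):
    """Claims the gateway checks; iss must equal x-google-issuer."""
    now = int(time.time()) if now is None else int(now)
    if not 0 < lifetime <= 3600:  # keep tokens short-lived (choice made here)
        raise ValueError("lifetime must be between 1 and 3600 seconds")
    return {"iss": sa_email, "sub": sa_email, "aud": audience,
            "iat": now, "exp": now + lifetime}


def build_sign_request(sa_email, claims, access_token):
    """Prepare the signJwt call; the payload is the claims as a JSON string."""
    body = json.dumps({"payload": json.dumps(claims)}).encode()
    return urllib.request.Request(
        SIGN_JWT_URL.format(sa=sa_email), data=body, method="POST",
        headers={"Authorization": "Bearer " + access_token,
                 "Content-Type": "application/json"})


def metadata_access_token():
    """Fetch the runtime service account's access token (no key file)."""
    req = urllib.request.Request(METADATA_TOKEN_URL,
                                 headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)["access_token"]


def sign_jwt_without_key_file(sa_email, audience):
    """Return a signed JWT usable as signed_jwt in make_jwt_request()."""
    claims = build_claims(sa_email, audience)
    req = build_sign_request(sa_email, claims, metadata_access_token())
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["signedJwt"]
```

The `iss` claim has to match the `x-google-issuer` value in the gateway definition, so each path can name the service account it accepts.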