Reputation: 21
Hello, in a sh script I try to call an API in App Engine Standard (with a POST) behind an IAP. I use a service account that has the "IAP-secured Web App User" permission. The service account is from a different account than the IAP.
I first generate an OpenID Connect token:
OIDC_token_response=$(curl -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Accept: application/json" \
--data '{"audience":"{CLIENT_ID_IAP}","includeEmail":true}' \
-s --write-out "HTTP_CODE:%{http_code}" \
"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${MY_SERVICE_ACCOUNT}:generateIdToken")
Then I use the token:
api_response=$(curl -X POST -H "Authorization: Bearer ${OIDC_token}" -s --write-out "HTTP_CODE:%{http_code}" https://{MY-APP}.appspot.com/my-api/)
The answer is:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>401 Unauthorized</title>
<h1>Unauthorized</h1>
<p>Unauthorized</p>
HTTP_CODE:401
Any idea?
Regards
Upvotes: 1
Views: 382
Reputation: 21
The error was not at the IAP level: the 401 error was returned by the App Engine application. The IAP connection is OK. Sorry for this post.
Upvotes: 1
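An added example, not part of the original posts: an offline check that helps separate a token problem from an application-level 401 like the one described above. It decodes the OIDC token's claims, compares `aud` and `exp` with what IAP expects, and splits the `HTTP_CODE:` suffix from the curl output. All function names and sample values are assumptions constructed for illustration, and the token signature is not verified.

```shell
#!/bin/sh
# Added example: offline sanity checks for an IAP-bound OIDC token and a curl result.
# All names and sample values are constructed; the signature is NOT verified here.

b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }

b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Decode the middle (claims) segment of a JWT.
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# Extract a string claim ($2) or the numeric exp claim from token $1.
jwt_claim() { jwt_payload "$1" | sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'; }
jwt_exp()   { jwt_payload "$1" | sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'; }

# Split the output of: curl -s --write-out "HTTP_CODE:%{http_code}"
http_code() { printf '%s' "${1##*HTTP_CODE:}"; }
http_body() { printf '%s' "${1%HTTP_CODE:*}"; }

# $1 token, $2 expected IAP client ID, $3 raw curl output, $4 current epoch seconds
diagnose() {
  aud=$(jwt_claim "$1" aud)
  exp=$(jwt_exp "$1")
  if [ "$aud" != "$2" ] || [ -z "$exp" ] || [ "$exp" -le "$4" ]; then
    echo "fix-token"   # wrong audience or expired: IAP would reject this token
  elif [ "$(http_code "$3")" = 401 ]; then
    echo "check-app"   # claims look right: inspect IAP access policy and the app's own auth
  else
    echo "ok"
  fi
}

# Constructed sample data (not a real token or client ID).
SAMPLE_AUD='constructed-client-id.apps.googleusercontent.com'
SAMPLE_CLAIMS='{"aud":"'"$SAMPLE_AUD"'","email":"caller@constructed-project.iam.gserviceaccount.com","exp":4102444800}'
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","typ":"JWT"}').$(b64url_encode "$SAMPLE_CLAIMS").constructed-signature"
SAMPLE_RAW='<title>401 Unauthorized</title>
HTTP_CODE:401'

diagnose "$SAMPLE_TOKEN" "$SAMPLE_AUD" "$SAMPLE_RAW" "$(date +%s)"
```

With a real run, pass the token extracted from `OIDC_token_response` and the raw `api_response` string in place of the sample values.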