I want to call my backend service 'azhbackend' from my web application 'azhverwaltung' within the Google Cloud Run environment.
Both services have service accounts in Google Cloud. Azhbackend requires authentication. Azhverwaltung uses google-auth-library to create the authorization header:
const { GoogleAuth } = require('google-auth-library');
const path = require('path');

// Credentials loaded from a service account key file, as in the original question.
const auth = new GoogleAuth({
  keyFile: path.join(process.cwd(), '/certificates/xxx.json'),
});
// Audience passed here is the backend service account e-mail, as in the original question.
const client = await auth.getIdTokenClient(
  '[email protected]'
);
const headers = await client.getRequestHeaders();
This header contains the keyword 'Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6I...' and is provided when calling the backend service. The backend service responds with status 401 before any application code is executed.
The documentation about how to get an ID token for a service-to-service call is confusing. Even Gemini provides wrong or outdated information. Did anybody solve a problem like this? How did you generate the ID token?
See the code example above.
Asked Mar 19 at 12:33 by Berthold Kröger
- Firstly, if it's service to service, you do not need a service account key file (and it's a bad security practice, please avoid it!). Then, you should add the audience when you create your ID token. – guillaume blaquiere, Mar 19 at 12:59
- The HTTP response probably has a body telling you why the authorization was denied (missing IAM permissions, invalid token, wrong audience, ...), and as guillaume says, it's weird that you are loading credentials from a JSON file. – somethingsomething, Mar 19 at 16:07
- @guillaumeblaquiere What do you mean by 'add the audience'? – Berthold Kröger, Mar 19 at 16:26
1 Answer
With some help from the commenters I found the solution for my question.
First, I analyzed the status 401 error in more detail. It said 'www-authenticate': 'Bearer error="invalid_token" error_description="The access token could not be verified"'.
Second, I decoded the JSON web token returned from the call to 'idTokenClient.getRequestHeaders()'. It showed me my error: I provided the URL of the backend service account instead of the URL of the service itself. That was my fault.
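As an added example (not code from the question or the answer), here is the pattern the answer arrives at: Application Default Credentials instead of a key file, the backend service URL as the ID token audience, and a decode of the token's `aud` claim so a wrong audience is caught before the request is sent. BACKEND_URL is a placeholder and the helper names are assumed.

```javascript
// Added example, not the question's or answer's code. Fetches a Cloud Run ID token
// with the backend service URL as audience and checks the token's "aud" claim.
// BACKEND_URL is a placeholder; the helper names are assumed.
const BACKEND_URL = 'https://azhbackend-PLACEHOLDER.a.run.app';

// Decode a JWT payload without verifying it. Cloud Run verifies the signature
// on the receiving side; this is only for inspecting claims locally.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// True when the token was minted for exactly the URL we are about to call.
function audienceMatches(token, targetUrl) {
  return decodeJwtPayload(token).aud === targetUrl;
}

// Build the Authorization header for a service-to-service call. On Cloud Run,
// GoogleAuth() with no key file uses the caller's runtime service account.
// google-auth-library is required lazily so the claim helpers work without it.
async function buildAuthHeaders(targetUrl) {
  const { GoogleAuth } = require('google-auth-library');
  const auth = new GoogleAuth();
  const client = await auth.getIdTokenClient(targetUrl); // audience = service URL
  const headers = await client.getRequestHeaders();
  // Older library versions return a plain object, newer ones a Headers instance.
  const value = typeof headers.get === 'function'
    ? headers.get('authorization') : headers.Authorization;
  const token = String(value).replace(/^Bearer /, '');
  if (!audienceMatches(token, targetUrl)) {
    throw new Error(`ID token audience does not match ${targetUrl}`);
  }
  return { Authorization: `Bearer ${token}` };
}

// Constructed sample token (fake signature) for exercising the claim check offline.
function sampleToken(aud) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc({ aud, iss: 'https://accounts.google.com' })}.sig`;
}
```

If the `aud` check fails, the 401 with `invalid_token` seen in the answer is expected: the receiving Cloud Run service only accepts tokens whose audience is its own URL.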