You can use Workflows to invoke an endpoint for which Identity-Aware Proxy (IAP) has been enabled. The endpoint can be an on‑premises, Compute Engine, Google Kubernetes Engine (GKE), or other Google Cloud endpoint.
IAP verifies identity and enforces authorization at the application level, so you can use an application-level access control model instead of relying on network-level firewalls. When an application or resource is protected by IAP, it can only be accessed through the proxy by principals who have the correct Identity and Access Management (IAM) role.
For more information, see the IAP overview and the following guides:
- Enable IAP for App Engine
- Enable IAP for Cloud Run
- Enable IAP for Compute Engine
- Enable IAP for GKE
- Enable IAP for on‑premises apps
Make an HTTP request
Calling or invoking an endpoint from Workflows is done through an
HTTP request. The most common HTTP request methods have a call shortcut (such as
http.get and
http.post), but you can make any
type of HTTP request by setting the call field to http.request and
specifying the type of request using the method field. For more information,
see Make an HTTP request.
Use a service account with the required permissions
When making requests to other Google Cloud services, your workflow must be associated with a service account that has been granted one or more Identity and Access Management (IAM) roles containing the required permissions to access the requested resources. To learn what service account is associated with an existing workflow, see Verify a workflow's associated service account.
When setting up a service account, you associate the requesting identity with the resource you want to give it access to—you make the requesting identity a principal, or user, of the resource—and then assign it the appropriate role. The role defines what permissions the identity has in the context of the resource. When an application or resource is protected by IAP, it can only be accessed through the proxy by principals who have the correct role.
For example, after authentication, IAP applies the relevant
allow policy to check if the principal is authorized to access the requested
resource. If the principal has the IAP-secured Web App User role
(roles/iap.httpsResourceAccessor) on the Google Cloud console project
where the resource exists, they're authorized to access the application.
You can configure access to your IAP-secured resource through the IAP page by adding the Workflows service account as a principal. For more information, see Managing access to IAP-secured resources.
Add authentication information to your workflow
By default, HTTP requests don't contain identity or access tokens for security reasons. You must explicitly add authentication information to your workflow definition. When making requests to an endpoint, use OIDC to authenticate through IAP.
To make an HTTP request using OIDC, add an auth section to the args section
of your workflow's definition, after you specify the URL.
YAML
- step_A: call: http.get args: url: https://www.example.com/endpoint body: someValue: "Hello World" anotherValue: 123 auth: type: OIDC audience: OIDC_AUDIENCE
JSON
[ { "step_A": { "call": "http.get", "args": { "url": "https://www.example.com/endpoint", "body": { "someValue": "Hello World", "anotherValue": 123 }, "auth": { "type": "OIDC", "audience": "OIDC_AUDIENCE" } } } } ]
You can use the audience parameter to specify the OIDC audience for the token.
When invoking an IAP-enabled endpoint, you must specify the
OAuth 2.0 client ID that you have configured for your application. This can be
obtained from the Credentials page.
What's next
- Grant a workflow permission to access Google Cloud resources
- Access HTTP response data saved in a variable
- Invoke a private endpoint using Service Directory's service registry