Google Service Account Authentication to IAP-protected API

I am trying to Authorize a Google Service Account from my REST API resource to an IAP-protected API.

I already provided the Service Account Key from GCP and provided OAuth Scopes of https://www.googleapis.com/auth/cloud-platform based on the documentation here OAuth 2.0 Scopes for Google APIs  |  Authorization  |  Google for Developers

image

I'm currently getting this error when using the REST API. Could it probably that the token generated by retool is not a OIDC token which is expected by IAP.
image

Do I also need to provide headers when using Google Service Account? Like is there a specific magic string for it? For OAuth 2.0 flow I'm using Bearer OAUTH2_ID_TOKEN

image

Note: OAuth 2.0 workflow works fine but I want to use the Service account so that users don't have to authorize retool every time they access the application.

Thanks!

Hello @bmichael!

Totally understand your use case for wanting to use a Service account. I was looking around the forms and found this post related to both setting up the connection to Google Service Accounts and using JWTs to avoid errors for this process.

Justin at the top responds with some resources related to JWTs and a couple comments down, Joe shared an app which demos the setup but just needs you to fill in the fields he specified.

Let me know if this helps!