Hey srivya, you can download the export of the app in my response above! You can import the GService.json file into your Retool instance and take a look. Hopefully it gives you insight into how you can achieve a similar result for Cloud Run. Let me know if you have any trouble downloading it!
Hey Joe, I do not see any export. I only see the GServiceAccount.json file. Am I missing something?
Hey srivya, that is the exported app! Retool apps are exported as JSON files. You can download that file and then create a new app in your instance by importing that JSON file as shown in the screenshot below.
Ahhh I didn't realize this is what you meant. Thanks lot Joe
I am actually having trouble calling the KJUR module. Would you know how to custom install npm modules?
Actually nvm. It worked. Thanks again Joe
Hi @joeBumbaca, jumping in this thread as I'm evaluating Retool for my company needs. All our data is exposed through a Cloud Endpoint API using IAP, so I'm obliged to authenticate with a Service account.
If we were to use the approach you suggested a few posts earlier to authenticate to all apps built on Retool, would there be a way to programmatically rotate the service account private key in case we would revoke them automatically? Or would we need to do that manually? I'm asking because in case of having multiple apps, that would represent a) manual work (eew) b) possible downtime from the apps while we replace the keys.
Or is there perhaps a better way to arrange this integration?
Hi Marta, unfortunately right now I don't believe that there is a better way to arrange this integration. This happens to be a fairly manual process (eew, I know). You could create a global JS function that would give you access to the new service account key in each app, and would only have to change it in 1 place. But again that would still need to be done manually, when the key switches.
I just want to confirm, this is the only way to work with CloudFunctions? Meaning the Google OAUTH 2 from the Authentication on a Retool Resource won't solve for this?
1 Like
Hey wmoore, this is only an issue if you are trying to use a service account.
Got it, so I am NOT doing a service account; doing a user auth -- it authorizes right and I get the tokens but still doesn't work
I checked permissions in IAM too
Error: Forbidden
Your client does not have permission to get URL
Hey wmoore, this may be more suited to a support ticket. Feel free to write in to us! If you would prefer here, would love to see a screenshot of the resource set up. An image of the error and some information around when you receive it would be great as well. Thanks!
Thanks for your quick answer, @joeBumbaca ! I think that would be a good compromise between a fully manual and fully automated solution. If you know of any way to suggest this feature to the Retool team, please feel free to point me to the right direction! 
As GCP is putting so much emphasis on their IAP systems and security, this might be a good add on to Retool.
I have a solution to the problems outlined above. The magic lies within the scopes granted.
- Authentication: OAuth2.0
- authorization url: Sign in - Google Accounts
- access token url: https://www.googleapis.com/oauth2/v4/token
- client id and client secret following this guide: Creating a Google OAuth 2.0 client
- audience: set this to the client id from above
- access token lifespan: 3600
- Scopes required:
https://www.googleapis.com/auth/userinfo.email openid
For the authorization header be sure to useBearer OAUTH2_ID_TOKEN
Noting: This works specifically for IAP (identity aware proxy) protected services
2 Likes
I lost an afternoon trying to understand how it works. I didn't found how it works.
@joeBumbaca Thanks for putting together the GServiceAccount dashboard to try out although I think it may now be broken? I've tried testing it out and replaced all of the inputs and I just get the error "SignJWT failed (0.014s):init failed:malformed plain PKCS8 private key(code:001)"
I'm grabbing the private key from Firebase in the format it comes in but no luck so far.
1 Like
Any updates on this?
I've tried @joeBumbaca solution but I get the same error @rlindsey2 told about, "SignJWT failed (0.014s):init failed:malformed plain PKCS8 private key(code:001)"
Is there a best practices workflow for using retool OAuth resource with Google Cloud functions that require authentication? I have followed the steps in the docs and here to create an Oauth client and obtain access/id tokens but the tokens I get back do not have the authorization to call cloud functions. I am positive my account has the correct IAM permissions to invoke them. I have been banging my head against the wall trying to figure out what step I am missing, any help would be appreciated!
Hey everyone, I do see that this library for signing the JWT no longer works in this app unfortunately I don't have any fixes for that. We do have an internal ticket tracking this issue and are looking into what it would take to allow this natively. We will update here when there is any additional information. Thanks 
1 Like
Hey everyone, i was working in a project that needed this feature, so i updated @joeBumbaca solution. So here i leave a json with a template to use authorization in protected google cloud functions. Remember to add the target_audience in the serviceAccountKey variable object
GServiceAccountAuth.json (23.4 KB)
1 Like