How to connect to an IAP protected service with PHP via Service Account? I already fail to get the Authentication Bearer, so I guess I'm completely on the wrong track:
<?php
require_once 'vendor/autoload.php';
// Scope requested for the OAuth2 access token
$scopes = ['https://www.googleapis.com/auth/iam'];
$client = new Google_Client;
// Pick up credentials from GOOGLE_APPLICATION_CREDENTIALS / the GCE metadata server
$client->useApplicationDefaultCredentials();
$client->setScopes($scopes);
// Service account to impersonate (domain-wide delegation "sub" claim)
$client->setSubject('[email protected]');
$client->setOpenidRealm('https://example.com');
// Returns an OAuth2 access token, not the OIDC token IAP expects
$access_token = $client->getAccessToken();
var_dump($access_token);
Any pointer to where and how to start would be highly appreciated.
Have you seen https://cloud.google.com/iap/docs/authentication-howto ? Unfortunately we don't have sample code for PHP yet, but that explains the basic concepts. The "Robot Parade" section of https://cloudplatform.googleblog.com/2017/04/Getting-started-with-Cloud-Identity-Aware-Proxy.html may be helpful as well.
Unfortunately, IAP doesn't support access tokens for authentication, so you're going to need to get a service-account-signed JWT, and it needs to have a special "target_audience" claim. Is $client->config['signing_key'] set? If so, you have access to the service account's private key, and can... take a look at https://github.com/google/google-auth-library-php/blob/master/src/OAuth2.php#L417 and if you can get the credentials object you can do something like that, add the target_audience claim.
If you don't have access to the private key, which I think is only the case if you're running on GCE and using a service account from the metadata server, you'll have to use the IAM signBlob API: https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/signBlob . This requires some tricky setup on the GCE instance, https://cloud.google.com/iap/docs/authentication-howto documents it.
Sorry, I know this is all more complicated than it should be! I'm not a PHP expert, but I hope this at least helps. -- Matthew, Identity-Aware Proxy engineer
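The flow the answer describes, as an added example that is not part of the question or the answer and not code from the google-auth-library-php project: build a JWT signed with the service account's private key that carries the "target_audience" claim, exchange it for an OIDC token at Google's OAuth2 token endpoint (the exchange step comes from the linked authentication how-to), and send that token as a Bearer token to the IAP-protected URL. Only PHP built-ins (openssl, curl, json) are used. The service-account JSON key path, the IAP OAuth client ID and the protected URL are placeholders you must replace with your own values.

```php
<?php
// Added example (not from the question or answer). Assumes a downloaded
// service-account JSON key file; the key path, the IAP OAuth client ID and the
// protected URL below are placeholders.

function base64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

// Build and RS256-sign the JWT that will be exchanged for an OIDC token.
// $sa is the decoded service-account JSON (client_email, private_key, private_key_id).
function make_iap_jwt(array $sa, string $target_audience, ?int $now = null): string {
    $now = $now ?? time();
    $header = ['alg' => 'RS256', 'typ' => 'JWT', 'kid' => $sa['private_key_id']];
    $claims = [
        'iss' => $sa['client_email'],
        'sub' => $sa['client_email'],
        // Audience is the token endpoint, not the IAP-protected site.
        'aud' => 'https://www.googleapis.com/oauth2/v4/token',
        'iat' => $now,
        'exp' => $now + 3600,
        // The claim IAP needs: the OAuth client ID of the IAP-protected resource.
        'target_audience' => $target_audience,
    ];
    $signing_input = base64url_encode(json_encode($header, JSON_UNESCAPED_SLASHES))
        . '.' . base64url_encode(json_encode($claims, JSON_UNESCAPED_SLASHES));

    $key = openssl_pkey_get_private($sa['private_key']);
    if ($key === false) {
        throw new RuntimeException('cannot load private key: ' . openssl_error_string());
    }
    $signature = '';
    if (!openssl_sign($signing_input, $signature, $key, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('JWT signing failed');
    }
    return $signing_input . '.' . base64url_encode($signature);
}

// Exchange the signed JWT for an OIDC id_token using the jwt-bearer grant.
function fetch_oidc_token(string $jwt): string {
    $ch = curl_init('https://www.googleapis.com/oauth2/v4/token');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
            'assertion'  => $jwt,
        ]),
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('token request failed: ' . curl_error($ch));
    }
    curl_close($ch);
    $resp = json_decode($body, true);
    if (!isset($resp['id_token'])) {
        throw new RuntimeException('no id_token in token response: ' . $body);
    }
    return $resp['id_token'];
}

// Call the IAP-protected URL with the OIDC token as a Bearer token.
function call_iap_protected(string $url, string $id_token): string {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => ['Authorization: Bearer ' . $id_token],
    ]);
    $body = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $status >= 400) {
        throw new RuntimeException("IAP request failed with HTTP $status");
    }
    return $body;
}

// Usage (all three values are placeholders):
$sa = json_decode(file_get_contents('/path/to/service-account.json'), true);
$jwt = make_iap_jwt($sa, 'IAP_OAUTH_CLIENT_ID.apps.googleusercontent.com');
$id_token = fetch_oidc_token($jwt);
echo call_iap_protected('https://example.com/protected', $id_token);
```

The OIDC token is short-lived (the JWT above asks for one hour), so cache it and re-run the exchange when it expires rather than signing a new JWT per request. On a GCE instance without a downloaded key, the signing step in make_iap_jwt is what you would replace with a call to the IAM signBlob API the answer mentions; the claims and the exchange stay the same.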