For the APIs hosted in GCP I'm planning to authenticate consuming services (from outside gcp environment) with the help of service accounts with private keys and API gateway.
It all works fine for one service account (service-account-1), i.e.:
```yaml
paths:
  /hello:
    get:
      # ...
      security:
        - service_account-1: []
securityDefinitions:
  service_account-1:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "{service-account-1}@{project-id}.iam.gserviceaccount.com"
    x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/{service-account-1}@{project-id}.iam.gserviceaccount.com"
    x-google-audiences: "{project-id}"
```
However, how could I describe it so that any service account from the project would have access?
EDIT: I would like to avoid updating the OpenAPI config on API Gateway each time a new service account is created and needs to be granted access.
UPDATE: I ended up using Identity-Aware Proxy for securing the API to only allow the authorised service accounts.
According to the official documentation:
Authentication between services
Therefore you have to create multiple security definitions.
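Since each allowed service account needs its own `securityDefinitions` entry, the config can be generated rather than hand-edited. The following is an added example, not code from the question or the answer; the project id, account names and path are constructed placeholders, and it emits JSON, which API Gateway accepts as an OpenAPI 2.0 document just like YAML.

```python
"""Generate an API Gateway OpenAPI 2.0 spec that accepts Google-signed ID tokens
from several service accounts of one project (added example, constructed values)."""
import json


def security_definition(account: str, project: str) -> dict:
    """One oauth2 definition per service account, mirroring the single-account
    block from the question: issuer and JWKS URI are derived from the account email."""
    email = f"{account}@{project}.iam.gserviceaccount.com"
    return {
        "authorizationUrl": "",
        "flow": "implicit",
        "type": "oauth2",
        "x-google-issuer": email,
        "x-google-jwks_uri": f"https://www.googleapis.com/robot/v1/metadata/x509/{email}",
        "x-google-audiences": project,
    }


def build_spec(project: str, accounts: list, paths: list) -> dict:
    """Build the full spec. Every path gets a `security` list with one requirement
    object per account: a list of separate objects means "any one of these" (OR).
    Putting all accounts into a single object would mean "all of these" (AND),
    which no single token could satisfy, so every caller would be rejected."""
    definitions = {acct: security_definition(acct, project) for acct in accounts}
    any_of_accounts = [{acct: []} for acct in accounts]
    spec_paths = {}
    for path in paths:
        spec_paths[path] = {
            "get": {
                "operationId": "get" + path.strip("/").replace("/", "_"),
                "security": any_of_accounts,
                "responses": {"200": {"description": "OK"}},
            }
        }
    return {
        "swagger": "2.0",
        "info": {"title": "hello-api", "version": "1.0"},
        "paths": spec_paths,
        "securityDefinitions": definitions,
    }


if __name__ == "__main__":
    # Constructed sample input: a placeholder project with two service accounts.
    spec = build_spec("my-project", ["svc-a", "svc-b"], ["/hello"])
    print(json.dumps(spec, indent=2))
```

Re-run the generator and redeploy the gateway config when an account is added; an account that is not in the list still gets rejected, which is the desired default.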