IAP Client Libraries

This page shows how to get started with the Google APIs Client Libraries for the Cloud IAP API. Read more about the client libraries for Cloud APIs in Client Libraries Explained.

Installing the client library


For more information, see Using PHP on Google Cloud.

composer require google/apiclient

Setting up authentication

To run the client library, you must first set up authentication by creating a service account and setting an environment variable. Complete the following steps to set up authentication. For other ways to authenticate, see the GCP authentication documentation.

Cloud Console

Create a service account:

  1. In the Cloud Console, go to the Create service account page.

    Go to Create service account
  2. Select a project.
  3. In the Service account name field, enter a name. The Cloud Console fills in the Service account ID field based on this name.

    In the Service account description field, enter a description. For example, Service account for quickstart.

  4. Click Create and continue.
  5. Click the Select a role field.

    Under Quick access, click Basic, then click Owner.

  6. Click Continue.
  7. Click Done to finish creating the service account.

    Do not close your browser window. You will use it in the next step.

Create a service account key:

  1. In the Cloud Console, click the email address for the service account that you created.
  2. Click Keys.
  3. Click Add key, then click Create new key.
  4. Click Create. A JSON key file is downloaded to your computer.
  5. Click Close.

Command line

You can run the following commands using the Cloud SDK on your local machine, or in Cloud Shell.

  1. Create the service account. Replace NAME with a name for the service account.

    gcloud iam service-accounts create NAME
  2. Grant permissions to the service account. Replace PROJECT_ID with your project ID.

    gcloud projects add-iam-policy-binding PROJECT_ID --member="serviceAccount:NAME@PROJECT_ID.iam.gserviceaccount.com" --role="roles/owner"
  3. Generate the key file. Replace FILE_NAME with a name for the key file.

    gcloud iam service-accounts keys create FILE_NAME.json --iam-account=NAME@PROJECT_ID.iam.gserviceaccount.com

Provide authentication credentials to your application code by setting the environment variable GOOGLE_APPLICATION_CREDENTIALS. This variable applies only to your current shell session. If you want the variable to apply to future shell sessions, set the variable in your shell startup file, for example in the ~/.bashrc or ~/.profile file.

Linux or macOS


Replace KEY_PATH with the path of the JSON file that contains your service account key.

For example:

export GOOGLE_APPLICATION_CREDENTIALS="/home/user/Downloads/service-account-file.json"


For PowerShell:


Replace KEY_PATH with the path of the JSON file that contains your service account key.

For example:


For command prompt:


Replace KEY_PATH with the path of the JSON file that contains your service account key.

Using the client library

The following example shows how to use the client library.


 * Copyright 2017 Google Inc.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *     http://www.apache.org/licenses/LICENSE-2.0
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * See the License for the specific language governing permissions and
 * limitations under the License.

namespace Google\Cloud\Samples\Iap;

use Symfony\Component\Console\Application;
use Symfony\Component\Console\Command\Command;
use Symfony\Component\Console\Input\InputArgument;

# Includes the autoloader for libraries installed with composer
require __DIR__ . '/vendor/autoload.php';

$application = new Application('Iap');

// Create request Command.
$application->add((new Command('request'))
    ->addArgument('url', InputArgument::REQUIRED, 'The Identity-Aware Proxy-protected URL to fetch.')
    ->addArgument('clientId', InputArgument::REQUIRED, 'The client ID used by Identity-Aware Proxy.')
    ->addArgument('serviceAccountPath', InputArgument::REQUIRED, 'Path for the service account you want to use.')
    ->setDescription('Make a request to an IAP-protected resource using a service account.')
The <info>%command.name%</info> command makes a request to an IAP-protected resource.
    <info>php %command.full_name%</info>

    ->setCode(function ($input, $output) {
        $response = make_iap_request(
        $response_body = (string)$response->getBody();
        print('Printing out response body:');

// Create a validate Command.
$application->add((new Command('validate'))
    ->addArgument('jwt', InputArgument::REQUIRED, 'A JWT from the X-Goog-Iap-Jwt-Assertion header')
    ->addArgument('projectNumber', InputArgument::REQUIRED, 'The project *number* for your Google Cloud project. This is returned by gcloud projects describe $PROJECT_ID or in the Project Info card in Cloud Console.')
    ->addArgument('projectId', InputArgument::REQUIRED, 'The project ID for your Google Cloud Platform project.')
    ->setDescription('Validates the JWT in the X-Goog-Iap-Jwt-Assertion header of an IAP-protected resource.')
The <info>%command.name%</info> command makes a request to an IAP-protected resource and then validates the JWT.
    <info>php %command.full_name%</info>

    ->setCode(function ($input, $output) {
        $user_identity = validate_jwt_from_app_engine(
        print('Printing user identity information from ID token payload:');
        printf('sub: %s', $user_identity['sub']);
        printf('email: %s', $user_identity['email']);

if (getenv('PHPUNIT_TESTS') === '1') {
    return $application;


Additional resources