Make authenticated requests from a workflow

To make authenticated requests to Google Cloud services, your workflow must be associated with a service account that has been granted the Identity and Access Management (IAM) roles containing the permissions required to access the requested resources. For more information, see Grant a workflow permission to access Google Cloud resources.

By default, HTTP requests do not contain identity or access tokens for security reasons. Workflows connectors automatically provide the required authentication using the workflow's service account.

To make an authenticated request from within a workflow, do one of the following, depending on the service you are calling:

Make authenticated requests to external APIs

If you're integrating a third-party API, include an Authorization request header with the credentials necessary to carry out the authentication. For example, include an ID token in an Authorization: Bearer ID_TOKEN header in the request to the service. For more information, consult the API provider's documentation.

Make authenticated requests to Google Cloud APIs

A workflow's service account can generate OAuth 2.0 tokens that the workflow can use to authenticate to any Google Cloud API. When you use this authentication method, the workflow authenticates as its associated service account. To make an HTTP request using the OAuth 2.0 protocol, add an auth section to the args section of your workflow's definition, after you specify the URL. In this example, a request is sent to the Compute Engine API to stop a VM:

YAML

  - step_A:
      call: http.post
      args:
          url: https://compute.googleapis.com/compute/v1/projects/myproject1234/zones/us-central1-b/instances/myvm001/stop
          auth:
              type: OAuth2
              scopes: OAUTH_SCOPE
    

JSON

    [
      {
        "step_A": {
          "call": "http.post",
          "args": {
            "url": "https://compute.googleapis.com/compute/v1/projects/myproject1234/zones/us-central1-b/instances/myvm001/stop",
            "auth": {
              "type": "OAuth2",
              "scopes": "OAUTH_SCOPE"
            }
          }
        }
      }
    ]
      
The scopes key is optional; it specifies the OAuth 2.0 scopes requested for the token. Replace OAUTH_SCOPE with a string or a list of strings. Space-separated and comma-separated strings are also supported. By default, the value is set to https://www.googleapis.com/auth/cloud-platform.

Make requests to Cloud Functions or Cloud Run

When making requests to Cloud Functions or Cloud Run, use OIDC to authenticate.

To make an HTTP request using OIDC, add an auth section to the args section of your workflow's definition, after you specify the URL. In this example, a request is sent to invoke a Cloud Function:

YAML

  - step_A:
      call: http.get
      args:
          url: https://us-central1-project.cloudfunctions.net/functionA
          query:
              firstNumber: 4
              secondNumber: 6
              operation: sum
          auth:
              type: OIDC
              audience: OIDC_AUDIENCE
    

JSON

    [
      {
        "step_A": {
          "call": "http.get",
          "args": {
            "url": "https://us-central1-project.cloudfunctions.net/functionA",
            "query": {
              "firstNumber": 4,
              "secondNumber": 6,
              "operation": "sum"
            },
            "auth": {
              "type": "OIDC",
              "audience": "OIDC_AUDIENCE"
            }
          }
        }
      }
    ]
      
The audience key is optional, but can be used to specify the OIDC audience for the token. By default, OIDC_AUDIENCE is set to the same value as url.
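The three cases above (Google Cloud APIs take an OAuth2 auth block, Cloud Functions and Cloud Run take an OIDC auth block, third-party APIs take an Authorization header) and the two defaults (scopes falls back to cloud-platform, audience falls back to url) are easy to get wrong when editing a workflow by hand. The following is an added example, not code from this page or from Google Cloud Workflows: a small linter that reads a workflow definition in the JSON form shown on this page, resolves the effective auth for each http.* step, and reports steps whose auth does not match their target. The host-suffix rule (googleapis.com for OAuth2; cloudfunctions.net and run.app for OIDC), the function names, and the sample workflow are all assumptions constructed for the example; services on custom domains would need their own entries in those tables.

```python
"""Lint a Workflows definition (JSON form) for the auth rules this page describes."""
import json
from urllib.parse import urlparse

DEFAULT_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Host suffixes (assumption for this linter): Google Cloud APIs live under googleapis.com and
# take OAuth2; default Cloud Functions and Cloud Run URLs end in cloudfunctions.net or run.app
# and take OIDC. Custom domains are not covered by these tables.
OAUTH2_HOSTS = ("googleapis.com",)
OIDC_HOSTS = ("cloudfunctions.net", "run.app")


def _host_matches(host, suffixes):
    # Match the suffix only at a label boundary, so "evilgoogleapis.com" does not match.
    return any(host == s or host.endswith("." + s) for s in suffixes)


def expected_auth_type(url):
    """Return 'OAuth2', 'OIDC', or None (third-party API: use an Authorization header)."""
    host = (urlparse(url).hostname or "").lower()
    if _host_matches(host, OAUTH2_HOSTS):
        return "OAuth2"
    if _host_matches(host, OIDC_HOSTS):
        return "OIDC"
    return None


def normalize_scopes(scopes):
    """Scopes may be a list, or a string split on spaces or commas; default is cloud-platform."""
    if scopes is None:
        return [DEFAULT_SCOPE]
    if isinstance(scopes, str):
        return [s for s in scopes.replace(",", " ").split() if s]
    return list(scopes)


def effective_auth(args):
    """Resolve the defaults stated on the page: scopes -> cloud-platform, audience -> url."""
    auth = args.get("auth")
    if auth is None:
        return None
    resolved = dict(auth)
    if auth.get("type") == "OAuth2":
        resolved["scopes"] = normalize_scopes(auth.get("scopes"))
    elif auth.get("type") == "OIDC":
        resolved["audience"] = auth.get("audience", args.get("url"))
    return resolved


def lint_workflow(steps):
    """Return (step_name, message) for every http.* step whose auth does not fit its target."""
    findings = []
    for step in steps:
        for name, body in step.items():
            if not str(body.get("call", "")).startswith("http."):
                continue
            args = body.get("args", {})
            url = args.get("url", "")
            want = expected_auth_type(url)
            auth = args.get("auth")
            if want is None:
                if auth is None and "Authorization" not in args.get("headers", {}):
                    findings.append((name, "third-party URL with no Authorization header"))
            elif auth is None:
                findings.append((name, f"no auth block; {want} expected for {url}"))
            elif auth.get("type") != want:
                findings.append((name, f"auth type {auth.get('type')!r} but {want} expected for {url}"))
    return findings


# Constructed sample workflow in the JSON form used on this page; two steps are deliberately wrong.
SAMPLE_WORKFLOW = json.loads("""
[
  {"stop_vm": {"call": "http.post", "args": {
      "url": "https://compute.googleapis.com/compute/v1/projects/myproject1234/zones/us-central1-b/instances/myvm001/stop",
      "auth": {"type": "OAuth2", "scopes": "https://www.googleapis.com/auth/compute, https://www.googleapis.com/auth/cloud-platform"}}}},
  {"call_function": {"call": "http.get", "args": {
      "url": "https://us-central1-project.cloudfunctions.net/functionA",
      "query": {"firstNumber": 4, "secondNumber": 6, "operation": "sum"},
      "auth": {"type": "OIDC"}}}},
  {"list_buckets_unauthenticated": {"call": "http.get", "args": {
      "url": "https://storage.googleapis.com/storage/v1/b?project=myproject1234"}}},
  {"run_service_wrong_type": {"call": "http.post", "args": {
      "url": "https://my-service-abc123-uc.a.run.app/task",
      "auth": {"type": "OAuth2"}}}},
  {"third_party": {"call": "http.get", "args": {
      "url": "https://api.example.com/v1/status",
      "headers": {"Authorization": "Bearer ID_TOKEN"}}}}
]
""")

if __name__ == "__main__":
    for step in SAMPLE_WORKFLOW:
        for name, body in step.items():
            print(name, "->", effective_auth(body["args"]))
    for name, msg in lint_workflow(SAMPLE_WORKFLOW):
        print(f"FINDING {name}: {msg}")
```

Run on the sample, the linter flags list_buckets_unauthenticated (a Google Cloud API call with no auth block) and run_service_wrong_type (a Cloud Run URL given OAuth2 instead of OIDC), and it shows that call_function's audience resolves to its url while stop_vm's comma-separated scope string becomes a two-element list. Wiring a check like this into the pipeline that deploys workflow source catches a missing or mismatched auth block before the workflow ever runs.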

For more information, see Invoke Cloud Functions or Cloud Run.

What's next