Make authenticated requests from a workflow

To make authenticated HTTP requests, your workflow must be associated with a service account (identified by its email address) that has the appropriate credentials. For more information about attaching an Identity and Access Management (IAM) service account to a workflow, and granting it the permissions required to access resources, see Grant a workflow permission to access Google Cloud resources.

Authentication tokens

By default, HTTP requests don't contain identity or access tokens for security reasons. You must explicitly add authentication information to your workflow definition.

To authenticate between Workflows and an HTTP target that requires such authentication, Workflows uses a token in the authorization header based on the credentials of the service account attached to the workflow, and sends the token using HTTPS to the target service. When connecting with Cloud Functions or Cloud Run, use an ID token (OIDC). For APIs hosted on googleapis.com, use an access token (OAuth 2.0).

To make an authenticated request from within a workflow, do one of the following depending on the service you are calling:

External APIs—Use an Authorization request header to authenticate with a third-party API. In this document, see Make authenticated requests to external APIs.
Google Cloud APIs—If available, use a Workflows connector, which automatically provides the required authentication using the workflow's service account. If you can't use a connector, use an HTTP request with OAuth 2.0 to connect with other Google Cloud APIs. Any API that ends with a hostname of .googleapis.com accepts this authentication method. In this document, see Make authenticated requests to Google Cloud APIs.
Cloud Functions or Cloud Run—Use OIDC to connect with Cloud Run or Cloud Functions. In this document, see Make requests to Cloud Run or Cloud Functions.
Private on‑premises, Compute Engine, Google Kubernetes Engine (GKE), or other Google Cloud endpoints—Use Identity-Aware Proxy (IAP) with OIDC to enforce access control policies for your endpoints. For more information, see Invoke private on‑prem, Compute Engine, GKE, or other endpoint and learn how to authenticate to an IAP-secured resource from a user or service account.

Make authenticated requests to external APIs

If you're integrating a third-party API, include an Authorization request header with the credentials necessary to carry out the authentication. For example, include an ID token in an Authorization: Bearer ID_TOKEN header in the request to the service. For more information, consult the API provider's documentation.

Make authenticated requests to Google Cloud APIs

A workflow's service account can generate OAuth 2.0 tokens that the workflow can use to authenticate to any Google Cloud API. When you use this authentication method, the workflow authenticates as its associated service account. To make an HTTP request using the OAuth 2.0 protocol, add an auth section to the args section of your workflow's definition, after you specify the URL. In this example, a request is sent to the Compute Engine API to stop a VM:

YAML

  - step_A:
      call: http.post
      args:
          url: https://compute.googleapis.com/compute/v1/projects/myproject1234/zones/us-central1-b/instances/myvm001/stop
          auth:
              type: OAuth2
              scopes: OAUTH_SCOPE

JSON

    [
      {
        "step_A": {
          "call": "http.post",
          "args": {
            "url": "https://compute.googleapis.com/compute/v1/projects/myproject1234/zones/us-central1-b/instances/myvm001/stop",
            "auth": {
              "type": "OAuth2",
              "scopes": "OAUTH_SCOPE"
            }
          }
        }
      }
    ]

The scopes key is optional, but can be used to specify OAuth 2.0 scopes for the token. Replace OAUTH_SCOPE with a string or list of strings. Space and comma-separated strings are also supported. By default, the value is set to https://www.googleapis.com/auth/cloud-platform.

Make requests to Cloud Functions or Cloud Run

When making requests to Cloud Functions or Cloud Run, use OIDC to authenticate.

To make an HTTP request using OIDC, add an auth section to the args section of your workflow's definition, after you specify the URL. In this example, a request is sent to invoke a Cloud Function:

YAML

  - step_A:
      call: http.get
      args:
          url: https://us-central1-project.cloudfunctions.net/functionA
          query:
              firstNumber: 4
              secondNumber: 6
              operation: sum
          auth:
              type: OIDC
              audience: OIDC_AUDIENCE

JSON

    [
      {
        "step_A": {
          "call": "http.get",
          "args": {
            "url": "https://us-central1-project.cloudfunctions.net/functionA",
            "query": {
              "firstNumber": 4,
              "secondNumber": 6,
              "operation": "sum"
            },
            "auth": {
              "type": "OIDC",
              "audience": "OIDC_AUDIENCE"
            }
          }
        }
      }
    ]

The audience key is optional, but can be used to specify the OIDC audience for the token. By default, OIDC_AUDIENCE is set to the same value as url.

Note that it's possible for Workflows to invoke Cloud Functions or Cloud Run services that have ingress restricted to internal traffic. With this configuration, your services are unreachable from the internet but can be reached from Workflows.

For more information, see Invoke Cloud Functions or Cloud Run.

Make authenticated requests from a workflow

Authentication tokens

Make authenticated requests to external APIs

Make authenticated requests to Google Cloud APIs

YAML

JSON

Make requests to Cloud Functions or Cloud Run

YAML

JSON

What's next