他の Google Cloud サービス対してリクエストを行う場合は、ワークフローに、リクエストされたリソースへのアクセスに必要な権限を持つ 1 つ以上の Identity and Access Management(IAM)ロールが付与されているサービス アカウントに関連付けられている必要があります。既存のワークフローに関連付けられているサービス アカウントについては、ワークフローに関連付けられたサービス アカウントの確認をご覧ください。
サービス アカウントを設定するときに、リクエスト対象の ID とアクセス権を付与するリソースを関連付けます。リクエスト元 ID は、そのリソースのプリンシパルとし、適切なロールを指定します。このロールでは、リソースのコンテキストで ID が持つ権限を定義します。IAP により保護されているアプリケーションまたはリソースには、適正なロールを持つプリンシパルのみがプロキシを介してアクセスできます。
たとえば、認証後、IAP は関連する許可ポリシーを適用して、プリンシパルがリクエストされたリソースにアクセスする権限を持っているかどうかをチェックします。プリンシパルは、リソースが存在する Google Cloud コンソールプロジェクトの IAP で保護されたウェブアプリ ユーザーのロール(roles/iap.httpsResourceAccessor)がある場合、アプリケーションにアクセスする権限があります。
[[["わかりやすい","easyToUnderstand","thumb-up"],["問題の解決に役立った","solvedMyProblem","thumb-up"],["その他","otherUp","thumb-up"]],[["わかりにくい","hardToUnderstand","thumb-down"],["情報またはサンプルコードが不正確","incorrectInformationOrSampleCode","thumb-down"],["必要な情報 / サンプルがない","missingTheInformationSamplesINeed","thumb-down"],["翻訳に関する問題","translationIssue","thumb-down"],["その他","otherDown","thumb-down"]],["最終更新日 2025-09-04 UTC。"],[],[],null,["# Invoke a private on‑prem, Compute Engine, GKE, or other endpoint by enabling IAP\n\nYou can invoke a private on‑premises, Compute Engine,\nGoogle Kubernetes Engine (GKE), or other Google Cloud endpoint from\nWorkflows by enabling Identity-Aware Proxy (IAP) for the endpoint.\nIAP is used to enforce access control policies, and it lets you\nestablish a central authorization layer for applications accessed by HTTPS, so\nthat you can use an application-level access control model instead of relying on\nnetwork-level firewalls.\n\nFor more information, see the\n[IAP overview](/iap/docs/concepts-overview) and the following\nguides:\n\n- [Enable IAP for App Engine](/iap/docs/authenticate-users-google-accounts)\n- [Enable IAP for Cloud Run](/iap/docs/enabling-cloud-run)\n- [Enable IAP for Compute Engine](/iap/docs/enabling-compute-howto)\n- [Enable IAP for GKE](/iap/docs/enabling-kubernetes-howto)\n- [Enable IAP for on‑premises apps](/iap/docs/enabling-on-prem-howto)\n\nAlternatively, you can target a private endpoint for HTTP calls from your\nworkflow execution by using Service Directory's service registry with\nWorkflows. For more information, see\n[Invoke a private endpoint using Service Directory's service registry](/workflows/docs/invoke-private-endpoint-vpc).\n\nMake an HTTP request\n--------------------\n\nCalling or invoking a private endpoint from Workflows is done\nthrough an HTTP request. The most common HTTP request methods have a call\nshortcut (such as [http.get](/workflows/docs/reference/stdlib/http/get)\nand [http.post](/workflows/docs/reference/stdlib/http/post)), but you can make\nany type of HTTP request by setting the `call` field to `http.request` and\nspecifying the type of request using the `method` field. For\nmore information, see [Make an HTTP request](/workflows/docs/http-requests).\n\nUse a service account with the required permissions\n---------------------------------------------------\n\nWhen making requests to other Google Cloud services, your workflow must\nbe associated with a service account that has been granted one or more\nIdentity and Access Management (IAM) roles containing the required permissions to access\nthe requested resources. To learn what service account is associated with an\nexisting workflow, see\n[Verify a workflow's associated service account](/workflows/docs/authentication#verify-service-account).\n\nWhen setting up a service account, you associate the requesting identity with\nthe resource you want to give it access to---you make the requesting identity a\n*principal*, or user, of the resource---and then assign it the appropriate role.\nThe role defines what permissions the identity has in the context of the\nresource. When an application or resource is protected by IAP,\nit can only be accessed through the proxy by principals who have the correct\nrole.\n\nFor example, after authentication, IAP applies the relevant\nallow policy to check if the principal is authorized to access the requested\nresource. If the principal has the **IAP-secured Web App User** role\n(`roles/iap.httpsResourceAccessor`) on the Google Cloud console project\nwhere the resource exists, they're authorized to access the application.\n\nYou can configure access to your IAP-secured resource through\nthe [IAP page](https://console.cloud.google.com/security/iap) by adding the\nWorkflows service account as a principal. For more information,\nsee [Managing access to IAP-secured resources](/iap/docs/managing-access).\n\nAdd authentication information to your workflow\n-----------------------------------------------\n\n| **Note:** This authentication method is restricted to HTTPS endpoints.\n\nBy default, HTTP requests don't contain identity or access tokens for security\nreasons. You must explicitly add authentication information to your workflow\ndefinition. When making requests to a private endpoint, use OIDC to authenticate\nthrough IAP.\n\nTo make an HTTP request using OIDC, add an `auth` section to the `args` section\nof your workflow's definition, after you specify the URL.\n\n\u003cbr /\u003e\n\n### YAML\n\n```yaml\n - step_A:\n call: http.get\n args:\n url: https://www.example.com/endpoint\n body:\n someValue: \"Hello World\"\n anotherValue: 123\n auth:\n type: OIDC\n audience: OIDC_AUDIENCE\n \n```\n\n### JSON\n\n```json\n [\n {\n \"step_A\": {\n \"call\": \"http.get\",\n \"args\": {\n \"url\": \"https://www.example.com/endpoint\",\n \"body\": {\n \"someValue\": \"Hello World\",\n \"anotherValue\": 123\n },\n \"auth\": {\n \"type\": \"OIDC\",\n \"audience\": \"\u003cvar translate=\"no\"\u003eOIDC_AUDIENCE\u003c/var\u003e\"\n }\n }\n }\n }\n ]\n \n```\n\n\u003cbr /\u003e\n\nYou can use the `audience` parameter to specify the OIDC audience for the token.\nWhen invoking an IAP-enabled endpoint, you must specify the\nOAuth 2.0 client ID that you have configured for your application. This can be\nobtained from the [Credentials page](https://console.cloud.google.com/apis/credentials).\n\nWhat's next\n-----------\n\n- [Grant a workflow permission to access Google Cloud resources](/workflows/docs/authentication)\n- [Access HTTP response data saved in a variable](/workflows/docs/http-requests#access-data)"]]