imkira
gcp-iap-auth
Go

A simple server implementation and package in Go for helping you secure your web apps running on GCP behind a Cloud IAP (Identity-Aware Proxy)

Last updated Jan 25, 2026
89
Stars
34
Forks
6
Issues
0
Stars/day
Attention Score
17
Language breakdown
No language data available.
Files click to expand
README

gcp-iap-auth

License Build Status

gcp-iap-auth is a simple server implementation and package in Go for helping you secure your web apps running on GCP behind a Google Cloud Platform's IAP (Identity-Aware Proxy) by validating IAP signed headers in the requests.

Why

Validating signed headers helps you protect your app from the following kinds of risks:

  • IAP is accidentally disabled;
  • Misconfigured firewalls;
  • Access from within the project.

How to use it as a package

go get -u github.com/imkira/gcp-iap-auth/jwt

The following is just an excerpt of the provided simple.go example:

// Here we validate the tokens in all requests going to
// our server at http://127.0.0.1:12345/auth
// For valid tokens we return 200, otherwise 401.
func AuthHandler(w http.ResponseWriter, req *http.Request) {
	if err := jwt.ValidateRequestClaims(req, cfg); err != nil {
		w.WriteHeader(http.StatusUnauthorized)
	} else {
		w.WriteHeader(http.StatusOK)
	}
}

For advanced usage, make sure to check the available documentation here.

How to use it as a server

Binary Releases are provided for convenience.

After downloading it, you can execute it like:

gcp-iap-auth --audiences=YOUR_AUDIENCE
Construction of the YOURAUDIENCE string is covered here

HTTPS is also supported. Just make sure you give it the cert/key files:

gcp-iap-auth --audiences=YOURAUDIENCE --tls-cert=PATHTOCERTFILE --tls-key=PATHTOKEY_FILE

It is also possible to use environment variables instead of flags. Just prepend GCPIAPAUTH to the flag name (in CAPS and with - replaced by ) and you're good to go (eg: GCPIAPAUTH_AUDIENCES replaces --audiences)

For help, just check usage:

gcp-iap-auth --help

How to use it as a reverse proxy

In this mode the gcp-iap-auth server runs as a proxy in front of another web app. The JWT header will be checked and requests with a valid header will be passed to the backend, while all other requests will return HTTP error 401.

gcp-iap-auth --audiences=YOUR_AUDIENCE --backend=http://localhost:8080

In proxy mode you may optionally specify a header that will be filled with the validated email address from the JWT token. The value will only contain the email address, eg: name@dom.tld, unlike the x-goog-authenticated-user-email header this does not contain a namespace prefix, making this approach suitable for backend apps which only want an email address.

gcp-iap-auth --audiences=YOUR_AUDIENCE --backend=http://localhost:8080 --email-header=X-WEBAUTH-USER

Integration with NGINX

You can also integrate gcp-iap-auth server with NGINX using the httpauthrequestmodule.

The important part is as follows (full nginx.conf example file here):

upstream AUTHSERVERUPSTREAM {
      server AUTHSERVERADDR:AUTHSERVERPORT;
    }

upstream APPSERVERUPSTREAM { server APPSERVERADDR:APPSERVERPORT; }

server { servername APPDOMAIN;

location = /gcp-iap-auth { internal; proxypass http://AUTHSERVER_UPSTREAM/auth; proxypassrequest_body off; proxypassrequest_headers off; proxysetheader X-Goog-IAP-JWT-Assertion $httpxgoogiapjwt_assertion; }

location / { auth_request /gcp-iap-auth; proxypass http://APPSERVER_UPSTREAM; } }

Please note:

  • Replace AUTHSERVERUPSTREAM, AUTHSERVERADDR, and AUTHSERVERPORT with the data about your gcp-iap-auth server.
  • Replace APPSERVERUPSTREAM, APPSERVERADDR, and APPSERVERPORT with the data about your own web app server.
  • Replace APP_DOMAIN with the domain(s) you set up in your GCP IAP settings.
  • gcp-iap-auth only needs to receive the original X-Goog-IAP-JWT-Assertion header sent by Google, so you can and you are advised to disable proxying the original request body and other headers. Not only it is unecessary you may leak information you may not want to.
  • Please adjust appropriately (you may want to use HTTPS instead of HTTP, multiple domains, etc.). This example is just provided for reference.

Using it with Docker

Docker images are provided for convenience.

docker run --rm -e GCPIAPAUTHAUDIENCES=YOURAUDIENCE imkira/gcp-iap-auth

For advanced usage, please read the instructions inside.

Using it with Kubernetes

As a reverse proxy

A simple way to use it with kubernetes and without any other dependencies is to run it as a reverse proxy that validates and forwards requests to a backend server.

- name: gcp-iap-auth
        image: imkira/gcp-iap-auth:0.0.5
        env:
        - name: GCPIAPAUTH_AUDIENCES
          value: "YOUR_AUDIENCE"
        - name: GCPIAPAUTHLISTENPORT
          value: "1080"
        - name: GCPIAPAUTH_BACKEND
          value: "http://YOURBACKENDSERVER"
        ports:
        - name: proxy
          containerPort: 1080
        readinessProbe:
          httpGet:
            path: /healthz
            scheme: HTTP
            port: proxy
          periodSeconds: 1
          timeoutSeconds: 1
          successThreshold: 1
          failureThreshold: 10
        livenessProbe:
          httpGet:
            path: /healthz
            scheme: HTTP
            port: proxy
          timeoutSeconds: 5
          initialDelaySeconds: 10

With NGINX

You can use it with kubernetes in different ways, but I personally recommend running it as a sidecar container by adding it to, say, an existing NGINX container:

- name: nginx
      # your nginx container should go here...
      - name: gcp-iap-auth
        image: imkira/gcp-iap-auth:0.0.5
        env:
        - name: GCPIAPAUTH_AUDIENCES
          value: "YOUR_AUDIENCE"
        - name: GCPIAPAUTHLISTENPORT
          value: "1080"
        ports:
        - name: auth
          containerPort: 1080
        readinessProbe:
          httpGet:
            path: /healthz
            scheme: HTTP
            port: auth
          periodSeconds: 1
          timeoutSeconds: 1
          successThreshold: 1
          failureThreshold: 10
        livenessProbe:
          httpGet:
            path: /healthz
            scheme: HTTP
            port: auth
          timeoutSeconds: 5
          initialDelaySeconds: 10

Notes

To use HTTPS just make sure:

  • You set up GCPIAPAUTHTLSCERT=/path/to/tlscertfile and GCPIAPAUTHTLSKEY=/path/to/tlskeyfile environment variables.
  • You set up volumes for secrets in kubernetes so it knows where to find them.
  • Change the scheme in readiness and liveness probes to HTTPS.
  • Adjust your nginx.conf as necessary to proxy pass the auth requests to gcp-iap-auth as HTTPS.

License

gcp-iap-auth is licensed under the MIT license:

www.opensource.org/licenses/MIT

Copyright

Copyright (c) 2017 Mario Freitas. See LICENSE for further details.

🔗 More in this category

© 2026 GitRepoTrend · imkira/gcp-iap-auth · Updated daily from GitHub