Adding AuthorizationHeader to the HttpRequest type does not append an Authorization header about go-genproto HOT 5 CLOSED

Turns out this was our fault. The Audience value was not being passed in correctly - we were actually getting an empty string. Now that it's being set to the correct client ID value, the AuthorizationHeader does work to authenticate the task. Thanks for the help @codyoss!

from go-genproto.

Hmmm that looks very similar to what I did. My value for Audience in your case would have been "www.urlgoeshere.com". I posted to a URL(HTTP Cloud Function) and verified I had an Authorization header in the incoming request. I am not an expert on this API though. I would suggest reaching out to the Cloud Task Support for issues related specifically to this API.

from go-genproto.

I was able to use that sample and it worked for me. There are a couple things through. Make sure you have the correct IAM perms set up as described in the docs for the AuthorizationHeader type you are using. I used an OidcToken and I also provided the audience field to match the url. Hope that helps.

from go-genproto.

@codyoss - thanks for your response. I may not have been specific enough about the code I'm using. I'm attaching a simplified version of the code below - also see the Go Playground link ( https://go.dev/play/p/Ec38d2CAcBa ):

package main

import (
	"context"
	"time"

	cloudtasks "cloud.google.com/go/cloudtasks/apiv2"
	taskspb "google.golang.org/genproto/googleapis/cloud/tasks/v2"
	"google.golang.org/protobuf/types/known/timestamppb"
)

func main() {
	// simplified version of code:
	ctx := context.Background()
	taskRequest := taskspb.CreateTaskRequest{
		Parent: "queue-name-goes-here",
		Task: &taskspb.Task{
			ScheduleTime: timestamppb.New(time.Now()), // optional time
			MessageType: &taskspb.Task_HttpRequest{
				HttpRequest: &taskspb.HttpRequest{
					HttpMethod: taskspb.HttpMethod_POST,
					Url:        "www.urlgoeshere.com",
					AuthorizationHeader: &taskspb.HttpRequest_OidcToken{
						OidcToken: &taskspb.OidcToken{
							ServiceAccountEmail: "[email protected]",
							Audience:            "project_number-number_generated_by_iap.apps.googleusercontent.com",
						},
					},
				},
			},
		},
	}
	client, _ := cloudtasks.NewClient(ctx)
	task, err := client.CreateTask(ctx, &taskRequest)
	// etc.
}

The IAM permissions for the service account we're using include everything listed here: https://cloud.google.com/tasks/docs/creating-http-target-tasks#sa
That is, two of its roles are Cloud Tasks Enqueuer and Service Account User.
The Audience value we're using is an OAuth 2.0 client ID listed on this page - https://console.cloud.google.com/apis/credentials for our project.
We also tried using the task url (from the Url field) as the audience but this didn't make a difference. The auth header did not get attached in either case. Any idea why?

from go-genproto.

@michal-wknd Glad to hear it, np!

from go-genproto.