Make authenticated requests from a workflow

To make authenticated HTTP requests, your workflow must be associated with a service account (identified by its email address) that has the appropriate credentials. For more information about attaching an Identity and Access Management (IAM) service account to a workflow, and granting it the permissions required to access resources, see Grant a workflow permission to access Google Cloud resources.

Authentication tokens

By default, HTTP requests don't contain identity or access tokens for security reasons. You must explicitly add authentication information to your workflow definition.

To authenticate between Workflows and an HTTP target that requires such authentication, Workflows uses a token in the authorization header based on the credentials of the service account attached to the workflow, and sends the token using HTTPS to the target service. When connecting with Cloud Run functions or Cloud Run, use an ID token (OIDC). For APIs hosted on googleapis.com, use an access token (OAuth 2.0).

To make an authenticated request from within a workflow, do one of the following, depending on the service you are calling:

Make authenticated requests to external APIs

If you're integrating a third-party API, include an Authorization request header with the credentials necessary to carry out the authentication. For example, include an ID token in an Authorization: Bearer ID_TOKEN header in the request to the service. For more information, consult the API provider's documentation.

Make authenticated requests to Google Cloud APIs

A workflow's service account can generate OAuth 2.0 tokens that the workflow can use to authenticate to any Google Cloud API. When you use this authentication method, the workflow authenticates as its associated service account. To make an HTTP request using the OAuth 2.0 protocol, add an auth section to the args section of your workflow's definition, after you specify the URL. In this example, a request is sent to the Compute Engine API to stop a VM:

YAML

  - step_A:
      call: http.post
      args:
          url: https://compute.googleapis.com/compute/v1/projects/myproject1234/zones/us-central1-b/instances/myvm001/stop
          auth:
              type: OAuth2
              scopes: OAUTH_SCOPE

JSON

    [
      {
        "step_A": {
          "call": "http.post",
          "args": {
            "url": "https://compute.googleapis.com/compute/v1/projects/myproject1234/zones/us-central1-b/instances/myvm001/stop",
            "auth": {
              "type": "OAuth2",
              "scopes": "OAUTH_SCOPE"
            }
          }
        }
      }
    ]
The scopes key is optional, but can be used to specify OAuth 2.0 scopes for the token. Replace OAUTH_SCOPE with a string or a list of strings. Space- and comma-separated strings are also supported. By default, the value is set to https://www.googleapis.com/auth/cloud-platform.

Make requests to Cloud Run functions or Cloud Run

When making requests to Cloud Run functions or Cloud Run, use OIDC to authenticate.

To make an HTTP request using OIDC, add an auth section to the args section of your workflow's definition, after you specify the URL. In this example, a request is sent to invoke a Cloud Run function:

YAML

  - step_A:
      call: http.get
      args:
          url: https://us-central1-project.cloudfunctions.net/functionA
          query:
              firstNumber: 4
              secondNumber: 6
              operation: sum
          auth:
              type: OIDC
              audience: OIDC_AUDIENCE

JSON

    [
      {
        "step_A": {
          "call": "http.get",
          "args": {
            "url": "https://us-central1-project.cloudfunctions.net/functionA",
            "query": {
              "firstNumber": 4,
              "secondNumber": 6,
              "operation": "sum"
            },
            "auth": {
              "type": "OIDC",
              "audience": "OIDC_AUDIENCE"
            }
          }
        }
      }
    ]
The audience key is optional, but can be used to specify the OIDC audience for the token. By default, OIDC_AUDIENCE is set to the same value as url.
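The following checker, an added example that is not part of Workflows or this page, applies the rules from the OAuth 2.0 and OIDC sections above to a workflow definition in the JSON form shown here: it flags http.* steps that carry no auth section, flags Google-hosted URLs that use the wrong token type, and reports the scopes or audience that take effect once the page's defaults are applied. The mapping from host suffix to token type, the step_C entry, and the functionB URL are this example's own assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed workflow (the page's JSON form): the page's two steps plus an unauthenticated step_C.
SAMPLE_WORKFLOW = json.loads("""[
  {"step_A": {"call": "http.post", "args": {
      "url": "https://compute.googleapis.com/compute/v1/projects/myproject1234/zones/us-central1-b/instances/myvm001/stop",
      "auth": {"type": "OAuth2", "scopes": "OAUTH_SCOPE"}}}},
  {"step_B": {"call": "http.get", "args": {
      "url": "https://us-central1-project.cloudfunctions.net/functionA",
      "query": {"firstNumber": 4, "secondNumber": 6, "operation": "sum"},
      "auth": {"type": "OIDC"}}}},
  {"step_C": {"call": "http.get", "args": {"url": "https://us-central1-project.cloudfunctions.net/functionB"}}}
]""")

def expected_auth_type(url):
    # Token type the page prescribes for the host; the suffix list is this example's assumption.
    host = urlparse(url).hostname or ""
    if host.endswith(".googleapis.com"):
        return "OAuth2"
    if host.endswith((".cloudfunctions.net", ".run.app")):
        return "OIDC"
    return None  # third-party API: authenticate per the provider's documentation

def effective_auth(args):
    # Apply the page's defaults: OAuth2 scopes fall back to cloud-platform, OIDC audience to url.
    auth = args.get("auth") or {}
    kind = auth.get("type")
    if kind == "OAuth2":
        return kind, auth.get("scopes", "https://www.googleapis.com/auth/cloud-platform")
    if kind == "OIDC":
        return kind, auth.get("audience", args.get("url"))
    return None, None

def check_auth(workflow):
    # (step, problem) for each http.* step sent without a token or with the wrong token type.
    problems = []
    for step in workflow:
        for name, body in step.items():
            if not str(body.get("call", "")).startswith("http."):
                continue
            args = body.get("args", {})
            want = expected_auth_type(args.get("url", ""))
            got, _ = effective_auth(args)
            if got is None:
                problems.append((name, "no auth section: request carries no token"))
            elif want and got != want:
                problems.append((name, f"expected {want}, got {got}"))
    return problems
```

Running check_auth over SAMPLE_WORKFLOW reports only step_C, and effective_auth on step_B shows the audience defaulting to the function's own URL.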

Note that it's possible for Workflows to invoke Cloud Run functions or Cloud Run services that have ingress restricted to internal traffic. With this configuration, your services are unreachable from the internet but can be reached from Workflows.

For more information, see Invoke Cloud Run functions or Cloud Run.
