.. _2026-07-06-two-step-cloud-function-auth_release: ================================================================================= 2026-07-06 - Two-Step IAP to GCIP Auth for Cloud Functions Calling App Engine ================================================================================= Release ================== AgileData.io - Correct Auth Chain: Cloud Functions Now Use a Two-Step Token Flow Cloud Functions calling IAP-protected App Engine services now use a proper two-step authentication flow: first obtaining an IAP token, then exchanging it for a GCIP token. This resolves a pattern mismatch where Cloud Functions were not authenticating correctly to reach IAP-protected endpoints in certain tenancy configurations. The GCIP client configuration details are retrieved from Firestore at runtime, ensuring each tenancy's correct identity configuration is used for the token exchange. This architecture allows Cloud Functions to call across service boundaries securely and correctly, regardless of which identity provider a tenancy uses. **What's New:** * Cloud Functions calling IAP-protected App Engine endpoints use a two-step IAP → GCIP token flow * GCIP client configuration retrieved dynamically from Firestore per tenancy **What this means for you:** * Reliable cross-service authentication for Cloud Function-triggered workflows * Correct token types used at each step of the authentication chain, preventing silent failures Last Refreshed =========================== *Doc Refreshed: 2026-07-06*