AgileData.io Docs
Table Of Contents
AgileData.io Docs
Table Of Contents

2026-07-06 - Two-Step IAP to GCIP Auth for Cloud Functions Calling App Engine

Release

AgileData.io - Correct Auth Chain: Cloud Functions Now Use a Two-Step Token Flow

Cloud Functions calling IAP-protected App Engine services now use a proper two-step authentication flow: first obtaining an IAP token, then exchanging it for a GCIP token. This resolves a pattern mismatch where Cloud Functions were not authenticating correctly to reach IAP-protected endpoints in certain tenancy configurations.

The GCIP client configuration details are retrieved from Firestore at runtime, ensuring each tenancy’s correct identity configuration is used for the token exchange. This architecture allows Cloud Functions to call across service boundaries securely and correctly, regardless of which identity provider a tenancy uses.

What’s New:

  • Cloud Functions calling IAP-protected App Engine endpoints use a two-step IAP → GCIP token flow

  • GCIP client configuration retrieved dynamically from Firestore per tenancy

What this means for you:

  • Reliable cross-service authentication for Cloud Function-triggered workflows

  • Correct token types used at each step of the authentication chain, preventing silent failures

Last Refreshed

Doc Refreshed: 2026-07-06