2026-07-06 - Two-Step IAP to GCIP Auth for Cloud Functions Calling App Engine¶
Release¶
AgileData.io - Correct Auth Chain: Cloud Functions Now Use a Two-Step Token Flow
Cloud Functions calling IAP-protected App Engine services now use a proper two-step authentication flow: first obtaining an IAP token, then exchanging it for a GCIP token. This resolves a pattern mismatch where Cloud Functions were not authenticating correctly to reach IAP-protected endpoints in certain tenancy configurations.
The GCIP client configuration details are retrieved from Firestore at runtime, ensuring each tenancy’s correct identity configuration is used for the token exchange. This architecture allows Cloud Functions to call across service boundaries securely and correctly, regardless of which identity provider a tenancy uses.
What’s New:
Cloud Functions calling IAP-protected App Engine endpoints use a two-step IAP → GCIP token flow
GCIP client configuration retrieved dynamically from Firestore per tenancy
What this means for you:
Reliable cross-service authentication for Cloud Function-triggered workflows
Correct token types used at each step of the authentication chain, preventing silent failures
Last Refreshed¶
Doc Refreshed: 2026-07-06