Google APIs use OAuth 2.0 for authentication and authorization. To call an API, you first have to obtain an access token for the right scope and then pass it to the respective API by using the Authorization HTTP header.
But the trouble with access tokens is that they are short-lived, and you somehow have to deal with expiring tokens…
Once you’ve signed in on google.com, the
Cloud Console, or any other Google site,
your browser session remains valid for multiple days. Not being prompted to sign
in over and over again is convenient and at least in typical consumer scenarios,
the risk that comes along with keeping the session is limited.
Things can look different in a corporate scenario where users might have access
to sensitive data. Keeping sessions alive for 14 days (which is the default)
might seem a little risky and might not be in line with an enterprise’s idea
of security. G Suite Business and Cloud Identity Premium therefore allow you to
change the default session length
to a different period such as 8 hours. This setting applies to all Google services, not only GCP.
In the last post, we discussed that each request that Cloud IAP passes to a backend appliation contains a X-Goog-Iap-Jwt-Assertion header. This header contains an IAP JWT assertion that looks a bit like an IdToken, but is not an IdToken.
At Google Cloud, we run a series of Cloud Summits each year. A Cloud Summit is essentially
a mini-version of Cloud NEXT – it lasts one day, features multiple tracks of technical sessions,
and is usually held in a location where there is plenty of space for booths where customers
can ask questions.
One question that we frequently get at the Ask an Architect or Ask the Expert booth
is about Cloud Identity-Aware Proxy - what is it for, how does it work, and how to use it?
In this series of blog posts, I am going to address these questions, one at a time:
Part 1: What is it for? – The role of Cloud IAP in zero-trust (this post)
A bit over 12 years ago I started this blog to write about Windows development. Back then,
I spent the majority of both my free time and time at work developing Win32 and COM-based software
and I was just starting to tip my toes into Kernel-mode development.
Things got quiet after 2010 when I changed careers and begun working as a consultant.
My focus shifted from Windows development to architecting scalable systems and later led
me to entirely different topics such as leading development teams and optimizing the software development lifecycle.
Although I never stopped doing Windows development, it got less over time – and I had less to write about
on this blog.
Now it is about time to get more active again on this blog. And as a first step,
I moved this blog to a new home.
Powershell advanced functions are a lightweight, yet pretty powerful way to extend the set of commands available in a Powershell sessions. Advanced functions look and feel almost exactly like proper cmdlets, but they are written in Powershell and therefore quick to develop.
By default, advanced functions are ephemeral though: If you run a script containing an advanced function, that function is going to be available for the rest of the Powershell session – after that, it is gone. To make an advanced function available permanently – like a cmdlet – you have to wrap it in a Powershell module, and install that module.