When you have a web service behind an Identity Aware Proxy (IAP), it is pretty hard to access it via curl on the command line. In this tiny blog I will show you how you can do it. To curl a web service behind an Identity Aware Proxy, use the following commands:
```bash
OAUTH_CLIENT_ID=1234567890-j9onig1ofcgle7iogv8fceu04v8hriuv.apps.googleusercontent.com
AUTHORIZED_SA=email@example.com
URL=https://your-iap-protected-endpoint

# Mint an ID token for the IAP OAuth client by impersonating the authorized service account.
ID_TOKEN=$(
  gcloud auth print-identity-token \
    --audiences "$OAUTH_CLIENT_ID" \
    --include-email \
    --impersonate-service-account "$AUTHORIZED_SA"
)

# Send the token to IAP in the Proxy-Authorization header.
curl --header "Proxy-Authorization: Bearer $ID_TOKEN" "$URL"
```
That is all there is to it.
Through service account impersonation, you can create an ID token to access an Identity Aware Proxy protected service. It would be nice if users could directly generate the required ID token, but you cannot.
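When the curl call is rejected, it helps to look at the token itself: the `--audiences` and `--include-email` flags above should show up as the `aud` and `email` claims. The following is an added example, not part of the original post; the function names are hypothetical, the sample token is constructed and unsigned, and the check only reads claims locally without verifying the signature.

```bash
#!/usr/bin/env bash
# Added example: local pre-flight check of an ID token's claims.
# It does not verify the signature; IAP does that on its side.

# Print the decoded payload (second segment) of a JWT.
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')        # base64url -> base64
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done  # restore padding
  printf '%s' "$seg" | base64 -d
}

# Print one top-level string claim (hypothetical helper, sed-based, no jq needed).
jwt_claim() {
  jwt_payload "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Return 0 if the token targets EXPECTED_AUDIENCE, carries an email, and is unexpired.
check_iap_token() {  # usage: check_iap_token TOKEN EXPECTED_AUDIENCE
  local aud email exp
  aud=$(jwt_claim "$1" aud)
  email=$(jwt_claim "$1" email)
  exp=$(jwt_payload "$1" | sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
  [ "$aud" = "$2" ] || { echo "aud is '$aud', expected '$2'" >&2; return 1; }
  [ -n "$email" ] || { echo "no email claim; was --include-email passed?" >&2; return 2; }
  [ "${exp:-0}" -gt "$(date +%s)" ] || { echo "token expired" >&2; return 3; }
}

# Build an unsigned, constructed sample token from a JSON payload (demo input only).
b64url() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
sample_token() { printf '%s.%s.sig' "$(b64url '{"alg":"none"}')" "$(b64url "$1")"; }

SAMPLE=$(sample_token '{"aud":"constructed-client-id","email":"sa@example.com","exp":4102444800}')
if check_iap_token "$SAMPLE" "constructed-client-id"; then
  echo "sample token ok for $(jwt_claim "$SAMPLE" email)"
fi
```

With a real token, run `check_iap_token "$ID_TOKEN" "$OAUTH_CLIENT_ID"` before the curl call; a non-zero exit code tells you which claim is off.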