GCP authentication

This extension may be referenced by the qualified name envoy.filters.http.gcp_authn


This extension is functional but has not had substantial production burn time, use only with this caveat.

This extension has an unknown security posture and should only be used in deployments where both the downstream and upstream are trusted.


This extension extends and can be used with the following extension category:

GCP authentication configuration overview.


[extensions.filters.http.gcp_authn.v3.GcpAuthnFilterConfig proto]

Filter configuration.

  "http_uri": "{...}",
  "retry_policy": "{...}"

(config.core.v3.HttpUri, REQUIRED) The HTTP URI to fetch tokens from GCE Metadata Server(https://cloud.google.com/compute/docs/metadata/overview). The URL format is “http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=[AUDIENCE]”


(config.core.v3.RetryPolicy) Retry policy for fetching tokens. This field is optional. If it is not configured, the filter will be fail-closed (i.e., reject the requests).


[extensions.filters.http.gcp_authn.v3.Audience proto]

  "audience_map": "{...}"

(repeated map<string, string>) The map of audience key to audience value. The key is defined as the contract with control plane in the configuration. It is fixed string “audience_key”. The value is URL of the receiving service that performs token authentication.