<@ULVA73B9P> I'm running prefect self-hosted serve...
# ask-marvinu
최영범
07/19/2025, 7:57 PM@Marvin I'm running prefect self-hosted server on GCP Cloud Run service with Identity-Aware Proxy enabled. And, I want to deploy flow on GitHub Action. Authentication is done in GitHub Action, but prefect cli seem not to use the authentications. What should I Do?
m
Marvin
07/19/2025, 7:57 PM✅ thought for 64.8 seconds
Marvin
07/19/2025, 7:58 PMBased on the research and my understanding of GCP IAP authentication, here's what you need to do to make Prefect CLI work with IAP authentication in GitHub Actions:
1. First, you'll need to set up authentication for IAP in your GitHub Actions workflow. This typically involves:
- Creating a service account with appropriate permissions
- Creating and downloading a service account key
- Setting up the key as a GitHub secret
2. Then, you'll need to modify your GitHub Actions workflow to handle IAP authentication. Here's a suggested approach:
Copy code
yaml
name: Deploy Prefect Flow
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
# Set up Python
- uses: actions/setup-python@v4
with:
python-version: '3.10'
# Authenticate to Google Cloud
- id: 'auth'
uses: 'google-github-actions/auth@v1'
with:
credentials_json: '${{ secrets.GCP_SA_KEY }}'
# Get IAP authentication token
- name: Get IAP token
run: |
# Install necessary tools
pip install google-auth requests
# Generate IAP token and store it
python -c '
from google.oauth2 import service_account
from google.auth.transport.requests import Request
import os
credentials = service_account.Credentials.from_service_account_info(
${{ secrets.GCP_SA_KEY }},
["<https://www.googleapis.com/auth/cloud-platform>"]
)
# Force token refresh
request = Request()
credentials.refresh(request)
# Set the token as an environment variable
with open(os.environ["GITHUB_ENV"], "a") as f:
f.write(f"IAP_TOKEN={credentials.token}\n")
'
# Set up Prefect
- name: Setup Prefect
run: |
pip install prefect
# Set your Prefect API URL
prefect config set PREFECT_API_URL=${{ secrets.PREFECT_API_URL }}
# Deploy your flow
- name: Deploy Flow
env:
# Make the token available to the Prefect CLI
PREFECT_API_HEADERS: '{"Authorization": "Bearer ${{ env.IAP_TOKEN }}"}'
run: |
prefect deploy ... # Your deployment command herePREFECT_API_HEADERSroles/iap.httpsResourceAccessoru
최영범
07/19/2025, 8:00 PM@Marvin is the
PREFECT_API_HEADERSm
Marvin
07/19/2025, 8:00 PM✅ thought for 47.5 seconds
Marvin
07/19/2025, 8:01 PMI apologize for my previous response where I suggested using
PREFECT_API_HEADERS Copy code
python
# Set these environment variables
PREFECT_API_URL="your-server-url"
HTTPS_PROXY="your-proxy-that-handles-IAP-auth" Copy code
python
from prefect.settings import PREFECT_API_URL
from prefect.client.schemas.actions import ClientAPI
from prefect.client.utilities import get_client
from httpx import Client
# Create a custom client with IAP authentication
def get_iap_client():
credentials = service_account.Credentials.from_service_account_info(
# your service account info here
scopes=["<https://www.googleapis.com/auth/cloud-platform>"]
)
request = Request()
credentials.refresh(request)
headers = {
"Authorization": f"Bearer {credentials.token}"
}
client = Client(
base_url=PREFECT_API_URL.value(),
headers=headers
)
return client
# Use the custom client with Prefect
api_client = ClientAPI(client=get_iap_client())u
최영범
07/19/2025, 8:05 PM@Marvin what about
PREFECT_CLIENT_CUSTOM_HEADERSm
Marvin
07/19/2025, 8:05 PM✅ thought for 48.4 seconds
Marvin
07/19/2025, 8:06 PMYou're absolutely right! I apologize for my oversight. The link you provided points to the correct solution. The
PREFECT_CLIENT_CUSTOM_HEADERS Copy code
yaml
name: Deploy Prefect Flow
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
# Set up Python
- uses: actions/setup-python@v4
with:
python-version: '3.10'
# Authenticate to Google Cloud
- id: 'auth'
uses: 'google-github-actions/auth@v1'
with:
credentials_json: '${{ secrets.GCP_SA_KEY }}'
# Get IAP token
- name: Get IAP token
run: |
pip install google-auth requests
python -c '
from google.oauth2 import service_account
from google.auth.transport.requests import Request
import os
import json
credentials = service_account.Credentials.from_service_account_info(
json.loads("""${{ secrets.GCP_SA_KEY }}"""),
["<https://www.googleapis.com/auth/cloud-platform>"]
)
request = Request()
credentials.refresh(request)
# Set the headers as a JSON string
headers = json.dumps({"Authorization": f"Bearer {credentials.token}"})
with open(os.environ["GITHUB_ENV"], "a") as f:
f.write(f"PREFECT_CLIENT_CUSTOM_HEADERS={headers}\n")
'
# Set up Prefect
- name: Setup Prefect
run: |
pip install prefect
prefect config set PREFECT_API_URL=${{ secrets.PREFECT_API_URL }}
# Deploy your flow
- name: Deploy Flow
run: |
prefect deploy ... # Your deployment command herePREFECT_CLIENT_CUSTOM_HEADERSPREFECT_API_HEADERSu
최영범
07/19/2025, 8:08 PM@Marvin Actually, I've already tried that. the response of
prefect deploy ~m
Marvin
07/19/2025, 8:08 PM✅ thought for 33.2 seconds
Marvin
07/19/2025, 8:08 PMIf you're still getting an IAP login prompt even after setting
PREFECT_CLIENT_CUSTOM_HEADERS Copy code
yaml
- name: Get IAP token and debug
run: |
python -c '
from google.oauth2 import service_account
from google.auth.transport.requests import Request
import os
import json
credentials = service_account.Credentials.from_service_account_info(
json.loads("""${{ secrets.GCP_SA_KEY }}"""),
["<https://www.googleapis.com/auth/cloud-platform>"]
)
request = Request()
credentials.refresh(request)
# Debug print the token (careful with sensitive info in logs)
print("Token generated successfully:", bool(credentials.token))
print("Token length:", len(credentials.token) if credentials.token else 0)
# You might also want to verify the token format
headers = json.dumps({"Authorization": f"Bearer {credentials.token}"})
print("Headers JSON format:", headers)
with open(os.environ["GITHUB_ENV"], "a") as f:
f.write(f"PREFECT_CLIENT_CUSTOM_HEADERS={headers}\n")
' Copy code
yaml
- name: Test IAP token
run: |
TOKEN=$(python -c '
# ... same token generation code as above ...
print(credentials.token)
')
curl -v -H "Authorization: Bearer $TOKEN" ${{ secrets.PREFECT_API_URL }}/api/health Copy code
python
credentials = service_account.Credentials.from_service_account_info(
json.loads("""${{ secrets.GCP_SA_KEY }}"""),
["<https://www.googleapis.com/auth/cloud-platform>"],
target_audience=f"<https://iap.googleapis.com/projects/{PROJECT_NUMBER}/global/backend-services/{BACKEND_SERVICE_ID}>"
)Marvin
07/20/2025, 7:19 AM✅ thought for 44.7 seconds
Marvin
07/20/2025, 7:19 AMBased on the research and error message, here are a few potential solutions to try:
1. First, check if PREFECT_API_KEY is set:
Copy code
bash
# In your GitHub Actions workflow, verify no API key is set
echo "Checking for PREFECT_API_KEY..."
env | grep PREFECT_API_KEY Copy code
yaml
- name: Setup Prefect
run: |
pip install prefect
prefect config set PREFECT_API_URL=${{ secrets.PREFECT_API_URL }}
# If using basic auth, set the credentials
prefect config set PREFECT_API_AUTH_CREDENTIALS=${{ secrets.PREFECT_API_AUTH_CREDENTIALS }} # format: "username:password" Copy code
python
server:
api:
auth_string: "admin:password" # Replace with your actual credentials Copy code
yaml
- name: Debug Headers
run: |
python -c '
import os
import json
# Print current headers
headers = os.getenv("PREFECT_CLIENT_CUSTOM_HEADERS", "{}")
print("Current headers:", headers)
# For basic auth + IAP, you might need to combine both
combined_headers = {
"Authorization": "Bearer YOUR_IAP_TOKEN",
# Add basic auth if needed
# "Authorization-Basic": "base64_encoded_credentials"
}
# Set the combined headers
with open(os.environ["GITHUB_ENV"], "a") as f:
f.write(f"PREFECT_CLIENT_CUSTOM_HEADERS={json.dumps(combined_headers)}\n")
'PREFECT_API_KEY Copy code
bash
PREFECT_LOGGING_LEVEL=DEBUG prefect work-pool lsu
최영범
07/20/2025, 7:21 AM@Marvin I'm running self-hosted prefect server. Do I need to use api key?
m
Marvin
07/20/2025, 7:21 AM✅ thought for 41.2 seconds
Marvin
07/20/2025, 7:22 AMNo, you do not need (and should not use) an API key for a self-hosted Prefect server. In fact, having
PREFECT_API_KEY Copy code
bash
# Check if API key is set
unset PREFECT_API_KEY
# Also remove it from any environment variables in GitHub Actions if present Copy code
python
# In your server configuration
server:
api:
auth_string: "admin:yourpassword" # Replace with your desired credentials Copy code
yaml
- name: Setup Prefect
run: |
prefect config set PREFECT_API_URL=${{ secrets.PREFECT_API_URL }}
prefect config set PREFECT_API_AUTH_CREDENTIALS=${{ secrets.PREFECT_API_AUTH_CREDENTIALS }} # format: "username:password" Copy code
yaml
- name: Set Headers
run: |
python -c '
import json
import os
# Your existing IAP token generation code here
# ...
headers = {
"Authorization": f"Bearer {credentials.token}"
}
with open(os.environ["GITHUB_ENV"], "a") as f:
f.write(f"PREFECT_CLIENT_CUSTOM_HEADERS={json.dumps(headers)}\n")
'PREFECT_API_KEYu
최영범
07/20/2025, 10:40 AM@Marvin i got these error below,
Traceback (most recent call last):
File "/opt/hostedtoolcache/Python/3.13.5/x64/lib/python3.13/site-packages/prefect/cli/_utilities.py", line 44, in wrapper
return fn(*args, **kwargs)
File "/opt/hostedtoolcache/Python/3.13.5/x64/lib/python3.13/site-packages/prefect/cli/_types.py", line 156, in sync_fn
return asyncio.run(async_fn(*args, **kwargs))
~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/hostedtoolcache/Python/3.13.5/x64/lib/python3.13/asyncio/runners.py", line 195, in run
return runner.run(main)
~~~~~~~~~~^^^^^^
File "/opt/hostedtoolcache/Python/3.13.5/x64/lib/python3.13/asyncio/runners.py", line 118, in run
return self._loop.run_until_complete(task)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^
File "/opt/hostedtoolcache/Python/3.13.5/x64/lib/python3.13/asyncio/base_events.py", line 725, in run_until_complete
return future.result()
~~~~~~~~~~~~~^^
File "/opt/hostedtoolcache/Python/3.13.5/x64/lib/python3.13/site-packages/prefect/cli/work_pool.py", line 295, in ls
pools = await client.read_work_pools()
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/hostedtoolcache/Python/3.13.5/x64/lib/python3.13/site-packages/prefect/client/orchestration/_work_pools/client.py", line 454, in read_work_pools
response = await self.request("POST", "/work_pools/filter", json=body)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/hostedtoolcache/Python/3.13.5/x64/lib/python3.13/site-packages/prefect/client/orchestration/base.py", line 53, in request
return await self._client.send(request)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/hostedtoolcache/Python/3.13.5/x64/lib/python3.13/site-packages/prefect/client/base.py", line 379, in send
response.raise_for_status()
~~~~~~~~~~~~~~~~~~~~~~~~~^^
File "/opt/hostedtoolcache/Python/3.13.5/x64/lib/python3.13/site-packages/prefect/client/base.py", line 163, in raise_for_status
raise PrefectHTTPStatusError.from_httpx_error(exc) from exc.cause
prefect.exceptions.PrefectHTTPStatusError: Client error '401 Unauthorized' for url 'https://prefect-server-1030217702417.asia-northeast3.run.app/api/work_pools/filter'
m
Marvin
07/20/2025, 10:40 AM✅ thought for 77.5 seconds
Marvin
07/20/2025, 10:42 AMBased on the error and the context, let's try to debug this step by step:
1. First, let's verify your current IAP token setup. Could you try this modified script that includes more debugging information:
Copy code
yaml
- name: Debug Authentication
run: |
python -c '
from google.oauth2 import service_account
from google.auth.transport.requests import Request
import os
import json
import requests
# Load credentials
credentials = service_account.Credentials.from_service_account_info(
json.loads("""${{ secrets.GCP_SA_KEY }}"""),
["<https://www.googleapis.com/auth/cloud-platform>"]
)
request = Request()
credentials.refresh(request)
# Print token info (safely)
print("Token exists:", bool(credentials.token))
print("Token length:", len(credentials.token) if credentials.token else 0)
# Test the token with a direct request
headers = {"Authorization": f"Bearer {credentials.token}"}
test_url = "${{ secrets.PREFECT_API_URL }}/api/health"
print("\nTesting direct request to health endpoint...")
response = requests.get(test_url, headers=headers)
print(f"Status code: {response.status_code}")
# Set headers for Prefect
headers_json = json.dumps(headers)
print("\nSetting headers:", headers_json)
with open(os.environ["GITHUB_ENV"], "a") as f:
f.write(f"PREFECT_CLIENT_CUSTOM_HEADERS={headers_json}\n")
' Copy code
yaml
- name: Debug Prefect Config
run: |
echo "Current Prefect configuration:"
prefect config view
# Try a simple API request with debug logging
PREFECT_LOGGING_LEVEL=DEBUG prefect work-pool ls Copy code
python
# prefect server configuration
server:
api:
# Check if any authentication is configured here
auth_string: null # or "username:password" if using basic auth Copy code
yaml
- name: Setup Prefect with Debug
env:
PREFECT_LOGGING_LEVEL: DEBUG
PREFECT_CLIENT_CONNECT_TIMEOUT: 60 # Increase timeout for debugging
run: |
# Clear any existing API key
unset PREFECT_API_KEY
# Set the API URL
prefect config set PREFECT_API_URL=${{ secrets.PREFECT_API_URL }}
# Try the command
prefect work-pool lsu
최영범
07/20/2025, 10:53 AM@Marvin below is settings of my prefect self-hosted server. Is the base-auth disabled now?
api: {
"url": "***",
"auth_string": null,
"key": null,
"tls_insecure_skip_verify": false,
"ssl_cert_file": null,
"enable_http2": false,
"request_timeout": 60
}
m
Marvin
07/20/2025, 10:53 AM✅ thought for 12.3 seconds
Marvin
07/20/2025, 10:53 AMYes, looking at your server configuration:
Copy code
json
api: {
"auth_string": null, // Basic auth is disabled
"key": null, // API key auth is disabled
...
}auth_string: nullkey: nullPREFECT_API_AUTH_CREDENTIALSPREFECT_API_KEY Copy code
yaml
- name: Setup IAP Authentication
run: |
python -c '
from google.oauth2 import service_account
from google.auth.transport.requests import Request
import os
import json
# Generate IAP token
credentials = service_account.Credentials.from_service_account_info(
json.loads("""${{ secrets.GCP_SA_KEY }}"""),
["<https://www.googleapis.com/auth/cloud-platform>"]
)
request = Request()
credentials.refresh(request)
# Set only the IAP header
headers = {
"Authorization": f"Bearer {credentials.token}"
}
# Set for Prefect client
with open(os.environ["GITHUB_ENV"], "a") as f:
f.write(f"PREFECT_CLIENT_CUSTOM_HEADERS={json.dumps(headers)}\n")
'
- name: Setup Prefect
run: |
# Only set the API URL
prefect config set PREFECT_API_URL=${{ secrets.PREFECT_API_URL }}
- name: Deploy Flow
run: |
prefect deploy ... # Your deployment command Copy code
yaml
- name: Test IAP Authentication
run: |
python -c '
import requests
import os
import json
headers = json.loads(os.environ["PREFECT_CLIENT_CUSTOM_HEADERS"])
response = requests.get(
"${{ secrets.PREFECT_API_URL }}/api/health",
headers=headers
)
print(f"Status code: {response.status_code}")
print(f"Response: {response.text if response.ok else "Failed"}")
'u
최영범
07/20/2025, 11:52 AM@Marvin here's the test result
Run python -c '
python -c '
import requests
import os
import json
headers = json.loads(os.environ["PREFECT_CLIENT_CUSTOM_HEADERS"])
response = requests.get(
"https://prefect-server-1030217702417.asia-northeast3.run.app/api/api/health",
headers=headers
)
print(f"Status code: {response.status_code}")
print(f"Response: {response.text if response.ok else "Failed"}")
'
shell: /usr/bin/bash -e {0}
env:
PREFECT_API_URL: https://prefect-server-1030217702417.asia-northeast3.run.app/api
PREFECT_CLIENT_CSRF_SUPPORT_ENABLED: false
pythonLocation: /opt/hostedtoolcache/Python/3.13.5/x64
PKG_CONFIG_PATH: /opt/hostedtoolcache/Python/3.13.5/x64/lib/pkgconfig
Python_ROOT_DIR: /opt/hostedtoolcache/Python/3.13.5/x64
Python2_ROOT_DIR: /opt/hostedtoolcache/Python/3.13.5/x64
Python3_ROOT_DIR: /opt/hostedtoolcache/Python/3.13.5/x64
LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.13.5/x64/lib
CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/ml-data-pipeline/ml-data-pipeline/gha-creds-eef47a1064facdaa.json
GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/ml-data-pipeline/ml-data-pipeline/gha-creds-eef47a1064facdaa.json
GOOGLE_GHA_CREDS_PATH: /home/runner/work/ml-data-pipeline/ml-data-pipeline/gha-creds-eef47a1064facdaa.json
CLOUDSDK_CORE_PROJECT: solvook-infra
CLOUDSDK_PROJECT: solvook-infra
GCLOUD_PROJECT: solvook-infra
GCP_PROJECT: solvook-infra
GOOGLE_CLOUD_PROJECT: solvook-infra
PREFECT_CLIENT_CUSTOM_HEADERS: {"Authorization":"***"}
Status code: 401
Response: Failed
m
Marvin
07/20/2025, 11:52 AM✅ thought for 15.6 seconds
Marvin
07/20/2025, 11:52 AMI notice an issue with your test URL. You have a duplicate "api" in the path:
Copy code
python
"<https://prefect-server-1030217702417.asia-northeast3.run.app/api/api/health>"
^^^^^^^^ Copy code
python
"<https://prefect-server-1030217702417.asia-northeast3.run.app/api/health>" Copy code
yaml
- name: Test IAP Authentication
run: |
python -c '
import requests
import os
import json
# Get the base URL from environment
base_url = os.environ["PREFECT_API_URL"]
# Remove any trailing /api if present
if base_url.endswith("/api"):
base_url = base_url[:-4]
# Construct the health check URL
health_url = f"{base_url}/api/health"
# Get headers
headers = json.loads(os.environ["PREFECT_CLIENT_CUSTOM_HEADERS"])
print(f"Testing URL: {health_url}")
print(f"Headers (safely): {json.dumps({k: "***" if k.lower() == "authorization" else v for k, v in headers.items()})}")
# Make request with debug info
try:
response = requests.get(
health_url,
headers=headers,
timeout=30
)
print(f"\nStatus code: {response.status_code}")
print(f"Response headers: {dict(response.headers)}")
print(f"Response: {response.text if response.ok else "Failed"}")
except Exception as e:
print(f"Request failed with error: {str(e)}")
' Copy code
yaml
- name: Debug IAP Token Generation
run: |
python -c '
from google.oauth2 import service_account
from google.auth.transport.requests import Request
import os
import json
# Load credentials
credentials = service_account.Credentials.from_service_account_info(
json.loads(open(os.environ["GOOGLE_APPLICATION_CREDENTIALS"]).read()),
["<https://www.googleapis.com/auth/cloud-platform>"]
)
# Add IAP audience
credentials = credentials.with_audience(
f"<https://iap.googleapis.com/projects/{os.environ[>"GOOGLE_CLOUD_PROJECT"]}/global/backendServices/YOUR_BACKEND_SERVICE_ID"
)
request = Request()
credentials.refresh(request)
print("Token generation successful")
print(f"Token type: {type(credentials.token)}")
print(f"Token length: {len(credentials.token) if credentials.token else 0}")
# Set headers with the new token
headers = {
"Authorization": f"Bearer {credentials.token}"
}
with open(os.environ["GITHUB_ENV"], "a") as f:
f.write(f"PREFECT_CLIENT_CUSTOM_HEADERS={json.dumps(headers)}\n")
'YOUR_BACKEND_SERVICE_IDPREFECT_API_URLu
최영범
07/20/2025, 11:55 AM@Marvin I've run the test again with the url fixed
Run python -c '
python -c '
import requests
import os
import json
headers = json.loads(os.environ["PREFECT_CLIENT_CUSTOM_HEADERS"])
response = requests.get(
"https://prefect-server-1030217702417.asia-northeast3.run.app/api/health",
headers=headers
)
print(f"Status code: {response.status_code}")
print(f"Response: {response.text if response.ok else "Failed"}")
'
shell: /usr/bin/bash -e {0}
env:
PREFECT_API_URL: https://prefect-server-1030217702417.asia-northeast3.run.app/api
PREFECT_CLIENT_CSRF_SUPPORT_ENABLED: false
pythonLocation: /opt/hostedtoolcache/Python/3.13.5/x64
PKG_CONFIG_PATH: /opt/hostedtoolcache/Python/3.13.5/x64/lib/pkgconfig
Python_ROOT_DIR: /opt/hostedtoolcache/Python/3.13.5/x64
Python2_ROOT_DIR: /opt/hostedtoolcache/Python/3.13.5/x64
Python3_ROOT_DIR: /opt/hostedtoolcache/Python/3.13.5/x64
LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.13.5/x64/lib
CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/ml-data-pipeline/ml-data-pipeline/gha-creds-f61a23eeb72710aa.json
GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/ml-data-pipeline/ml-data-pipeline/gha-creds-f61a23eeb72710aa.json
GOOGLE_GHA_CREDS_PATH: /home/runner/work/ml-data-pipeline/ml-data-pipeline/gha-creds-f61a23eeb72710aa.json
CLOUDSDK_CORE_PROJECT: solvook-infra
CLOUDSDK_PROJECT: solvook-infra
GCLOUD_PROJECT: solvook-infra
GCP_PROJECT: solvook-infra
GOOGLE_CLOUD_PROJECT: solvook-infra
PREFECT_CLIENT_CUSTOM_HEADERS: {"Authorization":"***"}
Status code: 401
Response: Failed
m
Marvin
07/20/2025, 11:55 AM✅ thought for 13.9 seconds
Marvin
07/20/2025, 11:55 AMI notice that we need to specifically handle the IAP audience for the token. For Cloud Run with IAP, the token needs a specific audience format. Let's modify the token generation:
Copy code
yaml
- name: Generate IAP Token
run: |
python -c '
from google.oauth2 import service_account
from google.auth.transport.requests import Request
import os
import json
# Load credentials
credentials = service_account.Credentials.from_service_account_info(
json.loads(open(os.environ["GOOGLE_APPLICATION_CREDENTIALS"]).read()),
["<https://www.googleapis.com/auth/cloud-platform>"]
)
# For Cloud Run with IAP, the audience format is:
# <https://YOUR_REGION-run.googleapis.com/projects/PROJECT_NUMBER/locations/REGION/services/SERVICE_NAME>
project_number = "1030217702417" # From your URL
region = "asia-northeast3" # From your URL
service_name = "prefect-server" # From your URL
audience = f"https://{region}-<http://run.googleapis.com/projects/{project_number}/locations/{region}/services/{service_name}|run.googleapis.com/projects/{project_number}/locations/{region}/services/{service_name}>"
# Add the correct audience
credentials = credentials.with_audience(audience)
request = Request()
credentials.refresh(request)
print("Token details:")
print(f"Audience: {audience}")
print(f"Token length: {len(credentials.token) if credentials.token else 0}")
# Set headers with the new token
headers = {
"Authorization": f"Bearer {credentials.token}"
}
with open(os.environ["GITHUB_ENV"], "a") as f:
f.write(f"PREFECT_CLIENT_CUSTOM_HEADERS={json.dumps(headers)}\n")
'
- name: Test IAP Authentication
run: |
python -c '
import requests
import os
import json
url = "<https://prefect-server-1030217702417.asia-northeast3.run.app/api/health>"
headers = json.loads(os.environ["PREFECT_CLIENT_CUSTOM_HEADERS"])
print(f"Testing URL: {url}")
print(f"Headers present: {list(headers.keys())}")
response = requests.get(
url,
headers=headers,
timeout=30
)
print(f"\nStatus code: {response.status_code}")
if not response.ok:
print(f"Response headers: {dict(response.headers)}")
print(f"Response body: {response.text}")
'u
최영범
07/20/2025, 2:34 PM@Marvin I'm already generating iap token from github action
Copy code
- id: 'auth'
uses: 'google-github-actions/auth@v2'
with:
project_id: '***'
workload_identity_provider: 'projects/***/locations/global/workloadIdentityPools/ml-team-pool/providers/github-action'
service_account: 'ml-github-sa@***.<http://iam.gserviceaccount.com|iam.gserviceaccount.com>'
token_format: 'id_token'
id_token_audience: '<https://prefect-server>-***.<http://asia-northeast3.run.app|asia-northeast3.run.app>'m
Marvin
07/20/2025, 2:34 PM✅ thought for 12.7 seconds
Marvin
07/20/2025, 2:34 PMAh, I see! You're using Workload Identity Federation with GitHub Actions and generating an ID token. This is a different approach from what I suggested earlier. Let's modify the setup to use this ID token correctly.
When using
google-github-actions/authtoken_format: 'id_token' Copy code
yaml
- id: 'auth'
uses: 'google-github-actions/auth@v2'
with:
project_id: '***'
workload_identity_provider: 'projects/***/locations/global/workloadIdentityPools/ml-team-pool/providers/github-action'
service_account: 'ml-github-sa@***.<http://iam.gserviceaccount.com|iam.gserviceaccount.com>'
token_format: 'id_token'
id_token_audience: '<https://prefect-server>-***.<http://asia-northeast3.run.app|asia-northeast3.run.app>'
- name: Set Prefect Headers
run: |
python -c '
import os
import json
# Get the ID token from the previous step
id_token = """${{ steps.auth.outputs.id_token }}"""
# Set the headers with the ID token
headers = {
"Authorization": f"Bearer {id_token}"
}
# Set for Prefect client
with open(os.environ["GITHUB_ENV"], "a") as f:
f.write(f"PREFECT_CLIENT_CUSTOM_HEADERS={json.dumps(headers)}\n")
'
- name: Test IAP Authentication
run: |
python -c '
import requests
import os
import json
url = "${{ secrets.PREFECT_API_URL }}/health"
headers = json.loads(os.environ["PREFECT_CLIENT_CUSTOM_HEADERS"])
print(f"Testing URL: {url}")
print(f"Headers present: {list(headers.keys())}")
try:
response = requests.get(
url,
headers=headers,
timeout=30
)
print(f"\nStatus code: {response.status_code}")
if not response.ok:
print(f"Response headers: {dict(response.headers)}")
except Exception as e:
print(f"Request failed: {str(e)}")
'
- name: Setup Prefect
run: |
prefect config set PREFECT_API_URL=${{ secrets.PREFECT_API_URL }}google-github-actions/authAuthorizationid_token_audienceroles/iap.httpsResourceAccessoru
최영범
07/20/2025, 2:37 PM@Marvin and also, i'm already setting
PREFECT_CLIENT_CUSTOM_HEADERS Copy code
- name: Set Prefect Custom Headers with ID Token
run: |
unset PREFECT_API_KEY
echo "PREFECT_CLIENT_CUSTOM_HEADERS={\"Authorization\":\"Bearer ${{ steps.auth.outputs.id_token }}\"}" >> $GITHUB_ENVm
Marvin
07/20/2025, 2:37 PM✅ thought for 18.3 seconds
Marvin
07/20/2025, 2:37 PMI see! You're already setting up the
PREFECT_CLIENT_CUSTOM_HEADERS Copy code
yaml
- name: Debug Headers and Test Connection
run: |
python -c '
import os
import json
import requests
from urllib.parse import urljoin
# Debug current environment
headers = json.loads(os.environ.get("PREFECT_CLIENT_CUSTOM_HEADERS", "{}"))
api_url = os.environ.get("PREFECT_API_URL", "")
print("Debug Information:")
print(f"API URL: {api_url}")
print(f"Headers present: {list(headers.keys())}")
print(f"Authorization header starts with: {headers.get('Authorization', '')[:20]}...")
# Test basic endpoint
health_url = urljoin(api_url, "health")
print(f"\nTesting health endpoint: {health_url}")
try:
response = requests.get(
health_url,
headers=headers,
timeout=30
)
print(f"Status code: {response.status_code}")
print(f"Response headers: {dict(response.headers)}")
if response.status_code == 401:
print("\nPossible issues:")
print("1. Token might be expired")
print("2. Token audience might not match")
print("3. IAP might be expecting different header format")
except Exception as e:
print(f"Request failed: {str(e)}")
' Copy code
yaml
- uses: 'google-github-actions/auth@v2'
id: 'auth'
with:
project_id: '***'
workload_identity_provider: 'projects/***/locations/global/workloadIdentityPools/ml-team-pool/providers/github-action'
service_account: 'ml-github-sa@***.<http://iam.gserviceaccount.com|iam.gserviceaccount.com>'
token_format: 'id_token'
id_token_audience: '<https://prefect-server>-***.<http://asia-northeast3.run.app|asia-northeast3.run.app>'
- name: Set Prefect Custom Headers with ID Token
run: |
unset PREFECT_API_KEY
echo "PREFECT_CLIENT_CUSTOM_HEADERS={\"Authorization\":\"Bearer ${{ steps.auth.outputs.id_token }}\"}" >> $GITHUB_ENV
- name: Configure Prefect
run: |
prefect config set PREFECT_API_URL=${{ secrets.PREFECT_API_URL }}
# Debug Prefect configuration
echo "Current Prefect Configuration:"
prefect config view Copy code
yaml
- name: Test with curl
run: |
# Test the health endpoint
curl -v -H "Authorization: Bearer ${{ steps.auth.outputs.id_token }}" ${{ secrets.PREFECT_API_URL }}/healthid_token_audienceu
최영범
07/20/2025, 2:42 PM@Marvin Here's curl response
Copy code
> GET /api/health HTTP/2
> Host: prefect-server-***.<http://asia-northeast3.run.app|asia-northeast3.run.app>
> User-Agent: curl/8.5.0
> Accept: */*
> Authorization: ***
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [282 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [282 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
< HTTP/2 401
< x-goog-iap-generated-response: true
< date: Sun, 20 Jul 2025 14:40:48 GMT
< content-type: text/html
< server: Google Frontend
< content-length: 57
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
<
{ [57 bytes data]
100 57 100 57 0 0 243 0 --:--:-- --:--:-- --:--:-- 243
* Connection #0 to host prefect-server-***.<http://asia-northeast3.run.app|asia-northeast3.run.app> left intact
Invalid IAP credentials: JWT 'email' claim isn't a stringm
Marvin
07/20/2025, 2:42 PM✅ thought for 10.1 seconds
Marvin
07/20/2025, 2:42 PMAh! The error message is very helpful:
Invalid IAP credentials: JWT 'email' claim isn't a string Copy code
yaml
- uses: 'google-github-actions/auth@v2'
id: 'auth'
with:
project_id: '***'
workload_identity_provider: 'projects/***/locations/global/workloadIdentityPools/ml-team-pool/providers/github-action'
service_account: 'ml-github-sa@***.<http://iam.gserviceaccount.com|iam.gserviceaccount.com>'
token_format: 'id_token'
id_token_audience: '<https://prefect-server>-***.<http://asia-northeast3.run.app|asia-northeast3.run.app>'
# Add these claims that IAP requires
id_token_include_email: true
additional_claims: |
{
"email": "${{ vars.SERVICE_ACCOUNT_EMAIL }}",
"sub": "${{ vars.SERVICE_ACCOUNT_EMAIL }}"
}
- name: Set Prefect Custom Headers with ID Token
run: |
unset PREFECT_API_KEY
echo "PREFECT_CLIENT_CUSTOM_HEADERS={\"Authorization\":\"Bearer ${{ steps.auth.outputs.id_token }}\"}" >> $GITHUB_ENVid_token_include_email: trueadditional_claimsSERVICE_ACCOUNT_EMAILml-github-sa@***.<http://iam.gserviceaccount.com|iam.gserviceaccount.com>roles/iap.httpsResourceAccessoru
최영범
07/20/2025, 2:46 PM@Marvin I've done for only Key Changes 1.
and heres result below
Copy code
> GET /api/health HTTP/2
> Host: prefect-server-***.<http://asia-northeast3.run.app|asia-northeast3.run.app>
> User-Agent: curl/8.5.0
> Accept: */*
> Authorization: ***
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [282 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [282 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0< HTTP/2 401
< x-goog-iap-generated-response: true
< date: Sun, 20 Jul 2025 14:43:57 GMT
< content-type: text/html
< server: Google Frontend
< content-length: 68
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
<
{ [68 bytes data]
100 68 100 68 0 0 177 0 --:--:-- --:--:-- --:--:-- 177
* Connection #0 to host prefect-server-***.<http://asia-northeast3.run.app|asia-northeast3.run.app> left intact
Invalid IAP credentials: Invalid bearer token. Invalid JWT audience.m
Marvin
07/20/2025, 2:46 PM✅ thought for 10.3 seconds
Marvin
07/20/2025, 2:47 PMAh, now we're getting a different error:
Invalid IAP credentials: Invalid bearer token. Invalid JWT audienceid_token_audience Copy code
yaml
- uses: 'google-github-actions/auth@v2'
id: 'auth'
with:
project_id: '***'
workload_identity_provider: 'projects/***/locations/global/workloadIdentityPools/ml-team-pool/providers/github-action'
service_account: 'ml-github-sa@***.<http://iam.gserviceaccount.com|iam.gserviceaccount.com>'
token_format: 'id_token'
id_token_include_email: true
# Update the audience format for IAP
id_token_audience: '/projects/YOUR_PROJECT_NUMBER/global/backendServices/YOUR_BACKEND_SERVICE_ID'
- name: Set Prefect Custom Headers with ID Token
run: |
unset PREFECT_API_KEY
echo "PREFECT_CLIENT_CUSTOM_HEADERS={\"Authorization\":\"Bearer ${{ steps.auth.outputs.id_token }}\"}" >> $GITHUB_ENV Copy code
bash
gcloud iap oauth-clients list --project=YOUR_PROJECT_ID Copy code
/projects/PROJECT_NUMBER/global/backendServices/BACKEND_SERVICE_IDid_token_audience2 Views