Skip to content
CTRL K
    Docs Standalone Kubernetes Models Blog Enterprise Community Get Started GitHub
    🎯 New workshop: Govern AI Costs in Real Time — Hands-On with agentgateway agentgateway has joined the Agentic AI FoundationLearn more

    For the complete documentation index, see llms.txt. Markdown versions of all docs pages are available by appending .md to any docs URL.

    Page as Markdown
    GCP backend authentication
    Authenticate to Google Cloud Platform (GCP) backends from the gateway using GCP authentication.
    Configure authentication for backends in Google Cloud Platform (GCP) with an AgentgatewayPolicy.
    By default, the proxy uses ambient credentials from the cluster provider environment, such as Workload Identity on GKE, or the GOOGLE_APPLICATION_CREDENTIALS environment variable set to a service account key file. To use token-based credentials, apply an AgentgatewayPolicy with GCP auth to your backend.
    Before you begin

    Before you begin

    1. Set up an agentgateway proxy.
    2. Install the httpbin sample app.
    Configure GCP backend authentication

    Create an AgentgatewayPolicy that uses GCP authentication to sign requests to your backend.
    For access token authentication (used for most GCP services):
    kubectl apply -f- <<EOF
apiVersion: agentgateway.dev/v1alpha1
kind: AgentgatewayPolicy
metadata:
  name: gcp-backend-auth
  namespace: agentgateway-system
spec:
  targetRefs:
    - group: agentgateway.dev
      kind: AgentgatewayBackend
      name: my-gcp-backend
  backend:
    auth:
      gcp:
        type: AccessToken
EOF
    For ID token authentication (used for Cloud Run and other audience-based services):
    kubectl apply -f- <<EOF
apiVersion: agentgateway.dev/v1alpha1
kind: AgentgatewayPolicy
metadata:
  name: gcp-backend-auth
  namespace: agentgateway-system
spec:
  targetRefs:
    - group: agentgateway.dev
      kind: AgentgatewayBackend
      name: my-gcp-backend
  backend:
    auth:
      gcp:
        type: IdToken
        audience: "https://my-cloudrun-service-xyz.run.app"
EOF
    FieldDescription
    backend.auth.gcp.typeThe type of token to generate. AccessToken is used for most GCP services; IdToken is used for Cloud Run.
    backend.auth.gcp.audienceExplicit aud claim for the ID token. Only valid with IdToken type. Derived from the backend hostname when omitted.
    Cleanup

    kubectl delete AgentgatewayPolicy gcp-backend-auth -n agentgateway-system
    JWT authLocal rate limiting
    Was this page helpful?
    

    
Agentgateway assistant
    


    Ask me anything about agentgateway configuration, features, or usage.
    Note: AI-generated content might contain errors; please verify and test all returned information.
    Tip: one topic per conversation gives the best results. Use the + button in the chat header to start a new conversation.
    Switching topics? Starting a new conversation improves accuracy.

    ↑↓ navigate
 select
esc dismiss
    

    

    What could be improved?
    Your feedback helps us improve assistant answers and identify docs gaps we should fix.
    Need more help? Join us on Discord:
https://discord.gg/y9efgEmppm
    Want to use your own agent? Add the Solo MCP server to query our docs directly. Get started here:
https://search.solo.io/.