I think you got the correct idea. However, I am not sure if the guide here about signed headers is useful. In terms of access control, the role "IAP-secured web app" user should be sufficient. I assume that your concern here is not about authorization <https://cloud.google.com/iap/docs/concepts-overview#authorization> (access control/IAM) with IAP but about authenticating <https://cloud.google.com/iap/docs/concepts-overview#authentication> the service account with IAP. For a user with a Google account this usually happens through the browser. However, using the service account from App Engine requires different methods. The easiest might be "Obtaining an OIDC token for the default service account" as explained in this article <https://cloud.google.com/iap/docs/authentication-howto#authenticating_from_a_service_account>. I hope this helps.
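The service-account flow mentioned in the reply above, sketched as an added example that is not part of the original message or Google's sample code: fetch an OIDC token for the default service account from the metadata server, sanity-check its audience and expiry locally, then send it as a bearer token. It assumes the token audience is the OAuth client ID of the IAP-secured resource; the function names, the client ID and the target URL are hypothetical.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Metadata server endpoint that issues OIDC identity tokens for the default service account.
METADATA_IDENTITY_URL = (
    "http://metadata.google.internal/computeMetadata/v1/"
    "instance/service-accounts/default/identity"
)

def build_token_request(iap_client_id):
    """Metadata request for a token whose audience is the IAP client ID (assumed)."""
    query = urllib.parse.urlencode({"audience": iap_client_id})
    return urllib.request.Request(
        f"{METADATA_IDENTITY_URL}?{query}", headers={"Metadata-Flavor": "Google"}
    )

def unverified_claims(token):
    """Decode the JWT payload without verifying it; IAP does the real verification."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(token, iap_client_id, now=None):
    """Fail early on a token that IAP would reject for wrong audience or expiry."""
    claims = unverified_claims(token)
    now = time.time() if now is None else now
    if claims.get("aud") != iap_client_id:
        raise ValueError("token audience does not match the IAP client ID")
    if claims.get("exp", 0) <= now:
        raise ValueError("token has expired")
    return claims

def build_iap_request(url, token):
    """Request to the IAP-protected URL carrying the OIDC token as a bearer token."""
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})

def call_iap_resource(url, iap_client_id):
    """Full flow; only works where the metadata server is reachable (e.g. App Engine)."""
    with urllib.request.urlopen(build_token_request(iap_client_id), timeout=5) as resp:
        token = resp.read().decode().strip()
    check_token(token, iap_client_id)
    with urllib.request.urlopen(build_iap_request(url, token), timeout=10) as resp:
        return resp.status, resp.read()
```

The service account still needs the IAP role on the resource; the token only proves its identity to IAP.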