How to invoke gcp gen 2 cloud function from dotne core application with jwt authentication

I have created 2nd generation cloud function in gcp and deafult service account is attached to it.For security concern I have created another service account account2 and give appropriate permissions to it like function invoker.
But for calling this function from dotnet core we have to pass jwt token, How to create jwt token for account2?

I don't really know why you need an additional service account to invoke your functions (you could use this account2 as runtime service account on your Cloud Functions for instance...)

The cleanest and safest solution is to use service account impersonation. The principle is the following: you autorise the current runtime service account (account1) to impersonate (to create a token on behalf of) the service account2

Because you will use the permission of the service account 2 by impersonation, you will be able to invoke your function.

To achieve that, your runtime service account must have the role "Service Account Token Creator" on the account2 (or more widely on the project, but it's better to narrow the scope of the role). Then, you can use this Python code

import google.oauth2.id_token
import google.auth.transport.requests
from google.auth.impersonated_credentials import IDTokenCredentials
SCOPES = ['https://www.googleapis.com/auth/cloud-platform']

request = google.auth.transport.requests.Request()

audience = 'my_cloud_function_url'

creds, _ = google.auth.default(scopes=SCOPES)

icreds = google.auth.impersonated_credentials.Credentials(
        source_credentials=creds,
        target_principal="<Service account2>",
        target_scopes=SCOPES)

id = IDTokenCredentials(icreds, target_audience=audience,include_email=True)
print(id.token)
#example of raw idToken

from google.auth.transport.requests import AuthorizedSession
authed_session = AuthorizedSession(icreds)
request = google.auth.transport.requests.Request(session=authed_session)

# Use your request to post, get, put....

Note: You can find solution with service account key file, and it's a bad practice, as mentioned in the documentation here in the note

In the blog “How to create a JWT token from Google Cloud Service Account Key” written by Rajathithan Rajasekar, there is a detailed explanation on creating a JWT token using python. Follow the below steps mentioned in the blog for creating the JWT token and use it in your .Net application.

• Create a project directory in your local system or server
• Create a .py file for writing your python script
• Open your python script and write the import statements for all the
  required packages
• Define all the required variables like service account cred path, keyfile
  path, service-account email address, audience and expiry_length (TTL)
• Pass the required values like expiry, issuer, audience and email address
  etc.
• Send the signed payload and retrieve the JWT token

The below code which is given in the above blog will return the signed JWT token you can use in your .Net application for performing required functions.

> from google.auth import crypt
> from google.auth import jwt
> import os
> import io
> import json
> import time
>
> # Service account key path
> credential_path = "service-account-key.json"
> os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = credential_path
>
> sa_keyfile = credential_path
>
> # Get service account email and load the json data from the service account key file.
> with io.open(credential_path, "r", encoding="utf-8") as json_file:
> data = json.loads(json_file.read())
> sa_email = data['client_email']
>
> audience = "https://yourcloudendpoint"
> # e.g : "https://pubsub.googleapis.com/google.pubsub.v1.Publisher"
> # If you use cloud endpoints for you API, you can take the x-google-audiences value in your security definitions.
>
> # Expiry time for your JWT token
> expiry_length = 1000
>
>
> def generate_jwt(sa_keyfile,
> sa_email,
> audience,
> expiry_length=1000):
> """Generates a signed JSON Web Token using a Google API Service Account."""
>
> now = int(time.time())
>
> # build payload
> payload = {
> 'iat': now,
> # expires after 'expiry_length' seconds.
> "exp": now + expiry_length,
> # iss must match 'issuer' in the security configuration in your
> # swagger spec (e.g. service account email). It can be any string.
> 'iss': sa_email,
> # aud must be either your Endpoints service name, or match the value
> # specified as the 'x-google-audience' in the OpenAPI document.
> 'aud': audience,
> # sub and email should match the service account's email address
> 'sub': sa_email,
> 'email': sa_email
> }
>
> # sign with keyfile
> signer = crypt.RSASigner.from_service_account_file(sa_keyfile)
> jwt_token = jwt.encode(signer, payload)
> # print(jwt_token.decode('utf-8'))
> return jwt_token
>
>
> signed_jwt = generate_jwt(sa_keyfile, sa_email, audience)
> print(signed_jwt)

Note: The code and the content is taken from the blog which is mentioned in the post.

Update:

As @guillaumeblaquiere said it's indeed a bad practice to use the keyfiles but if your implementation requires you to use them, you can encrypt them or use a keymanager instead of having a localized copies of your keyfile. Additional measures needs to be taken like rotating the keys for every period of time. I have suggested this because you have asked about using the JWT token. I forgot to add this point in the solution.