I have two docker images A and B running on Google Run. A needs a small memory footprint and slow scaling (it is the front end) and B needs a high memory footprint and heavy scaling under load (it is the backend).
I have made A public (allUser can touch :80), and B private (I didn't check the checkbox). Since a Google Cloud instance doesn't have a static IP but a dynamic URL, how can I make A "speak" to B (through HTTP) while maintaining B inaccessible from the wild?
Right now, the only workaround I found is to open HTTP ports to allUser for both and use a subdomain name for B (like b.my.app) and call "http://b.my.app" from A.
This is a very bad solution since B can be touched from outside google's network.
Upvotes: 1
Since service B is private (requires authentication), service A will need to include an HTTP Authorization header in requests to service B.
The header looks like this:
Authorization: Bearer <replace_with_token>
The token is an OAuth 2.0 Identity Token (not an Access Token). The IAM member email address for the User Credentials or Service Account is added to service B with the role roles/run.invoker.
You will still need to call the endpoint URL (xxx.y.run.app) of service B. That does not change unless you also implement Custom Domains.
A nice feature of Cloud Run is that when authentication is required, the Cloud Run Proxy handles this for you. The Proxy sits in front of Cloud Run and blocks all unauthorized requests. Your instance is never launched, so there is no billing time while hackers try to get through.
In one of my articles on my website, I show how to generate the Identity Token in Go (link). In this article, using CURL (link), which is a three-part series. There are numerous articles on the Internet that explain this also. In another article, I explain how Cloud Run Identity works (link) and how Cloud Run Identity Based Access Control works (link).
Review the --service-account option which allows you to set the service account to use for identity (link).
Cloud Run Authentication documentation (link).
Upvotes: 2
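The service-to-service call the answer describes, as an added Go example that is not part of the answer or of any Google client library: service A asks the Cloud Run metadata server for an identity token whose audience is service B's URL, then sends it to B in the Authorization header. The backend URL is a placeholder, and the metadata base URL is a parameter (an assumption for local testing) so the flow can be exercised against a stand-in server.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"net/url"
)

// Metadata server reachable only from inside the container on Cloud Run.
const DefaultMetadataBase = "http://metadata.google.internal"

// FetchIdentityToken requests an OAuth 2.0 ID token for the service account
// that service A runs as (set with --service-account), with the audience
// set to service B's run.app URL. No key file is needed in the container.
func FetchIdentityToken(ctx context.Context, metadataBase, audience string) (string, error) {
	u := metadataBase + "/computeMetadata/v1/instance/service-accounts/default/identity?audience=" +
		url.QueryEscape(audience)
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, u, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Metadata-Flavor", "Google") // the metadata server rejects requests without it
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("metadata server returned %s", resp.Status)
	}
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// NewBackendRequest builds the call to service B carrying the ID token as a
// Bearer credential; the Cloud Run proxy validates it before any instance of
// B is started, so unauthenticated callers never reach B's code.
func NewBackendRequest(ctx context.Context, backendURL, idToken string) (*http.Request, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, backendURL, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+idToken)
	return req, nil
}
```

In service A you would call `FetchIdentityToken(ctx, DefaultMetadataBase, "https://b-xxx.a.run.app")` (placeholder URL) and then send the request returned by `NewBackendRequest` with `http.DefaultClient.Do`.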