Reputation: 187
I have a recurring Cron scheduler that invokes a method in a Google Cloud Platform App Engine Flex service (a .NET Core web API, say APP1), which in turn calls an endpoint (e.g. /v1/api/test) of another of our Google Cloud Platform App Engine Flex services (another .NET Core web API, say APP2).
My question is: how would I go about restricting access to this particular APP2 endpoint to just APP1? Do I have to use Cloud Endpoints to achieve this? Bear in mind that APP2 has other endpoints that are open to the public.
Upvotes: 0
Views: 736
Reputation: 2487
To restrict access from service app2 to service app1, but not to the general public, you have to use Cloud Endpoints. To do it, follow these steps:
1) You have to create an openapi-appengine.yaml file for Cloud Endpoints. Configure it as follows (the comments mark the values you must replace; each restricted path gets its own unique operationId, since duplicate operationIds are rejected):

```yaml
swagger: '2.0'
info:
  title: Cloud Endpoints
  description: Sample API on Cloud Endpoints with a Cloud Run backend
  version: 1.0.0
host: endpoint-service.appspot.com   # put your service URL here
x-google-allow: all
schemes:
  - https
produces:
  - application/json
paths:
  /restricted-endpoint-1:   # list every endpoint you want to restrict
    get:
      summary: Greet a user
      operationId: hello1
      responses:
        '200':
          description: A successful response
          schema:
            type: string
      security:
        - DEFINITION_NAME: []
  /restricted-endpoint-2:
    get:
      summary: Greet a user
      operationId: hello2
      responses:
        '200':
          description: A successful response
          schema:
            type: string
      security:
        - DEFINITION_NAME: []
securityDefinitions:
  DEFINITION_NAME:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "SA_EMAIL_ADDRESS"   # add a service account here; create a new one if you don't have any
    x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/SA_EMAIL_ADDRESS"   # put your service account address at the end
```
2) Then go to the App2 service and add your service name to its app.yaml file:

```yaml
endpoints_api_service:
  # The following values are to be replaced by information from the output of
  # the 'gcloud endpoints services deploy openapi-appengine.yaml' command.
  name: ENDPOINTS-SERVICE-NAME
  rollout_strategy: managed
```

Replace ENDPOINTS-SERVICE-NAME with the name of your Endpoints service. This is the same name that you configured in the host field of your OpenAPI document. For example:

```yaml
endpoints_api_service:
  name: example-project-12345.appspot.com
  rollout_strategy: managed
```
3) Finally, continue with this official documentation in order to authenticate between services.
Upvotes: 1
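As an added example (not from the answer above or from Google's own samples), this is what the caller side of step 3 can look like in APP1: a JWT signed with the service account's private key is sent as a Bearer token, and the Extensible Service Proxy in front of APP2 validates it against the x-google-issuer / x-google-jwks_uri pair from the securityDefinitions block. The claim layout (iss, sub and email set to the service account address, aud set to the Endpoints service name from the OpenAPI host field), the service name, the URL and the environment variable holding the key are this example's assumptions. It needs the System.IdentityModel.Tokens.Jwt NuGet package and .NET 5 or later for RSA.ImportFromPem.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

// Added example: APP1 calling a restricted APP2 endpoint behind Cloud Endpoints
// with a service-account-signed JWT. Not code from the answer or from Google.
public static class EndpointsCaller
{
    // Mints a JWT signed with the service account's RSA private key. The claim
    // layout (iss/sub/email = service account address, aud = Endpoints service
    // name, i.e. the OpenAPI "host" value) is this example's assumption about
    // what ESP expects for service-to-service calls.
    public static string CreateServiceAccountJwt(string serviceAccountKeyJson, string endpointsServiceName)
    {
        using JsonDocument keyFile = JsonDocument.Parse(serviceAccountKeyJson);
        string email = keyFile.RootElement.GetProperty("client_email").GetString()
                       ?? throw new InvalidOperationException("client_email missing from key file");
        string privateKeyPem = keyFile.RootElement.GetProperty("private_key").GetString()
                       ?? throw new InvalidOperationException("private_key missing from key file");

        using RSA rsa = RSA.Create();
        rsa.ImportFromPem(privateKeyPem);

        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = email,
            Audience = endpointsServiceName,
            Claims = new Dictionary<string, object> { ["sub"] = email, ["email"] = email },
            // Short lifetime: a token that leaks from logs or a crash dump is
            // only usable for a few minutes.
            Expires = DateTime.UtcNow.AddMinutes(10),
            SigningCredentials = new SigningCredentials(new RsaSecurityKey(rsa), SecurityAlgorithms.RsaSha256),
        };
        // JsonWebTokenHandler fills in iat and nbf itself (SetDefaultTimesOnTokenCreation).
        return new JsonWebTokenHandler().CreateToken(descriptor);
    }

    // Sends the token as a Bearer credential. ESP checks signature, issuer,
    // audience and expiry before the request reaches APP2's code.
    public static async Task<string> CallRestrictedEndpointAsync(
        HttpClient http, string serviceAccountKeyJson, string endpointsServiceName, string url)
    {
        string jwt = CreateServiceAccountJwt(serviceAccountKeyJson, endpointsServiceName);
        using var request = new HttpRequestMessage(HttpMethod.Get, url);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", jwt);
        using HttpResponseMessage response = await http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }

    // Example wiring with placeholder service name and URL. The key JSON is read
    // from an environment variable here (assumed name); in production load it
    // from Secret Manager rather than baking it into the container image.
    public static async Task Main()
    {
        string keyJson = Environment.GetEnvironmentVariable("APP1_SA_KEY_JSON")
                         ?? throw new InvalidOperationException("APP1_SA_KEY_JSON is not set");
        using var http = new HttpClient();
        string body = await CallRestrictedEndpointAsync(
            http, keyJson, "endpoint-service.appspot.com", "https://endpoint-service.appspot.com/v1/api/test");
        Console.WriteLine(body);
    }
}
```

Because ESP enforces the check before the request reaches APP2, the public endpoints in the same service stay open as long as they carry no security requirement in the OpenAPI document, and only the paths listed with DEFINITION_NAME require the token.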
Reputation: 1028
You can use X-Appengine-Inbound-AppId to check the source app when you call the private endpoint.
Please refer to the doc.
Upvotes: 0
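An added example (not from the answer above) of the check this answer describes, as an ASP.NET Core minimal-API middleware in APP2: requests to the private path are allowed only when X-Appengine-Inbound-AppId matches an allow-list, and every other path passes through untouched. The allowed app ID and the private path prefix are placeholders (the path reuses /v1/api/test from the question); it assumes .NET 6 or later and that the header is set by App Engine on inbound service-to-service calls, as the answer's doc describes.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

// Added example: APP2 gating one endpoint on X-Appengine-Inbound-AppId.
// Not code from the answer. The app ID and private path are placeholders.
var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// APP1's App Engine application ID (placeholder); compare exactly, case-sensitively.
var allowedCallers = new HashSet<string>(StringComparer.Ordinal) { "app1-project-id" };
var privatePrefix = new PathString("/v1/api/test");

app.Use(async (context, next) =>
{
    if (context.Request.Path.StartsWithSegments(privatePrefix))
    {
        string caller = context.Request.Headers["X-Appengine-Inbound-AppId"].ToString();
        if (!IsAllowedCaller(caller, allowedCallers))
        {
            // Log the rejection so unexpected callers show up in Cloud Logging.
            app.Logger.LogWarning("Rejected call to {Path} from app id '{AppId}'",
                context.Request.Path.Value, caller);
            context.Response.StatusCode = StatusCodes.Status403Forbidden;
            return;
        }
    }
    await next(context);
});

app.MapGet("/v1/api/test", () => "private: reachable only from APP1");
app.MapGet("/v1/api/public", () => "public: open to everyone");
app.Run();

// Fail closed: a missing header counts as an unknown caller.
static bool IsAllowedCaller(string appId, ISet<string> allowed) =>
    !string.IsNullOrEmpty(appId) && allowed.Contains(appId);
```

The middleware runs before routing, so adding another private path is a matter of extending the prefix check, and the public endpoints never touch the header. If the header is absent on your call path, the check rejects every call to the private endpoint, which is the safe failure mode rather than silently opening it.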