Darian Hickman

Reputation: 909

How to restrict requests of python3 standard environment app engine urls to a single service account?

I have a python37 standard env App Engine URL accessible at /healthcheck. I already have a service account key generated and saved as JSON, with all the expected fields:

  "project_id": "",
  "private_key_id": "",
  "private_key": "",
  "client_email": "[email protected]",
  "client_id": "",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": ""

I want to call urls in two different ways:

  1. Request my URLs manually and somehow use the service account fields as headers in the request for authentication.
  2. Schedule cron jobs to call the same URL.

All the docs I find on Google Cloud only discuss authentication downstream from the app engine url request. Is there a standard way to restrict app engine url requests to just one service account?

Upvotes: 0

Views: 29

Answers (1)

Darian Hickman

Instead of using any services provided by Google Cloud for security, I simply created a param with a made-up API key and forced all connections to be HTTPS.

In main.py I used the flask feature @app.before_request to check for cron execution or the variable.

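from flask import Flask, request

import config  # assumed: module holding the expected key as config.apikey

app = Flask(__name__)


@app.before_request
def do_something_whenever_a_request_comes_in():
    # Runs before every request; returning a response here ends the request.
    if 'X-Appengine-Cron' in request.headers:
        # Header set by App Engine for cron jobs; reject if its value is empty.
        if not request.headers['X-Appengine-Cron']:
            return 'Not Authorized', 401
    elif 'apikey' in request.args:
        # The supplied key is not printed, so it stays out of the logs.
        if request.args['apikey'] != config.apikey:
            return 'Not Authorized', 401
    else:
        return 'Not Authorized', 401
    print('Passed authorization')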

Upvotes: 1
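
A hardened variant of the check in the answer above, as an added example that is not part of the original post: the decision is a pure function so it can be tested without Flask, the key is compared in constant time, and the cron header is trusted only when the app runs on App Engine. The names `authorize`, `on_app_engine` and the `X-Api-Key` header are assumptions made for this example.

```python
import hmac


def _get(headers, name):
    """Case-insensitive header lookup over a plain mapping."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def authorize(headers, args, expected_key, on_app_engine=True):
    """Return (allowed, reason) for one request.

    headers and args are plain mappings, e.g. dict(request.headers) and
    request.args.to_dict() inside a Flask before_request hook.
    """
    # App Engine strips X-Appengine-* headers from external requests, so the
    # header is only trustworthy when the app really runs on App Engine.
    cron = _get(headers, "X-Appengine-Cron")
    if cron is not None:
        if on_app_engine and cron == "true":
            return True, "cron"
        return False, "untrusted cron header"

    if not expected_key:
        # An empty configured key must never match an empty supplied key.
        return False, "no key configured"

    # Prefer a header (hypothetical X-Api-Key): query strings are recorded
    # in request logs. The query parameter is kept as a fallback.
    supplied = _get(headers, "X-Api-Key") or args.get("apikey")
    if not supplied:
        return False, "missing key"

    # Constant-time comparison; the supplied key is never logged.
    if hmac.compare_digest(supplied.encode(), expected_key.encode()):
        return True, "apikey"
    return False, "bad key"
```

In the hook, return `'Not Authorized', 401` whenever the first element of the result is `False`.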
