Abhishek Thakur

Reputation: 16995

Access a cloud run from another cloud run

I am developing an application where I have hosted the frontend in Cloud Run: public access, no authentication.

Another cloud run service has the backend. This requires authentication and is not open to public.

Of course, if I disable authentication on the backend service, everything works smoothly.

Is it possible to access the backend with authentication enabled from the frontend cloud run service?

Both the services are in the same serverless VPC.

Upvotes: 2

Views: 2024

Answers (2)

Sascha Heyer

Reputation: 101

To connect two Cloud Run applications privately, you need to obtain an identity token, and add it to the Authorization header of the outbound request of the target service. You can find documentation and examples here.

For Cloud Run service A (running with service account SA1) to be able to connect to private Cloud Run service B, you need to:

  1. Update IAM permissions of service B to give SA1 Cloud Run Invoker role (roles/run.invoker).

  2. Obtain an identity token (JWT) from metadata service:

      curl -H "metadata-flavor: Google" \
        "http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=URL"

     where URL is the URL of service B (i.e. https://*.run.app).

  3. Add header Authorization: Bearer TOKEN where TOKEN is the response obtained in the previous command.

Upvotes: 2
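
Steps 2 and 3 of the answer above, as an added Python example that is not part of the original answer: the frontend fetches an identity token whose audience is the backend URL, reuses it until shortly before it expires, and sends it in the Authorization header. The function names, the 60-second expiry skew and the unsigned sample token are assumptions made for illustration.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Metadata endpoint; reachable only from inside Cloud Run / GCE.
METADATA_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                "instance/service-accounts/default/identity")
_cache = {}  # audience -> identity token


def fetch_identity_token(audience, timeout=5):
    """Ask the metadata server for an identity token minted for `audience`."""
    url = METADATA_URL + "?" + urllib.parse.urlencode({"audience": audience})
    req = urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def token_claims(token):
    """Decode the JWT payload for local inspection. No signature check here:
    Cloud Run validates the token before the request reaches the backend."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def token_usable(token, audience, now=None, skew=60):
    """True if the token targets `audience` and is not about to expire."""
    claims = token_claims(token)
    now = time.time() if now is None else now
    return claims.get("aud") == audience and claims.get("exp", 0) - skew > now


def authorized_request(backend_url, path="/", fetch=fetch_identity_token):
    """Build a request to the private backend carrying a cached, valid token."""
    token = _cache.get(backend_url)
    if token is None or not token_usable(token, backend_url):
        token = _cache[backend_url] = fetch(backend_url)
    req = urllib.request.Request(backend_url.rstrip("/") + path)
    req.add_header("Authorization", "Bearer " + token)
    return req


def make_sample_token(aud, exp):
    """Constructed, unsigned token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc({"aud": aud, "exp": exp}) + ".sig"
```

Inside Cloud Run, `urllib.request.urlopen(authorized_request(BACKEND_URL, "/api"))` sends the call; a token whose `aud` does not match the backend URL is rejected, which is why the audience is checked before a cached token is reused.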

Steren

Reputation: 7909

As captured in the official doc, frontend can securely and privately invoke backend by leveraging the Invoker IAM role:

  • Grant the service account of frontend the Cloud Run Invoker IAM role.
  • When you issue a request from frontend to backend, you must attach an identity token to the request, see here for code examples

Upvotes: 3
