Rollie

Reputation: 4752

How can my cloud run service call other cloud run services?

I have a service listening on 'https://myapp.a.run.app/dosomething', but I want to leverage the scalability features of Cloud Run, so in the controller for 'dosomething', I send off 10 requests to 'https://myapp.a.run.app/smalltask'; with my app configured to allow servicing of only one request per instance, I expect 10 instances to spin up, all do their smalltask, and return (all within the timeout period).

But I don't know how to properly authenticate the request, so those 10 requests all result in 403's. For Cloud Run services, I manually pass in a bearer token with the initial request, though I expect to add some api proxy at some point. But without said API proxy, what's the right way to send the request such that it is accepted? The app is running as a user that does have permissions to access the endpoint.

Upvotes: 14

Views: 14156

Answers (1)

Pentium10

Reputation: 207830

Authenticating service-to-service

If your architecture is using multiple services, these services will likely need to communicate with each other.

You can use synchronous or asynchronous service-to-service communication:

For asynchronous communication, use

For synchronous communication

One service invokes another one over HTTP using its endpoint URL. In this use case, it's a good idea to ensure that each service is only able to make requests to specific services. For instance, if you have a login service, it should be able to access the user-profiles service, but it probably shouldn't be able to access the search service.

First, you'll need to configure the receiving service to accept requests from the calling service:

  1. Grant the Cloud Run Invoker (roles/run.invoker) role to the calling service identity on the receiving service. By default, this identity is PROJECT_NUMBER-compute@developer.gserviceaccount.com.

In the calling service, you'll need to:

  1. Create a Google-signed OAuth ID token with the audience (aud) set to the URL of the receiving service. This value must contain the schema prefix (http:// or https://) and custom domains are currently not supported for the aud value.

  2. Include the ID token in an Authorization: Bearer ID_TOKEN header. You can get this token from the metadata server, while the container is running on Cloud Run (fully managed). If the application is running outside Google Cloud, you can generate an ID token from a service account key file.

For a full guide and examples in Node/Python/Go/Java and others see: Authenticating service-to-service

Upvotes: 19
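The calling-service side of the procedure in the answer above, written out as an added example (it is not code from the question, the answer, or Google's documentation). It assumes the metadata-server path and `Metadata-Flavor: Google` header that Compute Engine and Cloud Run expose for minting ID tokens, uses only the standard library, and takes an injectable `fetch` callable so the token fetch can be stubbed offline; the `stub_metadata_fetch` helper and the unsigned token it produces are constructed for demonstration only.

```python
"""Calling one Cloud Run service from another with a Google-signed ID token.

Assumptions (not from the page): the metadata-server URL and header below,
urllib for HTTP, and a replaceable `fetch` so the example runs offline.
"""
import base64
import json
import urllib.parse
import urllib.request

# Metadata-server endpoint that mints an ID token for the default service account.
METADATA_ID_TOKEN_URL = (
    "http://metadata.google.internal/computeMetadata/v1/"
    "instance/service-accounts/default/identity"
)
METADATA_HEADERS = {"Metadata-Flavor": "Google"}


def metadata_token_url(audience: str) -> str:
    """Build the metadata URL for an ID token whose `aud` is `audience`.

    The audience must be the receiving service URL including its scheme,
    as the answer notes; a bare hostname is rejected here rather than
    producing a token the receiving service will refuse with a 403.
    """
    if not audience.startswith(("http://", "https://")):
        raise ValueError("audience must include the http:// or https:// prefix")
    return METADATA_ID_TOKEN_URL + "?" + urllib.parse.urlencode({"audience": audience})


def fetch_id_token(audience: str, fetch=None) -> str:
    """Fetch a Google-signed ID token for `audience` from the metadata server.

    `fetch(url, headers) -> bytes` defaults to a real GET; tests pass a stub.
    """
    if fetch is None:
        def fetch(url, headers):
            req = urllib.request.Request(url, headers=headers)
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.read()
    return fetch(metadata_token_url(audience), METADATA_HEADERS).decode().strip()


def jwt_claims(token: str) -> dict:
    """Decode (without verifying) a JWT payload so the caller can check `aud`.

    Signature verification is the receiving side's job; Cloud Run performs it
    before the request reaches the container.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def authorized_request(url: str, audience: str = None, fetch=None) -> urllib.request.Request:
    """Build the outgoing request with `Authorization: Bearer ID_TOKEN`.

    `audience` defaults to scheme + host of `url`. The token's `aud` is
    checked locally so a mismatch fails here instead of as a remote 403.
    """
    parsed = urllib.parse.urlsplit(url)
    audience = audience or f"{parsed.scheme}://{parsed.netloc}"
    token = fetch_id_token(audience, fetch)
    claims = jwt_claims(token)
    if claims.get("aud") != audience:
        raise RuntimeError(f"token aud {claims.get('aud')!r} != {audience!r}")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


def call_service(url: str, audience: str = None, fetch=None, opener=urllib.request.urlopen) -> bytes:
    """Send the authenticated request. With the header in place, a 403 now
    means the calling identity lacks roles/run.invoker on the receiving service."""
    with opener(authorized_request(url, audience, fetch), timeout=30) as resp:
        return resp.read()


def stub_metadata_fetch(url: str, headers: dict) -> bytes:
    """Constructed stand-in for the metadata server: returns an UNSIGNED JWT
    whose `aud` echoes the requested audience. For offline demonstration only."""
    audience = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["audience"][0]

    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    header = b64({"alg": "RS256", "typ": "JWT"})
    payload = b64({"aud": audience, "iss": "https://accounts.google.com"})
    return f"{header}.{payload}.constructed-signature".encode()


if __name__ == "__main__":
    # Offline demo; on Cloud Run omit `fetch` to use the real metadata server.
    req = authorized_request("https://myapp.a.run.app/smalltask", fetch=stub_metadata_fetch)
    print(req.get_header("Authorization")[:48], "...")
```

The questioner's fan-out would call `call_service("https://myapp.a.run.app/smalltask")` ten times from the `dosomething` handler; each call mints a token scoped to the service's own URL, which is valid because the service identity invoking itself still needs, and here has, roles/run.invoker on that service.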
