Ameena

Reputation: 11

How to set IAP (Identity Aware Proxy) authentication for back-end API service running on a GKE cluster

I have an application that has React in the front-end and a Node service in the back-end. The app is deployed in the GKE cluster. Both apps are exposed as a NodePort Service, and the fan-out ingress path is done as follows:

# Fan-out Ingress: same host, two paths routed to two NodePort Services
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: app-ingress
spec:
  rules:
  - host: example.com
    http:
      paths:
      - backend:
          serviceName: frontend-service   # React front-end
          servicePort: 3000
        path: /*
      - backend:
          serviceName: backend-service    # Node API
          servicePort: 5000
        path: /api/*

I have enabled authentication using IAP for both services. When enabling IAP for both Kubernetes services, a new Client ID and Client Secret are created individually. But I need to provide authentication for the back-end API from the front-end; since they have 2 different accounts, it's not possible, i.e. when I call the back-end API service from the front-end the authentication fails because the cookies provided from the FE do not match in the back-end service.

What is the best way to handle this scenario? Is there a way to use the same client credentials for both these services, and if so, is that the right way to do it? Or is there a way to authenticate the REST API using IAP directly?

Upvotes: 1

Views: 620

Answers (1)

Ravindu Rathugama

Reputation: 323

If IAP is set up using BackendConfig, then you can have two separate BackendConfig objects for the frontend and backend applications, but both of them use the same secret (secretName) for oauthclientCredentials.

For frontend app

# BackendConfig for the frontend Service; IAP reads the OAuth client from the shared Secret
apiVersion: cloud.google.com/v1beta1
kind: BackendConfig
metadata:
  name: frontend-iap-config
  namespace: namespace-1
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: common-iap-oauth-credentials

For backend app

# BackendConfig for the backend Service; same Secret, so the same OAuth client and IAP cookie
apiVersion: cloud.google.com/v1beta1
kind: BackendConfig
metadata:
  name: backend-iap-config
  namespace: namespace-1
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: common-iap-oauth-credentials

Then refer to these BackendConfigs from the respective Kubernetes Service objects.

Upvotes: 1
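The missing piece the answer leaves to the reader, as an added example that is not part of the answer above: the shared Secret plus the two Services wired to their BackendConfigs. The Secret key names client_id and client_secret and the port-to-BackendConfig annotation follow GKE's BackendConfig conventions; the OAuth client values and the pod selectors are placeholders.

```yaml
# Single OAuth client shared by both BackendConfigs (values are placeholders).
# Must live in the same namespace as the BackendConfigs that reference it.
apiVersion: v1
kind: Secret
metadata:
  name: common-iap-oauth-credentials
  namespace: namespace-1
type: Opaque
stringData:
  client_id: "<OAUTH_CLIENT_ID_PLACEHOLDER>"
  client_secret: "<OAUTH_CLIENT_SECRET_PLACEHOLDER>"
---
# Frontend Service: traffic on port 3000 gets the frontend-iap-config policy.
apiVersion: v1
kind: Service
metadata:
  name: frontend-service
  namespace: namespace-1
  annotations:
    cloud.google.com/backend-config: '{"ports": {"3000": "frontend-iap-config"}}'
spec:
  type: NodePort
  selector:
    app: frontend          # placeholder pod label
  ports:
    - name: http
      port: 3000
      targetPort: 3000
---
# Backend Service: traffic on port 5000 gets the backend-iap-config policy.
apiVersion: v1
kind: Service
metadata:
  name: backend-service
  namespace: namespace-1
  annotations:
    cloud.google.com/backend-config: '{"ports": {"5000": "backend-iap-config"}}'
spec:
  type: NodePort
  selector:
    app: backend           # placeholder pod label
  ports:
    - name: http
      port: 5000
      targetPort: 5000
```

Because both BackendConfigs resolve to the same OAuth client, IAP issues one session for example.com that is accepted on both /* and /api/*, so the browser's fetch to /api/ carries a cookie the backend's IAP check recognises.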
