MadJlzz

Reputation: 886

Google Cloud Authentication Service-to-service with JWT token

Updated question:

Is it possible to craft JWT token from application A and verify it in application B using GCP service accounts? How can I do that in Python?

Both applications are deployed in GCP. Applications can be deployed within GCF, Cloud Run, AppEngine, GKE or even in GCE.

Original question:

I spent some time reading Google Cloud documentation but I didn't find a "generic" answer on how to handle authentication between services (most probably because it is not the same for each GCP product).

So how do I authenticate my services to each other, putting aside any of Google's serverless products that ease authentication validation (e.g. Cloud Run/CF, which check the token automatically)?

I almost found a solution by signing JWTs but I was unable to verify the token afterwards.

A good solution would be something that looks like:

import urllib.request

def serviceA(req):
    """
    serviceA gets a token and passes it in its request to serviceB
    """
    token = ...  # How do I retrieve a token that I can use to auth my call? ID Token? Signed JWT?
    req.add_header("Authorization", f"Bearer {token}")

    response = urllib.request.urlopen(req)
    return response.read()

and in another service, let's say serviceB

from flask import request

@app.route('/')
def hello():
    """Return a friendly HTTP greeting."""
    if "Authorization" not in request.headers:
        return "Forbidden", 403
    # Check if the request is authenticated
    verify_token(request.headers)
    # proceed...

Here are some useful resources I have been through before asking this question:

Upvotes: 2

Views: 912
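Added example, not part of the question or the answer: the exchange the question sketches, written in Python with only the standard library. On GCP, service A would obtain a Google-signed RS256 ID token for service B's URL (from the metadata server or google-auth) and service B would check it against Google's published certificates; here a constructed shared HMAC key stands in for that key pair so the code runs offline. Every name, URL and key below is an assumption. The verifying side's checks (signature before anything else, pinned algorithm, issuer, audience bound to the callee, expiry, and an allow-list of calling identities) are what the question's verify_token has to do whichever signing method is used.

```python
"""Service-to-service JWT: mint in service A, verify in service B.

Added example. HS256 with a constructed shared key replaces the RS256
Google-signed ID token so that it runs offline; the claim checks are the same.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Set

# Constructed stand-ins for real GCP identifiers (assumptions, not real resources).
SERVICE_B_AUDIENCE = "https://service-b.example.run.app"  # the callee's URL, used as aud
SERVICE_A_IDENTITY = "service-a@example-project.iam.gserviceaccount.com"  # caller identity
TRUSTED_ISSUER = "https://accounts.google.com"  # issuer carried by Google-signed ID tokens
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"  # HS256 stand-in for Google's RSA key


class TokenError(Exception):
    """Raised by the verifying side; the HTTP handler should answer 401/403."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(audience: str, subject: str, key: bytes,
               now: Optional[int] = None, ttl: int = 3600) -> str:
    """Service A side: build header.payload.signature bound to one callee."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": TRUSTED_ISSUER,
        "sub": subject,
        "email": subject,
        "aud": audience,  # a token minted for service B must be useless at service C
        "iat": now,
        "exp": now + ttl,
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, expected_audience: str, allowed_callers: Set[str],
                 key: bytes, now: Optional[int] = None, leeway: int = 30) -> Dict:
    """Service B side: check the signature first, then every claim that scopes the token."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise TokenError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != TRUSTED_ISSUER:
        raise TokenError("untrusted issuer")
    if claims.get("aud") != expected_audience:
        raise TokenError("token not issued for this service")
    if claims.get("exp", 0) < now - leeway:
        raise TokenError("token expired")
    if claims.get("iat", now) > now + leeway:
        raise TokenError("token issued in the future")
    if claims.get("email") not in allowed_callers:
        raise TokenError("caller not allowed")
    return claims


def authenticate_request(headers: Dict[str, str], expected_audience: str,
                         allowed_callers: Set[str], key: bytes,
                         now: Optional[int] = None) -> Dict:
    """What the question's verify_token(request.headers) has to do with the header."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise TokenError("missing bearer token")
    return verify_token(token, expected_audience, allowed_callers, key, now=now)


if __name__ == "__main__":
    # Service A mints and sends; service B receives and verifies.
    tok = mint_token(SERVICE_B_AUDIENCE, SERVICE_A_IDENTITY, SHARED_KEY)
    headers = {"Authorization": f"Bearer {tok}"}
    print(authenticate_request(headers, SERVICE_B_AUDIENCE, {SERVICE_A_IDENTITY}, SHARED_KEY))
```

The audience check is the one most often skipped: without it, any token Google signed for service A's identity, for any callee, would be accepted by service B. The allow-list on the email claim is what turns "a valid Google identity" into "the one service account I expect to call me".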

Answers (1)

Sergiusz

Reputation: 1235

The only service fitting your use case that I can think of is BeyondCorp:

BeyondCorp is Google's implementation of the zero trust model
(...)
BeyondCorp allows for single sign-on, access control policies, access proxy, and user- and device-based authentication and authorization.
The BeyondCorp principles are:
- Access to services must not be determined by the network from which you connect
- Access to services is granted based on contextual factors from the user and their device
- Access to services must be authenticated, authorized, and encrypted

Upvotes: 1
