antonstenaxel

Reputation: 15

How to authenticate gRPC deployed on Cloud Run using Python

I want to deploy a microservice on Cloud Run, using gRPC to communicate with it. I have set up the service and gotten it to work using insecure channels, but I am a bit confused by the documentation when it comes to authentication.

I am not experienced with security and authentication, so I would greatly appreciate it if someone could outline the steps needed to set up a secure gRPC channel served on Cloud Run. I will be running this in Python.

Some concrete questions that have popped up

Thanks in advance

Upvotes: 0

Views: 1227

Answers (3)

Bruno Rijsman

Reputation: 3807

See https://hikingandcoding.wordpress.com/2022/01/19/securing-google-remote-procedure-calls-grpc-using-asynchronous-python/ for a tutorial on how to authenticate gRPC services in Python

Upvotes: 0

DazWilkin

Reputation: 40326

Cloud Run injects a proxy as a sidecar to your deployed container.

The service will always be secured with TLS.

TLS-based auth can be used to authenticate the client and the server to each other but does not authenticate the user of the client; for that, you will need to use an additional mechanism.

If you permit unauthenticated, anything can invoke your service. If you require authenticated, the service will expect an authorization token (an identity token) to authenticate.

You can use Google identities to authenticate but these will need to be suitably permitted (e.g. invoker) members of the project and you will need to use a JWT (using the Cloud Run service's endpoint as its audience) that the client exchanges for the identity token. This is documented in the link you included: https://cloud.google.com/run/docs/authenticating/service-to-service

Another, more complex but more flexible approach is to use Firebase Auth to support federated authentication (e.g. Google, Microsoft, Facebook accounts) and Cloud Endpoints (another proxy) to authenticate. Using this approach, you will need to implement an authorization service too to determine what role an authenticated user has: https://cloud.google.com/endpoints/docs/grpc/authenticating-users

Upvotes: 0
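An added example (not part of the answer above) of a Python client for a Cloud Run service that requires authentication: TLS channel credentials combined with an identity token whose audience is the service's endpoint. The function names are hypothetical, and it assumes the `grpcio` and `google-auth` packages with Application Default Credentials available.

```python
import base64
import json
import time
from urllib.parse import urlsplit


def target_and_audience(service_url):
    """Map a Cloud Run URL to (gRPC target, identity-token audience)."""
    parts = urlsplit(service_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("Cloud Run endpoints are https:// URLs")
    # TLS is served on 443; the audience is the bare service URL.
    return f"{parts.hostname}:443", f"https://{parts.hostname}"


def token_problems(id_token, audience, now=None):
    """List reasons the token would be rejected. The payload is decoded
    WITHOUT verifying the signature: client-side diagnostics only."""
    try:
        payload = id_token.split(".")[1]
        claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    except (IndexError, ValueError):
        return ["not a JWT"]
    if not isinstance(claims, dict):
        return ["not a JWT"]
    problems = []
    if claims.get("aud") != audience:
        problems.append(f"aud is {claims.get('aud')!r}, expected {audience!r}")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        problems.append("token expired")
    return problems


def authenticated_channel(service_url):
    """TLS channel that attaches a Google-signed identity token to every call."""
    # Imported here so the helpers above work without these packages installed.
    import grpc
    from google.auth.transport.requests import Request
    from google.oauth2 import id_token

    target, audience = target_and_audience(service_url)
    token = id_token.fetch_id_token(Request(), audience)
    problems = token_problems(token, audience)
    if problems:
        raise RuntimeError("; ".join(problems))
    creds = grpc.composite_channel_credentials(
        grpc.ssl_channel_credentials(),             # server auth via public CA roots
        grpc.access_token_call_credentials(token),  # "authorization: Bearer <token>"
    )
    return grpc.secure_channel(target, creds)
```

The token is fixed when the channel is built, so a long-lived client has to rebuild the channel before the token's `exp` passes.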

Tore Nestenius

Reputation: 19971

You run gRPC over HTTP/2, and for HTTP/2 you typically secure it using a TLS certificate (same as for plain HTTPS).

Authentication is done either through tokens/keys or client certificates or whatever you like. Tokens/keys you typically provide as an authentication header in HTTP/2 (similar to HTTP/1.1).

For HTTPS to work, you need a valid certificate, typically issued in the cloud using LetsEncrypt.

gRPC is like any other HTTP request (but over HTTP/2).

Upvotes: 0
