Reputation: 7012
I have two Google Cloud Run services A and B running and tested.
The first one is public (i.e. allows unauthenticated invocations) - ...until I find out how to give access to only one app (on web and mobile) - but this is a different topic ;)
The second one is set to "Require authentication".
My question is: How can Cloud Run service A call Cloud Run service B ?
Here my steps so far:
I created Service Account A for the Cloud Run service A inside IAM, giving it "Cloud Run Invoker" permission (roles/run.invoker).
I created Service Account B for the Cloud Run service B inside IAM, also giving it "Cloud Run Invoker" permission (roles/run.invoker).
I added "Cloud Run Service Agent" permission inside IAM to Cloud Run B (with the Service Account A email as principal).
--> now I was hoping that I can somehow give Cloud Run service A an Auth-header (for example an OIDC token, as Cloud Scheduler can set it). But I can't find anywhere on the "Edit & Deploy New Revision" console an appropriate place to set this Auth-header.
The only place I found was a separate TAB called SECURITY that actually allows setting a Service Account.
BUT UNFORTUNATELY IT ONLY ALLOWS TO SET ONE SERVICE ACCOUNT.
(and the one is already taken by my need for firestore in my project).
Is there another way to add more Service Accounts to this Cloud Run A? If yes, how? Or is it all necessary?
What do I have to do exactly (step-by-step explanation) to be able to call Cloud-Run-service-B-API-methods from Cloud Run service A (knowing that B requires IAM authentication)?
Upvotes: 0
Views: 444
Reputation: 3009
As it is mentioned by @John Hanley:
There is no cloud setting to automatically add authorization to HTTP requests. You must create (fetch) the OIDC identity token yourself via code and add the Authorization header to the HTTP requests. The SDKs have features to make this easier.
The OIDC identification token must be created by you using code, and all HTTP requests must include the Authorization header.
You can try this document for different methods to get an OIDC token. And for using the client SDKs, you can check this documentation.
And to answer your question,
how long will the idToken be valid (it's nowhere written in the doc) ?
As mentioned in the document
By default, access tokens and ID tokens are valid for 1 hour. A refresh token is a special token that is used to obtain additional access tokens or ID tokens. When your application first authenticates, it receives an access token or ID token, as well as a refresh token. Later, if the application needs to access resources again, and the previously provided token has expired, it uses the refresh token to request a new token. Refresh tokens are used only for user authentication, such as for Cloud Identity or Google Workspace.
Upvotes: 1
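Added example (not part of the question or the answer above): what "fetch the OIDC identity token yourself in code" looks like inside Cloud Run service A, using only the standard library. On Cloud Run the token comes from the metadata server, minted for the one service account configured on the SECURITY tab; that same account can hold roles/run.invoker on service B and still be used for Firestore, so a second service account is not needed. The token's audience must be service B's URL, and because the answer notes that ID tokens are valid for 1 hour, the code reads the token's exp claim and refreshes shortly before expiry instead of calling the metadata server on every request. SERVICE_B_URL is a placeholder, and unsigned_jwt() only builds constructed, unsigned test tokens; real tokens are signed by Google and verified by Cloud Run's IAM check, never by this code.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumed/placeholder: the URL of Cloud Run service B (the audience of the token).
SERVICE_B_URL = "https://service-b-abcdef-uc.a.run.app"

# Metadata server endpoint available inside a Cloud Run container; it returns an
# OIDC identity token for the revision's service account.
METADATA_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                "instance/service-accounts/default/identity")


def identity_token_request(audience):
    """Return (url, headers) for the metadata-server identity token request.

    The audience must be the URL of the service being called; a token minted for
    a different audience is rejected by B's IAM check.
    """
    url = METADATA_URL + "?" + urllib.parse.urlencode({"audience": audience})
    return url, {"Metadata-Flavor": "Google"}


def metadata_fetch(url, headers):
    """Real fetch: ask the metadata server for the token (only works on Cloud Run)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature.

    Used only to read 'exp' for local caching; service B (Cloud Run IAM)
    verifies the signature, so no trust decision is made here.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


class IdentityTokenCache:
    """Caches one identity token per audience and refreshes it before 'exp'."""

    def __init__(self, audience, fetch=metadata_fetch, skew=60):
        self._audience = audience
        self._fetch = fetch      # callable(url, headers) -> token string
        self._skew = skew        # seconds before exp at which we refresh
        self._token = None
        self._exp = 0

    def token(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._exp - self._skew:
            url, headers = identity_token_request(self._audience)
            self._token = self._fetch(url, headers)
            self._exp = jwt_claims(self._token)["exp"]
        return self._token


def authorized_request(token, url, method="GET", body=None):
    """Build the outbound request to B carrying the Authorization: Bearer header."""
    headers = {"Authorization": "Bearer " + token}
    return urllib.request.Request(url, data=body, method=method, headers=headers)


def call_service_b(cache, path="/"):
    """Invoke service B with a fresh-enough identity token (network call)."""
    req = authorized_request(cache.token(), SERVICE_B_URL + path)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()


def unsigned_jwt(claims):
    """Constructed, UNSIGNED token for offline testing only (alg 'none', empty signature).

    Google-issued identity tokens are RS256-signed; this helper exists so the
    caching logic can be exercised without a metadata server.
    """
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return b64({"alg": "none", "typ": "JWT"}) + "." + b64(claims) + "."


if __name__ == "__main__":
    # On Cloud Run: fetch a token for B, then call B's API.
    status, body = call_service_b(IdentityTokenCache(SERVICE_B_URL), "/api/hello")
    print(status, body[:200])
```

The refresh skew matters: a token handed to an outbound request a few seconds before its exp can expire in flight and produce a 401 from B, so refreshing a minute early is the practical caveat to the "valid for 1 hour" statement in the answer.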