Google Cloud Run身份验证服务到服务 [英] Google Cloud Run Authentication Service-to-Service
问题描述
我在GCP Cloud Run上部署了两个服务(API).分别称为service-one.myDomain.com
和service-two.myDomain.com
.我希望可以在调用服务2时对服务1进行身份验证,而与任何用户正在执行的操作无关.
I have two services (APIs) deployed on GCP Cloud Run. Call them service-one.myDomain.com
and service-two.myDomain.com
. I would like service-one to be authenticated in calling service-two independently of what any user is doing.
我已阅读并实施了GCP Cloud Run文档中有关认证服务到服务(
I've read and implemented the instructions from GCP Cloud Run docs on Authenticating service-to-service (https://cloud.google.com/run/docs/authenticating/service-to-service) but service-one.myDomain.com
is unsuccessful in calling service-two.myDomain.com
receiving a 401:Unauthorized response.
关于如何获取service-one
成功调用service-two
的任何想法?
Any thoughts on how to get service-one
to successfully call service-two
?
在google IAM上,我创建了两个服务帐户,并授予了他们两个"Cloud Run Invoker"(roles/run.invoker
)角色:
service-one@myproject.iam.gserviceaccount.com
service-two@myproject.iam.gserviceaccount.com
On google IAM, I created two service accounts and granted them both the "Cloud Run Invoker" (roles/run.invoker
) role:
service-one@myproject.iam.gserviceaccount.com
service-two@myproject.iam.gserviceaccount.com
在Cloud Run内部,我将服务帐户从默认计算服务帐户"更改为我创建的服务帐户.我将service-one@myproject.iam.gserviceaccount.com
分配给service-one.myDomain.com
,将service-two@myproject.iam.gserviceaccount.com
分配给service-two.myDomain.com
Inside Cloud Run I changed the service account from the "Default compute service account" to the service accounts I created. I assigned service-one@myproject.iam.gserviceaccount.com
for service-one.myDomain.com
and service-two@myproject.iam.gserviceaccount.com
for service-two.myDomain.com
在service-one.myDomain.com
中,我调用元数据服务器以从以下URL获得令牌(jwt):
http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=https://service-two.myDomain.com
,请求标头设置为{'Metadata-Flavor': 'Google'}
,请求成功,并且我收到的令牌被解码为具有以下有效负载:
In service-one.myDomain.com
I make a call to the metadata server to get a token (jwt) from the following url:
http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=https://service-two.myDomain.com
with a request header set as {'Metadata-Flavor': 'Google'}
The request is successful and the token I receive is decoded to have the following payload:
{
"alg": "RS256",
"kid": "9cef5340642b157fa8a4f0d874fe7543872d82db",
"typ": "JWT"
}
{
"aud": "https://service-two.mydomain.com",
"azp": "100959068407876085761",
"email": "service-one@myproject.iam.gserviceaccount.com",
"email_verified": true,
"exp": 1572806540,
"iat": 1572802940,
"iss": "https://accounts.google.com",
"sub": "100953168404568085761"
}
Http请求:
使用令牌,我从service-one.myDomain.com
向service-two.myDomain.com
上的http端点发出请求.我用{'Authorization': 'Bearer {token}'}
设置了请求标头({token}
是令牌的值).
Http request:
Using the token I make a request from service-one.myDomain.com
to an http endpoint on service-two.myDomain.com
. I set the request header with {'Authorization': 'Bearer {token}'}
({token}
is value of token).
响应为401未经授权,我的日志显示响应标头包括:
The response is a 401 Unauthorized and my logs show the response headers to include:
{'WWW-Authenticate': 'Bearer error="invalid_token" error_description="The access token could not be verified"'}
内容为:
"
<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>401 Unauthorized</title>
</head>
<body text=#000000 bgcolor=#ffffff>
<h1>Error: Unauthorized</h1>
<h2>Your client does not have permission to the requested URL <code>/health</code>.</h2>
<h2></h2>
</body></html>
"
我很困惑...关于让service-one
验证到service-two
所缺少的任何想法?
I'm stumped.... any ideas on what I'm missing to get service-one
to authenticate to service-two
?
推荐答案
答案是使用gcp云运行生成的Url作为OIDC令牌请求中的受众.并与jwt中的"aud"字段相关.
The answer was to use the gcp cloud run generated Url as the audience in the OIDC token request. And relatedly the "aud" field in the jwt.
我的发现是云运行中的服务到服务身份验证不支持自定义域(myDomain.com).我正在使用我的自定义域.
My discovery was that Service-to-Service authentication in cloud run does not support custom domains (myDomain.com). I was using my custom domain.
(我感觉很傻)谢谢@guillaumeblaquiere
(I feel like a bonehead) thanks @guillaumeblaquiere
这篇关于Google Cloud Run身份验证服务到服务的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!