Google Cloud Run Authentication Service-to-Service


Problem description

I have two services (APIs) deployed on GCP Cloud Run. Call them service-one.myDomain.com and service-two.myDomain.com. I would like service-one to be authenticated in calling service-two independently of what any user is doing.

I've read and implemented the instructions from the GCP Cloud Run docs on Authenticating service-to-service (https://cloud.google.com/run/docs/authenticating/service-to-service), but service-one.myDomain.com is unsuccessful in calling service-two.myDomain.com, receiving a 401 Unauthorized response.

Any thoughts on how to get service-one to successfully call service-two?

On Google IAM, I created two service accounts and granted them both the "Cloud Run Invoker" (roles/run.invoker) role: service-one@myproject.iam.gserviceaccount.com and service-two@myproject.iam.gserviceaccount.com

Inside Cloud Run I changed the service account from the "Default compute service account" to the service accounts I created. I assigned service-one@myproject.iam.gserviceaccount.com to service-one.myDomain.com and service-two@myproject.iam.gserviceaccount.com to service-two.myDomain.com.

In service-one.myDomain.com I make a call to the metadata server to get a token (JWT) from the following URL: http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=https://service-two.myDomain.com with a request header set as {'Metadata-Flavor': 'Google'}. The request is successful, and the token I receive decodes to the following header and payload:

{
  "alg": "RS256",
  "kid": "9cef5340642b157fa8a4f0d874fe7543872d82db",
  "typ": "JWT"
}

{
  "aud": "https://service-two.mydomain.com",
  "azp": "100959068407876085761",
  "email": "service-one@myproject.iam.gserviceaccount.com",
  "email_verified": true,
  "exp": 1572806540,
  "iat": 1572802940,
  "iss": "https://accounts.google.com",
  "sub": "100953168404568085761"
}

HTTP request:

Using the token, I make a request from service-one.myDomain.com to an HTTP endpoint on service-two.myDomain.com. I set the request header with {'Authorization': 'Bearer {token}'} ({token} is the value of the token).

The response is a 401 Unauthorized, and my logs show the response headers to include:

{'WWW-Authenticate': 'Bearer error="invalid_token" error_description="The access token could not be verified"'}

and the body is:

"
<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>401 Unauthorized</title>
</head>
<body text=#000000 bgcolor=#ffffff>
<h1>Error: Unauthorized</h1>
<h2>Your client does not have permission to the requested URL <code>/health</code>.</h2>
<h2></h2>
</body></html>
" 

I'm stumped.... any ideas on what I'm missing to get service-one to authenticate to service-two?

Recommended answer

The answer was to use the GCP Cloud Run generated URL as the audience in the OIDC token request, and correspondingly as the "aud" field in the JWT.

My discovery was that service-to-service authentication in Cloud Run does not support custom domains (myDomain.com). I was using my custom domain.

(I feel like a bonehead) thanks @guillaumeblaquiere
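The flow from the question and the fix from the answer, as an added example (not code from the original question, the answer, or Google's own libraries): service-one asks the metadata server for an identity token whose audience is the *.run.app URL Cloud Run generated for service-two, then sends it as a Bearer token. The `SERVICE_TWO_URL` value is a hypothetical generated URL of the shape Cloud Run assigns (the real one is shown in the Cloud Run console); `metadata.google.internal` is the documented metadata hostname (the question's bare `metadata` resolves to the same server). The `fake_transport` stand-in is constructed here so the flow runs offline: it mints an unsigned token echoing the requested audience and, like the real Cloud Run front end, refuses a token whose `aud` is not the service's run.app URL. Note that Cloud Run has since added configurable custom audiences on a service; unless that is set up, the generated URL remains the audience to request.

```python
# Added example, not code from the original question or answer.
# Service-to-service call on Cloud Run: mint an OIDC identity token from the
# metadata server for the target's *.run.app URL, then call it as Bearer.
import base64
import json
import urllib.parse
import urllib.request

# Documented metadata-server endpoint for identity tokens.
METADATA_IDENTITY_URL = (
    "http://metadata.google.internal/computeMetadata/v1/"
    "instance/service-accounts/default/identity"
)
# Hypothetical generated URL for service-two (assumption, not from the post).
SERVICE_TWO_URL = "https://service-two-abcdef1234-uc.a.run.app"


def identity_token_url(audience: str) -> str:
    """Metadata-server URL for a token; the audience is URL-encoded so the
    '://' and '/' of the target URL arrive intact as one query value."""
    return METADATA_IDENTITY_URL + "?" + urllib.parse.urlencode({"audience": audience})


def _urllib_get(url: str, headers: dict) -> str:
    """Real transport; the metadata URL only resolves inside GCP."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def fetch_identity_token(audience: str, http_get=_urllib_get) -> str:
    """Mint an identity token for `audience`. The Metadata-Flavor header is
    mandatory; without it the metadata server refuses the request."""
    return http_get(identity_token_url(audience), {"Metadata-Flavor": "Google"})


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature: enough for a caller
    to inspect its own fresh token. Cloud Run verifies it on the receiving side."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def audience_problem(token: str, expected_run_url: str):
    """None if `aud` is the generated run.app URL, else why the call will 401."""
    aud = jwt_payload(token).get("aud")
    if aud == expected_run_url:
        return None
    if isinstance(aud, str) and not aud.endswith(".run.app"):
        return f"aud {aud!r} is a custom domain; mint the token for {expected_run_url!r}"
    return f"aud {aud!r} does not match {expected_run_url!r}"


def call_service_two(path: str = "/health", http_get=_urllib_get) -> str:
    """Full flow: token for SERVICE_TWO_URL, then GET SERVICE_TWO_URL + path."""
    token = fetch_identity_token(SERVICE_TWO_URL, http_get)
    problem = audience_problem(token, SERVICE_TWO_URL)
    if problem:
        raise ValueError(problem)
    return http_get(SERVICE_TWO_URL + path, {"Authorization": f"Bearer {token}"})


# ---- Constructed offline stand-in for the metadata server and service-two ----
def fake_transport(url: str, headers: dict) -> str:
    """Mints an unsigned token echoing the requested audience; answers
    service-two calls only when the bearer token's aud is its run.app URL."""
    if url.startswith(METADATA_IDENTITY_URL):
        assert headers.get("Metadata-Flavor") == "Google", "metadata server would 403"
        aud = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["audience"][0]

        def enc(d: dict) -> str:
            return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")

        payload = {"aud": aud, "iss": "https://accounts.google.com",
                   "email": "service-one@myproject.iam.gserviceaccount.com"}
        return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(payload) + ".sig"
    if url.startswith(SERVICE_TWO_URL):
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if not token or jwt_payload(token).get("aud") != SERVICE_TWO_URL:
            return "401 Unauthorized"
        return "200 ok"
    raise RuntimeError("unexpected url " + url)


if __name__ == "__main__":
    bad = fetch_identity_token("https://service-two.myDomain.com", fake_transport)
    print(audience_problem(bad, SERVICE_TWO_URL))      # custom-domain aud is flagged
    print(call_service_two("/health", fake_transport))  # 200 ok
```

Running the block against the constructed transport reproduces the question's failure (a token minted for the custom domain is refused) and the answer's fix (a token minted for the run.app URL is accepted). In production, pass no transport and the functions talk to the real metadata server and service; `audience_problem` is then a cheap pre-flight check that catches the custom-domain mistake before the request ever leaves service-one.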
