AWS IoT rules have an https event that can use sigV4 auth, and GCS api allows uploads using sigV4. I have no clue how to configure the rule event to properly authenticate using that though, is it even possible?
Related
I'm developing a reactJS app that will run in browser. I want to make request from that app to services deployed in Google Cloud Run and Google Cloud Functions, both with authentication enabled, but I don't know how to authenticate requests.
I have a Service Account credentials with permissions to invoke those services but I cannot use default credentials due to reactJS environment variables names and I cannot use the NodeJS Google Cloud SDK.
How can I authenticate request to Cloud Functions/Cloud Run from reactJS apps outside of Google Cloud?
You have to use client side authentication mechanism. Firebase Auth works very well, and you have the Google Cloud version name Google Identity Platform.
EDIT 1
If your user aren't authenticated, you can't use authentication services. You should want to limit the access, the cost, the abuse of your Cloud Functions and Cloud Run services. For that, you need to use an API Gateway, such as Google Cloud API Gateway, or a more entreprise grade with APIGee.
You can also use a HTTPS Load Balancer in front of Cloud Functions or Cloud Run and activate Cloud Armor to prevent attacks on your service (but it's not a rate limit).
I have a scenario where I have an on-premise GUI application which has a "Web Service Invoke" component which I use to call a GAE API.
In the GUI application, it is possible to:
store credentials
create a chain of web services/http(s) calls that can integrate an output of preceding https(s) call as a query parameter or header value into the next http(s) call
retrieve a value from JSON response of the http(s) call
But it is not possible to programmatically do anything. The Web Service widget has fields for passing API URL, query parameters and headers only.
I'm looking to do a service-to-service authentication for the API call and the API should be protected using IAP as well.
I'm aware of the recommended approach is to create a service account and provide the service account JSON key file to the client and the client signs a JWT token and pass it as a bearer token. But as I only have widgets, no programming possible, therefore signing JWT token is not an option.
I was looking at Google OAuth or IAM APIs which can support "client_credentials" grant type wherein I can get an access token using just clientId and clientSecret - something possible in Apigee. But it seems this grant type is not supported by Google OAuth APIs.
I also looked at Cloud Endpoints using API KEY - so the current thought is to the client passes API KEY in header/parameter for authentication to Cloud Endpoints, then Cloud Endpoints uses its service account to get access through IAP, and finally, I'm thinking that the client can also send in "Basic Auth" credentials through Authorization header which the GAE API backend service validates. The additional "Basic Auth" is because Google recommends using another auth method in addition to API KEY.
I would like a simpler solution if possible using GAE and IAP only. Any other suggestions, especially using time-limited tokens, that can work over only http(s) calls (non-programmatic or client library), is much appreciated.
Any alternatives or things to try is also appreciated.
Look into this server-to-server authentication using JWT Google API Authentication
I created a custom tensorflow model and deployed to google cloud AI platform. To access the online prediction at (https://ml.googleapis.com/v1/projects/my-project/models/my-model/versions/my-version:predict),
I can use default auth token got with the following command:
access_token=$(gcloud auth application-default print-access-token)
or, according to: https://cloud.google.com/ml-engine/docs/python-client-library, I can create a service account key, download it, and use it to in an outh2 authentication protocol.
The problem arises when I want to access the online prediction from another API that I am deploying in Google Cloud Platform: in this case the command above doesn't work and I can't access to any file to sign my jwt for authentication. How can I create my jwt without accessing to any file?
You want to send and consume Cloud Pub/Sub messages from your App Engine application. The Cloud Pub/Sub API is currently disabled. You will use a service account to authenticate your application to the API. You want to make sure your application can use Cloud Pub/Sub. What should
you do?
A. Enable the Cloud Pub/Sub API in the API Library on the GCP Console.
B. Rely on the automatic enablement of the Cloud Pub/Sub API when the Service Account accesses it.
C. Use Deployment Manager to deploy your application. Rely on the automatic enablement of all APIs used by the application being deployed.
D. Grant the App Engine Default service account the role of Cloud Pub/Sub Admin. Have your application enable the API on the first connection to Cloud Pub/Sub.
I realized that if I build an app that uses pubsub. it works without manually enabled the pubsub api. But I couldn't find anything in the documentation about that. Which is the correct answer?
You want to send and consume Cloud Pub/Sub messages from your App
Engine application. The Cloud Pub/Sub API is currently disabled. You
will use a service account to authenticate your application to the
API. You want to make sure your application can use Cloud Pub/Sub.
What should you do?
Let's analyze each possible answer to determine the best answer.
A. Enable the Cloud Pub/Sub API in the API Library on the GCP Console.
This is a possible answer. The standard method is to enable services in the Google Cloud Console. You can also enable services with the Cloud SDK CLI gcloud services enable pubsub.googleapis.com
B. Rely on the automatic enablement of the Cloud Pub/Sub API when the
Service Account accesses it.
This is not a possible answer. Google Cloud Services are not automatically enabled when the service account accesses it. First, service accounts do not access APIs. Service accounts are used to obtain an OAuth Access Token (or Identity Token). These tokens are used to authorize APIs. Services are not automatically enabled with an API makes first access.
C. Use Deployment Manager to deploy your application. Rely on the
automatic enablement of all APIs used by the application being
deployed.
This is not a possible answer. Deployment Manager does not automatically enable services. You can use Deployment Manager Resource Types to enable services. You must create a virtual resource for each API that you want enabled.
D. Grant the App Engine Default service account the role of Cloud
Pub/Sub Admin. Have your application enable the API on the first
connection to Cloud Pub/Sub.
This is not a possible answer. Cloud Pub/Sub Admin does not have permissions to enable services. To enable services the service account (or User Account) will need roles/serviceusage.serviceUsageAdmin or another role with the permission serviceusage.services.enable.
Drumroll Please ....
Therefore the best answer is A in my opinion.
I am using Google App Engine with it's default OAuth Service. I can easily access it with the help of Google OAuth Java Client Library - I get the request token, user authorizes and everything work just fine.
My question is - is there a way to access my API without user context? So called application-only method (see Twitter) (in OAuth2 it's called client_credentials?
Because some of my API methods (on my personal Google App Engine application) really don't need any user context - just a consumer key so I can identify and measure my API consumers.