About GCP PubSub Push subscriber validating jwt - google-cloud-pubsub

PubSub docs says that "For high volume push requests, it would save some network overhead if you verify the tokens offline by downloading Google's Public Cert and decode them using the google.auth.jwt module".
I'm confused that how and where to downloading Google's Public Cert?

You can find them in this section

Related

Use Cloud Pub/Sub to trigger sending of email

I'm trying to figure out how to use Cloud Pub/Sub to trigger the sending of an email when a file is added to a storage bucket.
Currently using PHP72 in Google App Engine standard environment. First I created a Topic that creates a message when a file is added to the storage bucket. Then I created a Pull subscription which reads the message. I can view the messages in the GCP console, but what I would like to happen is that I want to be notified by email, preferably with a copy of the file added to the email as an attachment. Is this possible? I tried looking for a solution or tutorial but came up empty.
You can implement the send mail login in a cloud function which will be triggered by Pub/Sub (Node.js,Python,Go).
Using Pub/Sub to trigger a Cloud Function
Instead of using a pull subscription, you should probably use a push subscription with App Engine, combined with one of the third party mail services such as Send Grid or MailJet.
The upload of an object to GCS triggers a message to be sent to the topic, and the push subscription delivers that message to App Engine.
Unfortunately, there aren't any full tutorials asking for exactly what you want, but hopefully this helps. Feel free to request a community tutorial for this by filing an issue on the GCP community toturial repo.

Do outgoing emails using JavaMail through Gmail/Sendgrid SMTP count towards Mail API limits in Google App Engine?

I'm running an app on the Google App Engine standard environment. We need to send out a lot of emails and it looks like App Engine now lets us use JavaMail to send emails using SMTP - connecting to smtp.gmail.com or smtp.sendgrid.net.
I was wondering if this counts towards the Mail API limits/quotas in App Engine. I'm guessing it shouldn't, since the email is actually sent by the respective SMTP server and it's only outbound traffic from App Engine. Is this correct?
Note: I'm not a Java user, the answer is based on documentation only.
Indeed, using 3rd party partner mail services is the Google recommendation for sending lots of emails. From Quotas and limits:
Each Mail service request counts toward the Mail API Calls quota.
There are also quotas for the number of messages you can send, the
number of Admin messages you can send, and the amount of data and
attachments you can send. For more details, see Mail quotas.
[...]
If you need to send more mail then the quota allows, you can use a
third-party mail provider, such as SendGrid or Mailgun.
And JavaMail can, indeed, use these 3rd party SMTP servers. From Sending email messages:
To send email messages, use the JavaMail classes included with the App
Engine SDK.
When you create a JavaMail Session, if you do not provide any SMTP
server configuration, App Engine uses the Mail service for sending
messages. Alternatively, add SMTP configuration for supported
third-party mail providers such as Mailgun, Mailjet, or
SendGrid.
This last quote appears (depending on how you interpret it, I guess) to support your assumption that when SMTP servers are specified the Mail service would not be used, thus those calls wouldn't be counted against the Mail API Calls quota.
Also each of the 3rd-party mail integration documentation page referenced in these quotes doesn't (or at least doesn't directly) use JavaMail, instead they require specific libraries/modules. Which might have some relationship with bypassing the GAE Mail Api quota limits. For example, from Sending Email with SendGrid:
Sending an email
It's easy to get started with the Java library for SendGrid to
send emails from your App Engine apps.
With the prerequisites complete, make sure you are set up for
Java on your local machine. The last thing you'll need before
writing code is to copy Sendgrid.java to the src directory of
your app. You'll import this class so that you can create a SendGrid
instance and send mail with simple commands.
So, to gain certainty, my suggestion is to actually put your assumption to the test: send some emails using JavaMail while specifying your SMTP server info, then check your actual usage in the developer console Quotas page for matching increases. Notes:
give some ample room for propagation delays - the usage counts might not be immediately updated
if you don't see the Mail section in the Usage table check also, towards the bottom of the page, a Show resources not in use button/link (but, if it's in there, it means the usage is zero).
You could also directly follow the recommended specific instructions for your 3rd party provider of choice and practically avoid the question altogether :)

Gcp PubSub not pushing message to REST Endpoint

I am facing an problem, Gcp PubSub not pushing message to my registered endpoint. Let me narrate in details the steps I have executed.
Note,
I am not using app engine
I am deploying my simple spring boot app on PCF (Pivotal Cloud Foundry...PaaS) hosted on GCP (IaaS)
Steps:
1st I have created an service account with required permission to access GCP PubSub
Next am using this service account to create/subscribe/register my endpoint to the topic
Next, as expected I have registered & verified my domain ownership & added my push endpoint path say https://example.com with GCP
Deployed my app in Pcf
Test Executed:
I am able to successfully create & subscribe the topic
Successfully registered my push end point like https://example.com/myPushEp with the newly created topic
Successfully able to post message to the topic.
As my push ep is registered with gcp pubsub topic so asa the message is posted it must be pushed into registered endpoint, but unfortunately it not pushing any message to the registered endpoint. I am completely clueless what is the mistake.
Can any one guide me where I am doing the mistakes. Its an simple spring boot rest application, do I am making any mistake in coding or any configuration.
I recommend you looking in Cloud Monitoring, you can use the push metrics, which start with the name "Push Request", to figure out if your messages are being pushed to your endpoint and if your endpoint is returning errors to Pub/Sub.
I faced the same problem and the funny turnout was that it was my server's fail2ban who banned google ip addresses.
One reason might be that the SSL Certificate of your push endpoint might be expired. It took me half a day to figure it out. Pubsub requires a working SSL certificate.
You can look up the type of errors in Google's stack monitoring. If it is a pubsub_interal_push error then most likely it is a certificate issue.
Usually, Google doesn't accept URLs without HTTPS but in my case - I had an HTTP URL. The certificate had an issue.

AppEngine Multi backends keeping autoscaling

I have an AppEngine webapp with a JavaScript tracker. I want it to make HTTP calls to a collector (which is a REST API that saves data into BigQuery) without making an entire app-to-app authentication process with OAuth/JWT or whatever.
According to this thread it's not possible for AppEngine to use a REST API located on a compute engine instance with an internal IP.
In addition, it seems that it's not possible to use GAE multibackends feature since it loses autoscaling and I really need this feature.
What is the proper Google Cloud way to achieve this ?
I presume that the collector is running on compute engine and the problem is how to verify that requests to the collector are genuine requests from the AppEngine service since the only way for the AppEngine app to reach the collector is via a public IP.
AppEngine has an Identity API for an AppEngine to assert to a third party service that a request is genuine. A more detailed (and less contrived) example of how to use this is discussed here. The code link no longer works but the code is available here.
This specific sequence from the last article seems to be more or less what you need:
Client App generates a signed blob by calling app_identity.signForApp(string_blob)
Client App exposes its public certificates on a public endpoint, for example clientapp.com/certs. In the demos below we use a trivial Json format to expose certificates, something like: {"cert1":"x509 cert pem", "cert2":"x509 cert pem 2"...}.
Client App sends a request to API App along with the signed blob and the URL that contains Client App's public certificates.
API App fetches Client App's public certificates from that URL
API App verifies the signature of the signed blob. The API App might perform other business logic like checking if the Client App (as identified by the URL of its public certificates) is on an access control list.
Both apps should agree on the same 'signed blob' format. In our demo we use JWT as the signed token format. The detailed spec can be found at http://self-issued.info/

SSL on Google App Engine trusted for Certificate

I have created a self signed certificate and of course my website works with https but not trusted.
What do i have to do to create a certificate for Google App Engine?
You need to buy a certificate from a trusted certificate provider. You might want to have a read of this: http://en.wikipedia.org/wiki/Certificate_authority#Providers
Or search for something like "Certificate Providers" on your favorite search engine.
i made it but how: 1st of all you need a trusted certificate.
You will get the warning in the browser ... and if you organized a
cheap certificate you will end up in buying a more expensive as you
will find out that on e.g. android device it is not trusted. And
Google will help with a bot warning: Googlebot noticed your site,
https://www.abc.com/, uses an SSL certificate which may be considered
invalid by web browsers ... To correct this problem, please get a new
SSL certificate from a Certificate Authority (CA) that is trusted by
web browsers.
I tried one for 19€ and i am ending with the untrusted message on android and the Googlebot message as above. It would be great to implement a certificate procedure that leads to a realy trusted and not too expensive certificate in Google Apps SSL Tab.
SSL on your domain will not work for pre-Honeycomb android if you use SNI:
https://developers.google.com/appengine/docs/ssl
Disclaimer: I own this site
I found setting up SSL for App Engine more difficult than it should be so I made a service specifically designed for App Engine to make it better: https://www.volcanicpixels.com/ssl/
Installing SSL on App Engine was super difficult to figure out.
For me it was difficult because google asked me for two pieces of information and I had no idea how to reconcile that with what my SSL provider had given me.
The key information for me was that:
The PEM encoded X.509 certificate is what your certificate issuer probably sent you in an e-mail (mine just sent the text to me, didn't even have a file extension, I think this is normally the .csr file, but I'm not sure)
The Unencrypted PEM encoded RSA private key is your .key file after you run this command on it: `openssl rsa -in domain.key -out domain.pem

Resources