I need to allow Cloud Scheduler to call a REST endpoint in an App Engine app in the same project. I have set the scheduler target to "App Engine HTTP" and put the correct service and path to the API. When I test access to it, I am receiving a 401 Unauthorized. This occurs due to the presence of the OpenAPI cloud endpoints service on the API. I have service accounts listed in my OpenAPI yaml that are permitted to access the API, but I am not sure how to allow the Cloud Scheduler through. I have not found any documentation so far that provides this information.
Related
I'm developing a reactJS app that will run in browser. I want to make request from that app to services deployed in Google Cloud Run and Google Cloud Functions, both with authentication enabled, but I don't know how to authenticate requests.
I have a Service Account credentials with permissions to invoke those services but I cannot use default credentials due to reactJS environment variables names and I cannot use the NodeJS Google Cloud SDK.
How can I authenticate request to Cloud Functions/Cloud Run from reactJS apps outside of Google Cloud?
You have to use client side authentication mechanism. Firebase Auth works very well, and you have the Google Cloud version name Google Identity Platform.
EDIT 1
If your user aren't authenticated, you can't use authentication services. You should want to limit the access, the cost, the abuse of your Cloud Functions and Cloud Run services. For that, you need to use an API Gateway, such as Google Cloud API Gateway, or a more entreprise grade with APIGee.
You can also use a HTTPS Load Balancer in front of Cloud Functions or Cloud Run and activate Cloud Armor to prevent attacks on your service (but it's not a rate limit).
You want to send and consume Cloud Pub/Sub messages from your App Engine application. The Cloud Pub/Sub API is currently disabled. You will use a service account to authenticate your application to the API. You want to make sure your application can use Cloud Pub/Sub. What should
you do?
A. Enable the Cloud Pub/Sub API in the API Library on the GCP Console.
B. Rely on the automatic enablement of the Cloud Pub/Sub API when the Service Account accesses it.
C. Use Deployment Manager to deploy your application. Rely on the automatic enablement of all APIs used by the application being deployed.
D. Grant the App Engine Default service account the role of Cloud Pub/Sub Admin. Have your application enable the API on the first connection to Cloud Pub/Sub.
I realized that if I build an app that uses pubsub. it works without manually enabled the pubsub api. But I couldn't find anything in the documentation about that. Which is the correct answer?
You want to send and consume Cloud Pub/Sub messages from your App
Engine application. The Cloud Pub/Sub API is currently disabled. You
will use a service account to authenticate your application to the
API. You want to make sure your application can use Cloud Pub/Sub.
What should you do?
Let's analyze each possible answer to determine the best answer.
A. Enable the Cloud Pub/Sub API in the API Library on the GCP Console.
This is a possible answer. The standard method is to enable services in the Google Cloud Console. You can also enable services with the Cloud SDK CLI gcloud services enable pubsub.googleapis.com
B. Rely on the automatic enablement of the Cloud Pub/Sub API when the
Service Account accesses it.
This is not a possible answer. Google Cloud Services are not automatically enabled when the service account accesses it. First, service accounts do not access APIs. Service accounts are used to obtain an OAuth Access Token (or Identity Token). These tokens are used to authorize APIs. Services are not automatically enabled with an API makes first access.
C. Use Deployment Manager to deploy your application. Rely on the
automatic enablement of all APIs used by the application being
deployed.
This is not a possible answer. Deployment Manager does not automatically enable services. You can use Deployment Manager Resource Types to enable services. You must create a virtual resource for each API that you want enabled.
D. Grant the App Engine Default service account the role of Cloud
Pub/Sub Admin. Have your application enable the API on the first
connection to Cloud Pub/Sub.
This is not a possible answer. Cloud Pub/Sub Admin does not have permissions to enable services. To enable services the service account (or User Account) will need roles/serviceusage.serviceUsageAdmin or another role with the permission serviceusage.services.enable.
Drumroll Please ....
Therefore the best answer is A in my opinion.
For a project that I'm currently developing, I need to expose a servlet (hosted on Google App Engine) to a Java executable which is hosted on Google Compute Engine (in the same project). Such servlet performs some maintenance tasks, so it should never be triggered by non-authorized users. So, the goal is to authorize the requests coming from the Google Compute Engine instance that is running the JAR executable.
In the past I've solved the same issue by having the servlet exposed on HTTPS and rely on a "shared secret", known both to AppEngine application and to the JAR running on the Compute Engine instance. In that way, the instance calls the specific servlet (which is public), then the servlet verifies if the secret is correct, and if so, the request is allowed.
I don't like this approach. For sure we can do something better using challenge-response authentication or by using some other authentication procedure (probably via asymmetric crypto signing). However, this is not what I want to do.
My preferred way of acheiving the same result would be by using the Compute Engine Default Service Account. I am pretty sure there is a way of creating a HTTP POST request on the compute engine and authenticate that via the default service account key. Then, on the servlet, I would rely on the UserService to check whether the request is coming from the ComputeEngine default service account, and if so, I would accept that.
However, I have not seen any documentation or code example that explains how to do that. I suspect there might be possible to perform an authenticated HTTPRequest using the default Compute Engine Service Sccount (maybe adding the Bearer JWT token as Authorization header?).
Has anyone tried something like that?
You have several options; OAuth is likely your best bet.
I have a rest API hosted in Google App Engine. (API lives in a Docker container in the Flexible environment).
I need to support only internal API calls (from another service in the same App Engine Project) and for developer testing be able to call it directly (I don't want user authentication, but I should be able to access it still using the application_default_credentials...I'm just unsure how)
Can you direct me to documentation or examples of how to set this up?
The Google documentation is very lacking.
You have several options, including the following:
The App Engine documentation states that the recommended approach is OAuth for microservices that require authentication.
A second option is to use Cloud Endpoints with service account authentication.
Third, you can use Identity-Aware Proxy to secure the server. Clients can get an identity token from the metadata server.
I want to implement some form of access control for a REST API implemented in App engine. Is it possible to get the list of GAE Applications that a user has permissions to administer or view in the app engine console. Or whether the user has permissions to administer/view the current application.
Note: the Users API does not work for me because this is a rest server called by another google app not a web service called by a user from the browser. OAuth API seems promising but I was unable to find an OAuth scope or rest endpoint for getting GAE related information.
there is no API that can provide a "list of GAE Applications that a user has permissions to administer." Google Cloud Endpoints on App Engine (Trusted Tester program) may be useful for hosting custom RESTful APIs with user authorization may be useful, read more here: http://endpoints-trusted-tester.appspot.com/
There must be an API as the Google Eclipse plugin is using it.
https://developers.google.com/eclipse/docs/signin?hl=de
But it is not documented.