How to Secure App Engine Pub/Sub Push Endpoint Triggered by GCS? - google-app-engine

I'm trying to find a way to secure my google cloud app engine standard environment endpoint subscribed to a push pub/sub topic triggered by the creation of a file on google cloud storage.
Since it's only possible to set IP addresses in the firewall rules of App Engine, and Pub/Sub doesn't have a predefined set of IP addresses, it's not possible to use this feature. It's also not possible to use a custom header on the Pub/Sub call and check its validity on App Engine, since I have no control over the Pub/Sub request.
Any suggestion on how to secure the app engine endpoint?
Thanks

Cloud Pub/Sub push does not play well with IP based firewall rules. Making your push notification security based on IP addresses is not the most efficient way.
OAuth and service accounts can be useful to authenticate access to Google products, such as Cloud Pub/Sub. This will prevent outsiders from accessing your Pub/Sub API for as long as they are not included under a specific service account.
Additionally, in order for your push notifications to be secured, I would follow either of these two solutions:
To confirm that the push notification originates from Cloud Pub/Sub, you could configure endpoints which only accept messages that contain a secret token.
Set up your own push proxy. A simple stateless service might pull messages from Pub/Sub and push them from a fixed IP address to your webhook. Pub/Sub offers value in this setup by providing scaling and availability.
Additionally, I'm not sure if you already implemented exactly this and it did not work, but this link from another Stack Overflow issue may be helpful.
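The secret-token approach from the answer above, as an added example that is not part of the original post or of any Google sample: the handler rejects any push request whose ?token= query parameter does not match the secret registered on the subscription, then unwraps the Pub/Sub envelope to get at the Cloud Storage object notification. The token value, project, bucket and object names and the sample envelope are all constructed for the example.

```python
import base64
import hmac
import json
from urllib.parse import parse_qs, urlparse

# Constructed secret for this example; in a deployment, load it from an
# environment variable or a secret store and append it to the push endpoint
# URL when the subscription is created (e.g. .../gcs?token=<secret>).
PUSH_TOKEN = "example-secret-token"


def token_is_valid(request_url, expected_token=PUSH_TOKEN):
    """True if the ?token= query parameter equals the expected secret.

    hmac.compare_digest avoids leaking the secret through timing differences.
    """
    params = parse_qs(urlparse(request_url).query)
    supplied = params.get("token", [""])[0]
    return hmac.compare_digest(supplied.encode("utf-8"), expected_token.encode("utf-8"))


def parse_gcs_notification(body):
    """Unwrap a Pub/Sub push envelope carrying a Cloud Storage notification.

    Returns (attributes, payload): the message attributes (eventType, bucketId,
    objectId, ...) and the base64-decoded JSON object resource, or None if the
    message carried no data.
    """
    envelope = json.loads(body)
    message = envelope["message"]
    attributes = message.get("attributes", {})
    data = message.get("data")
    payload = json.loads(base64.b64decode(data).decode("utf-8")) if data else None
    return attributes, payload


def handle_push(request_url, body):
    """Decide how the endpoint answers a push request: (status, description).

    Any 2xx acknowledges the message; a non-2xx makes Pub/Sub redeliver it,
    so forged or malformed requests are rejected before any work is done.
    """
    if not token_is_valid(request_url):
        return 403, "invalid or missing token"
    try:
        attributes, payload = parse_gcs_notification(body)
    except (KeyError, ValueError, TypeError):
        return 400, "malformed push envelope"
    if attributes.get("eventType") != "OBJECT_FINALIZE" or not isinstance(payload, dict):
        return 204, "event ignored"
    return 204, "process gs://%s/%s" % (payload["bucket"], payload["name"])


# Constructed sample envelope, shaped like a Cloud Storage OBJECT_FINALIZE
# notification delivered through a Pub/Sub push subscription.
SAMPLE_OBJECT = {"bucket": "example-bucket", "name": "uploads/report.csv"}
SAMPLE_BODY = json.dumps({
    "message": {
        "attributes": {
            "eventType": "OBJECT_FINALIZE",
            "bucketId": "example-bucket",
            "objectId": "uploads/report.csv",
        },
        "data": base64.b64encode(json.dumps(SAMPLE_OBJECT).encode("utf-8")).decode("ascii"),
        "messageId": "1",
    },
    "subscription": "projects/example-project/subscriptions/gcs-push",
})
SAMPLE_URL = "https://example-project.appspot.com/_ah/push-handlers/gcs?token=" + PUSH_TOKEN

if __name__ == "__main__":
    print(handle_push(SAMPLE_URL, SAMPLE_BODY))
    print(handle_push(SAMPLE_URL.replace(PUSH_TOKEN, "wrong-token"), SAMPLE_BODY))
```

The comparison is done with hmac.compare_digest rather than == so that a wrong token is rejected in constant time, and the token check runs before the body is parsed so that unauthenticated callers cannot make the endpoint do any decoding work. Because the token travels in the URL, the endpoint must be HTTPS only and the URL should be kept out of request logs that are widely readable.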

Related

How to enable Cloud Pub/Sub API to use it in App Engine

You want to send and consume Cloud Pub/Sub messages from your App Engine application. The Cloud Pub/Sub API is currently disabled. You will use a service account to authenticate your application to the API. You want to make sure your application can use Cloud Pub/Sub. What should
you do?
A. Enable the Cloud Pub/Sub API in the API Library on the GCP Console.
B. Rely on the automatic enablement of the Cloud Pub/Sub API when the Service Account accesses it.
C. Use Deployment Manager to deploy your application. Rely on the automatic enablement of all APIs used by the application being deployed.
D. Grant the App Engine Default service account the role of Cloud Pub/Sub Admin. Have your application enable the API on the first connection to Cloud Pub/Sub.
I realized that if I build an app that uses Pub/Sub, it works without manually enabling the Pub/Sub API. But I couldn't find anything in the documentation about that. Which is the correct answer?
You want to send and consume Cloud Pub/Sub messages from your App Engine application. The Cloud Pub/Sub API is currently disabled. You will use a service account to authenticate your application to the API. You want to make sure your application can use Cloud Pub/Sub. What should you do?
Let's analyze each possible answer to determine the best answer.
A. Enable the Cloud Pub/Sub API in the API Library on the GCP Console.
This is a possible answer. The standard method is to enable services in the Google Cloud Console. You can also enable services with the Cloud SDK CLI: gcloud services enable pubsub.googleapis.com
B. Rely on the automatic enablement of the Cloud Pub/Sub API when the Service Account accesses it.
This is not a possible answer. Google Cloud services are not automatically enabled when the service account accesses them. First, service accounts do not access APIs. Service accounts are used to obtain an OAuth Access Token (or Identity Token). These tokens are used to authorize API calls. Services are not automatically enabled when an API is first accessed.
C. Use Deployment Manager to deploy your application. Rely on the automatic enablement of all APIs used by the application being deployed.
This is not a possible answer. Deployment Manager does not automatically enable services. You can use Deployment Manager Resource Types to enable services. You must create a virtual resource for each API that you want enabled.
D. Grant the App Engine Default service account the role of Cloud Pub/Sub Admin. Have your application enable the API on the first connection to Cloud Pub/Sub.
This is not a possible answer. Cloud Pub/Sub Admin does not have permissions to enable services. To enable services the service account (or User Account) will need roles/serviceusage.serviceUsageAdmin or another role with the permission serviceusage.services.enable.
Drumroll Please ....
Therefore the best answer is A in my opinion.

API to register verified domain with Google cloud project to subscribe for pub/sub topic

I'm looking for a way to create a push subscription to a Pub/Sub topic fully from code. I managed to verify the domain with the Domain Verification API, but I cannot find an API to register the domain with a project. The only way described here https://cloud.google.com/pubsub/advanced#register is with interactive use of the console.
You can create a push subscriber from code using the create subscription API (or the gRPC version). When the PushConfig parameter is provided, where you specify the push endpoint, the subscription is set up as a push subscription.
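Creating the push subscription through the REST form of that API, as an added example that is not part of the original answer and not Google's own client code: the resource body carries pushConfig.pushEndpoint, which is what makes it a push subscription, and the helper appends a shared secret to the endpoint URL so the receiving handler can verify deliveries. The project, subscription, topic and endpoint names are constructed; access_token is assumed to be an OAuth2 bearer token for a principal holding pubsub.subscriptions.create on the project and pubsub.topics.attachSubscription on the topic. The opener argument is injectable only so the request can be exercised without network access.

```python
import json
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse


def build_push_subscription(project, subscription, topic, push_endpoint,
                            token=None, ack_deadline_seconds=10):
    """Build the Subscription resource for projects.subscriptions.create.

    The pushConfig.pushEndpoint field turns this into a push subscription.
    The endpoint must be HTTPS; an optional shared secret is appended as a
    ?token= query parameter so the endpoint can check it on every delivery.
    """
    parts = urlparse(push_endpoint)
    if parts.scheme != "https":
        raise ValueError("push endpoint must use https: %s" % push_endpoint)
    if token:
        query = dict(parse_qsl(parts.query))
        query["token"] = token
        parts = parts._replace(query=urlencode(query))
    return {
        "name": "projects/%s/subscriptions/%s" % (project, subscription),
        "topic": "projects/%s/topics/%s" % (project, topic),
        "pushConfig": {"pushEndpoint": urlunparse(parts)},
        "ackDeadlineSeconds": ack_deadline_seconds,
    }


def create_subscription(body, access_token, opener=urllib.request.urlopen):
    """PUT the resource to the Pub/Sub v1 REST API and return the JSON reply.

    subscriptions.create is a PUT on the subscription's own resource name.
    `opener` defaults to urllib.request.urlopen; a fake can be passed in
    for offline testing.
    """
    url = "https://pubsub.googleapis.com/v1/" + body["name"]
    request = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="PUT",
        headers={
            "Authorization": "Bearer " + access_token,
            "Content-Type": "application/json",
        },
    )
    with opener(request) as response:
        return json.loads(response.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed names; the token would normally come from a secret store.
    resource = build_push_subscription(
        "example-project", "gcs-push", "gcs-events",
        "https://example-project.appspot.com/_ah/push-handlers/gcs",
        token="example-secret-token")
    print(json.dumps(resource, indent=2))
```

The HTTPS check matters because the shared secret rides in the URL: an http:// endpoint would expose it to anyone on the path. Keeping the secret out of the topic and subscription names, and only in pushConfig, also keeps it out of most listings and logs.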

How to authenticate server-to-server interactions in Google Cloud Endpoints?

I'm implementing an appengine cloud endpoint that only a Jenkins instance that I own should have access to. Based on the documentation I've read, server-to-server interactions should use service accounts, but I could only find how to set this up for Google APIs.
From what I understand, Google Cloud Endpoints, even with CLIENT_IDs set, still need a user.
What is the correct approach to accomplish this?
Thanks!

Can I use google service accounts to authenticate INCOMING requests?

We currently have an App Engine application plus some Google Compute Engine backends. Unfortunately App Engine is not considered "in-network", so in order for App Engine to make requests to backend servers, the relevant ports must be made publicly available in the firewall, which is obviously a security risk. It would be very convenient if our App Engine app could automatically "sign" all requests to our backends by using a service account client to issue the requests. Is this possible?
And likewise, I'd love to also do this in the other direction, where requests from our GCE servers could be authenticated by App Engine as long as the requests are issued from a GCE service account. I naively tried the latter by issuing a request from GCE to a test handler on app engine that checks the current user (via the Users service) but unsurprisingly the user was null (since "users" and "service accounts" aren't exactly the same I didn't expect this to work - but hey worth a shot).
There's a fair amount of info on the web for issuing service-account-authenticated requests (e.g. to google APIs) but I can't find anything on authenticating incoming requests. Does such a thing exist? (ideally in Go)
There is a new feature coming out soon called Managed VMs. You can click on the following link for more details and signup for updates https://developers.google.com/cloud/managed-vms.

Reading a users gmail in Google app engine app

I am the admin of a Google domain and I need to be able to read users' emails in my PHP app. How is this possible? I have tried to use IMAP but it won't even connect. Is there something special that apps have to do?
Here is a list of all the ways to read a user's Gmail mailbox, outside of App Engine:
IMAP, as you said. Provided it is enabled on your domain. Most of our customers disable it for security reasons (no audit trace of the connections).
Apps Script, but it requires the user's consent, even if you're an admin.
The Email Audit API, but an email extraction takes approximately 2 weeks (no kidding).
If IMAP is enabled on your domain, then it's the best choice. However, by default GAE does not allow outgoing connections apart from HTTP requests. The workaround for this limitation is the Sockets API, currently in preview. You can check it out here.
Note that you will also need to use an OAuth2 service account (domain-wide delegation) and IMAP-XOAuth2 to authenticate with the IMAP protocol.
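The IMAP-XOAUTH2 step from the answer above, as an added example that is not part of the original post and not Google's own code: it builds the SASL XOAUTH2 initial response, obtains a delegated access token for the target user, and authenticates an IMAP-over-TLS session. The user address and token values are constructed; delegated_access_token assumes the google-auth package is installed and that the service account's client ID has been granted the https://mail.google.com/ scope under domain-wide delegation. The imap_factory argument is injectable only so the flow can be exercised without a live server.

```python
import imaplib

GMAIL_IMAP_HOST = "imap.gmail.com"
GMAIL_IMAP_PORT = 993
MAIL_SCOPE = "https://mail.google.com/"   # full-mailbox scope that IMAP requires


def xoauth2_sasl(user, access_token):
    """Initial client response for SASL XOAUTH2.

    Format: "user=" user ^A "auth=Bearer " token ^A ^A, where ^A is 0x01.
    imaplib base64-encodes this before sending it to the server.
    """
    return ("user=%s\x01auth=Bearer %s\x01\x01" % (user, access_token)).encode("ascii")


def delegated_access_token(key_file, user):
    """Mint an access token for `user` via domain-wide delegation.

    Assumes google-auth and a service-account key file whose client ID has
    been authorized for MAIL_SCOPE in the Admin console (assumption, not
    something the original answer shows).
    """
    from google.oauth2 import service_account
    from google.auth.transport.requests import Request

    credentials = service_account.Credentials.from_service_account_file(
        key_file, scopes=[MAIL_SCOPE]).with_subject(user)
    credentials.refresh(Request())
    return credentials.token


def open_mailbox(user, access_token, host=GMAIL_IMAP_HOST, port=GMAIL_IMAP_PORT,
                 imap_factory=imaplib.IMAP4_SSL):
    """Connect over TLS and authenticate with XOAUTH2; returns the connection.

    The callback is first invoked with an empty challenge and answers with
    the SASL string. If the server instead sends a base64 JSON error
    challenge, replying with an empty line lets it finish with NO, which
    imaplib surfaces as IMAP4.error.
    """
    conn = imap_factory(host, port)

    def respond(challenge):
        return xoauth2_sasl(user, access_token) if not challenge else b""

    try:
        conn.authenticate("XOAUTH2", respond)
    except imaplib.IMAP4.error as exc:
        conn.shutdown()
        raise RuntimeError("XOAUTH2 authentication failed for %s: %s" % (user, exc))
    return conn


if __name__ == "__main__":
    # Constructed values; a real run needs a key file and a delegated user.
    print(xoauth2_sasl("alice@example.com", "ya29.example-token"))
```

Two points worth noting from the defender's side: the access token is scoped to a single mailbox via with_subject, so the key file that can mint it is effectively an admin credential and must be protected like one; and because IMAP logins made this way carry the service account's client ID, the delegated access shows up in the Workspace login audit logs even though ordinary IMAP connections leave little trace.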
