Authentication into a service from a service account
Configuration
For Cloud Run, the `managed_by` handler configures the Cloud Run resources. On Staging, the following metadata is used:
| Type | Config | Description |
|---|---|---|
| Authentication | `--no-allow-unauthenticated` | Requires IAM authentication on every request |
| Ingress | `all` | Ingress allowed from all sources |
For the calling service account, the required role is `roles/run.invoker`.
This configuration uses Google's custom audiences method for Cloud Run services.
Verifying custom audiences

Get an ID token for a service account that has IAM permission to invoke the service. Note the use of the custom audience AUDIENCE.
```shell
declare SERVICE_ACCOUNT_EMAIL=<RUNNER>@$PROJECT_ID.iam.gserviceaccount.com
# The variable must be expanded with "$"; passing the bare name fails.
export TOKEN=$(gcloud auth print-identity-token --impersonate-service-account "$SERVICE_ACCOUNT_EMAIL" --audiences='AUDIENCE')
```

For example, for the `sa-techies` runner on Staging:

```shell
gcloud auth print-identity-token --impersonate-service-account sa-techies@$PROJECT_ID.iam.gserviceaccount.com --audiences='https://staging-inno-notification-2yrayayjeq-as.a.run.app'
```
Replace:

- `SERVICE_ACCOUNT_EMAIL` with the email of the service account. It ends with `.iam.gserviceaccount.com`.
- `AUDIENCE` with the custom audience value that you set on the service.

Call the endpoint of the service with that ID token:
```shell
# Token minted with the custom audience set on the service
curl -H "Authorization: Bearer $(gcloud auth print-identity-token --impersonate-service-account sa-techies@$PROJECT_ID.iam.gserviceaccount.com --audiences='https://staging-inno-notification-2yrayayjeq-as.a.run.app')" \
  https://staging-inno-notification-2yrayayjeq-as.a.run.app

# Token minted without --audiences
curl -H "Authorization: Bearer $(gcloud auth print-identity-token --impersonate-service-account sa-techies@$PROJECT_ID.iam.gserviceaccount.com)" \
  https://staging-inno-notification-2yrayayjeq-as.a.run.app

# Using the token exported into $TOKEN above (never paste a literal token into docs or scripts)
curl -H "Authorization: Bearer $TOKEN" "https://staging-inno-notification-2yrayayjeq-as.a.run.app"
```
In the commands above, replace the Staging `.run.app` URL with the endpoint of your own service, for example its custom domain or `.run.app` URL.
Confirm that the request is authorized and that you see the expected response from your service.
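When the curl above is rejected, the first thing to rule out is a token whose claims do not match what the service expects. The following pre-flight check is an added example, not part of this page or of Google's tooling: it decodes the claims of the ID token minted with `gcloud auth print-identity-token` and confirms the custom audience, issuer, runner service account and expiry. It does not verify the signature (Cloud Run's IAM front end does that), and the sample-token builder and `example-project` id used in testing are constructed placeholders.

```python
import base64
import json
import time
from typing import Optional

# Issuer values Google uses in ID tokens (both forms appear in practice).
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT checking its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_id_token(token: str, audience: str, runner_email: str,
                   now: Optional[float] = None) -> dict:
    """Pre-flight checks on a minted ID token before calling the Cloud Run service.

    Cloud Run's IAM front end verifies the signature and enforces roles/run.invoker;
    this only confirms the token we minted carries the claims that front end reads.
    """
    claims = decode_claims(token)
    now = time.time() if now is None else now
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    return {
        "audience_ok": audience in auds,  # the custom audience passed to --audiences
        "issuer_ok": claims.get("iss") in GOOGLE_ISSUERS,
        "runner_ok": (claims.get("email") == runner_email
                      and claims.get("email_verified") is True),
        "not_expired": float(claims.get("exp", 0)) > now,
    }


def make_sample_token(claims: dict) -> str:
    """Build an UNSIGNED sample token for offline testing (constructed, not issued by Google)."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.unsigned-sample"
```

Run `check_id_token` on the value of `$TOKEN` with the service URL and runner email; all four results should be true before the curl is attempted, and a false `audience_ok` usually means `--audiences` was omitted or does not match the custom audience set on the service.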
Trigger CloudBuild
Required roles
Ref: https://cloud.google.com/build/docs/iam-roles-permissions
Source Reference
For Cloud Run:
https://cloud.google.com/run/docs/authenticating/overview
https://cloud.google.com/sdk/gcloud/reference/run/deploy
https://cloud.google.com/run/docs/authenticating/service-to-service
https://cloud.google.com/compute/docs/instances/verifying-instance-identity#token_format