Unable to protect Cloud Run with cloud.run.invoker permission - google-cloud-platform

I have deployed a simple Cloud Run service with Flask and I want to limit access to logged-in GCP users only.
I have set the "Require authentication" option and added the cloud.run.invoker permission to myself, but I can't access the webserver.
However, if I make a curl request with the Authorization Bearer in it, I can see the HTML of the page. What am I missing in order to see the page in the explorer? I know you could do this with a load balancer but I prefer not to.
My objective is to allow GCP logged-in users to access a page hosted in Cloud Run.

For this to work from the browser directly, you'll need to have an extension or something similar that will modify the HTTP request to add the header, much like what you're achieving with curl. This extension may be useful for your use-case.
This is mentioned in GCP documentation right here, just at the bottom of the page.
However, this is not ideal, and if you want to authenticate any user coming in from GCP (i.e. an internal user), refer to this doc. You can make use of Identity Aware Proxy to create an internal app that any user logged in and given permissions through GCP is going to be able to access.

Related

Okta deep link to page in AWS Console

I'm using Okta as my identity provider to get access to my AWS accounts. I can get links to log in to the default console page with the different roles which I have set up.
I want to be able to create deep links to specific pages in the AWS console. For example, a deep link to a CloudWatch dashboard for a specific account and role. Anyone with the appropriate permissions in Okta should be able to use this link to go directly to that page.
Is there an integration that provides this out of the box? Any docs that can help me set this up?
I initially thought this would be something super common and easy... All I have found is this blog post with expired links https://aws.amazon.com/blogs/security/how-to-use-saml-to-automatically-direct-federated-users-to-a-specific-aws-management-console-page/
You should be able to put your AWS console URL as urlEncoded_RelayState in the following:
https://{{oktaDomain}}/sso/idps/{{idpId}}?fromURI={{urlEncoded_IDPLoginURL?RelayState={{urlEncoded_RelayState}}}}
https://support.okta.com/help/s/article/SSO-into-SAML-app-with-RelayState-via-OpenID-Connect-Identity-Provider?language=en_US
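The nested encoding in the template above is easy to get wrong: the console URL is encoded once as RelayState, and the whole inner login URL is then encoded again as fromURI. This added example (not code from the answer or from Okta) builds the link that way and decodes it back to check the deep link survives both layers; the Okta domain, IdP id and IdP login URL are constructed placeholders.

```python
"""Build an Okta IdP-routing URL with a nested RelayState, then verify it
round-trips. Added example; oktaDomain, idpId and the IdP login URL are
placeholders, not values from any real tenant."""
from urllib.parse import parse_qs, quote, urlsplit


def okta_deep_link(okta_domain: str, idp_id: str,
                   idp_login_url: str, console_url: str) -> str:
    """Follow the answer's template:
    https://{oktaDomain}/sso/idps/{idpId}?fromURI={enc(loginURL?RelayState={enc(console)})}

    Layer 1: the console URL is percent-encoded as the RelayState value.
    Layer 2: the whole inner URL (with the already-encoded RelayState) is
    percent-encoded again as the fromURI value, so '%' becomes '%25'."""
    relay_state = quote(console_url, safe="")          # layer 1
    inner = f"{idp_login_url}?RelayState={relay_state}"
    from_uri = quote(inner, safe="")                   # layer 2
    return f"https://{okta_domain}/sso/idps/{idp_id}?fromURI={from_uri}"


def relay_state_from(link: str) -> str:
    """Peel both layers off and return the console URL carried in RelayState.
    parse_qs percent-decodes each layer as it extracts the parameter."""
    from_uri = parse_qs(urlsplit(link).query)["fromURI"][0]
    return parse_qs(urlsplit(from_uri).query)["RelayState"][0]


if __name__ == "__main__":
    # Constructed placeholder values for a local dry run.
    link = okta_deep_link(
        "example.okta.com", "0oaPLACEHOLDERidp",
        "https://idp.example.com/sso/saml",
        "https://console.aws.amazon.com/cloudwatch/home?region=us-east-1#dashboards:name=prod",
    )
    print(link)
    print(relay_state_from(link))
```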

Access Cloud Run URL for GCP authenticated users

Using IAM, is there any simple way to let a GCP console logged-in user access a Cloud Run URL?
The idea here is to have a lightweight way to protect the access to some URLs for people who are already logged in to the console.
So I don't want the world to have access, only my GCP users.
It seems that the options are either:
Set up IAP for Cloud Run => costly (load balancer) and not exactly simple
Set up the container to require authentication, generate a token from the console, use a browser extension and inject the said token on each request.
Note: I tried to set up a container as allowing non-authenticated calls but removing the allUsers principal from the Invoker role and sticking to a particular email address. The URL ended up still being available to non-authenticated browsers.
Seems like a very simple use case but unless I am missing something, the options are all over-the-top.
Thanks,
Maybe this might work for you (I don't necessarily know if it's the best architecture).
Deploy Cloud Run and ONLY allow for authenticated invocation.
Create a very simple GAE project. Add login: required to app.yaml so that anyone trying to load the app is forced to log in.
Your GAE code can then invoke the Cloud Run endpoint. Your code will generate a token and include it as a header when making the call to the Cloud Run endpoint. See this documentation.
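As an added illustration of the last step (this is not the answerer's code and not Google's client library): the GAE side can mint a Google-signed ID token for the Cloud Run service from the metadata server and forward the request with it as a bearer token. The audience must be the service's root URL, which is the check Cloud Run performs on the token's aud claim; the service URL and the opener injection are constructed for this example.

```python
"""Server-side proxy from App Engine to an authenticated Cloud Run service.
Added example: standard library only; the opener parameter exists so the
metadata call can be faked offline."""
import urllib.parse
import urllib.request

# Metadata-server endpoint that issues an ID token for the runtime service
# account (App Engine, Cloud Run, GCE). The audience query parameter sets
# the token's aud claim, which Cloud Run compares against the service URL.
METADATA_IDENTITY_URL = (
    "http://metadata.google.internal/computeMetadata/v1/"
    "instance/service-accounts/default/identity"
)


def audience_for(service_url: str) -> str:
    """Reduce a Cloud Run URL (possibly with path or query) to its origin.
    A token minted for a deep path is rejected by Cloud Run."""
    parts = urllib.parse.urlsplit(service_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"expected an https Cloud Run URL, got {service_url!r}")
    return f"{parts.scheme}://{parts.netloc}"


def fetch_id_token(audience: str, opener=urllib.request.urlopen) -> str:
    """Ask the metadata server for an ID token whose aud is `audience`."""
    query = urllib.parse.urlencode({"audience": audience})
    req = urllib.request.Request(
        f"{METADATA_IDENTITY_URL}?{query}",
        headers={"Metadata-Flavor": "Google"},  # mandatory for the metadata server
    )
    with opener(req, timeout=5) as resp:
        return resp.read().decode()


def call_cloud_run(service_url: str, opener=urllib.request.urlopen) -> bytes:
    """Forward a GET to the protected service with the ID token as bearer."""
    token = fetch_id_token(audience_for(service_url), opener)
    req = urllib.request.Request(
        service_url, headers={"Authorization": f"Bearer {token}"}
    )
    with opener(req, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    # Only works when running inside GCP; the URL is a constructed placeholder.
    print(call_cloud_run("https://my-service-abc123-uc.a.run.app/").decode())
```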

Twitter callback not working with Cloud Run

I'm trying to create a website to make F1 predictions with Flask.
We started developing in Heroku, and the Twitter API is already configured; you can check
https://demoflaskdance.herokuapp.com/
But now we are moving to Cloud Run as Heroku does not support pyodbc. We deployed our project, with the same code, and added the URLs to apps.twitter.com, but when trying to log in with the link that Google provided https://demo-flask-dance-kjomqyaifq-ew.a.run.app
we get an error that says the URL is not authorized.
Any help? Thanks
If your Cloud Run application does not require authenticated access, enable public access.
Go to the Google Cloud Console.
Select the service you want to make public.
Click Show Info Panel in the top right corner to show the Permissions tab.
In the Add members field, enter allUsers.
Select the Cloud Run Invoker role from the Select a role drop-down menu.
Click Add.
Allowing public (unauthenticated) access
If you require authenticated access see this document:
Authentication overview

Is there any way to host a public static website in GCP Cloud Storage and protect it using a username and password?

GCP seems to allow you to delegate Cloud Storage authentication via IAM and that's great but you're only able to ever get a single file at a time using that method.
What I mean is, if I gave permissions to a user to have 'Storage Object Viewer' Role to a folder in a bucket, then a user would be able to browse to a single file (let's say an .html file) using https://storage.cloud.google.com/bucket-name/folder-name/filename and display that, but if that .html file contains .css or other files it needs the user to download then those all return 404 not found errors.
It seems that whatever token is obtained upon authentication is only valid for the retrieval of the single file that was requested before the token was created.
How does one host a static website, with some form of authentication in GCP Cloud Storage?
I did see a question similar to this asked over 5 years ago and thought GCP has changed considerably since then so that's why I'm re-asking.
Edit: Ok, let's assume I'm okay with public read-only access to bucket contents, and instead I'm going to focus on securing the GCP Cloud Functions which make the changes.
Now, I've enabled authentication on the GCP functions and used OAuth ID Token. The issue is now CORS. Any calls made to the GCP functions need a CORS access-control-allow-origin header, but that header does not get returned until AFTER the authentication.
Anybody know how to enable CORS on GCP Cloud Functions before any authentication takes place?
Thanks!
You can host your static files on App Engine. The content is served for free!
In front of App Engine, you can activate IAP.
Finally, grant your user (or groups, or Google Workspace domains) the role IAP-Secured Web App User.

Connecting to VPC-based Kibana using AWS Cognito

I'm a beginner to AWS and a bit confused regarding the AWS Cognito system.
I have an AWS Elasticsearch service behind a VPC. I'm trying to access the Kibana endpoint using AWS Cognito, but when I navigate to the login screen I see a blank page.
Is what I'm trying to do feasible, or do I need to VPN first into the VPC in order to get to the login screen? If so, how can I grant public users access to Kibana (without the trouble of a VPN)? Would a better solution be to have a reverse proxy point to Kibana and couple this with AWS Cognito? Thanks for your help.
Note: I'm using Elasticsearch 6.2
I had the same output while I was setting up the same setup but don't remember exactly which stage solved it.
At this stage it looks like you already set your access policy to use the Cognito role, otherwise you wouldn't end up on the Cognito login page (even though blank for now).
I would check the identity provider config on the Cognito User Pool App client settings:
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-cognito-auth.html#es-cognito-auth-identity-providers
It wasn't linked to a lack of access (i.e. no VPN) or a missing UI customization, and it's definitely achievable.
Let me know if you want me to look deeper into it.
EDIT: when I go directly to the domain URL of my Cognito pool (i.e. https://yourdomain.auth.your-region.amazoncognito.com) I still get a blank page. It's only when going to the protected application (Kibana) that the login page is filled in (probably linked to the above app client settings).
I created a wiki page in my GitHub Repo because I did this EXACT (Public ESS and Cognito) same thing over the last couple days. You can get the info HERE and I hope it helps clear things up!