Access Cloud Run URL for GCP authenticated users - google-cloud-platform

Using IAM, is there any simple way to let a GCP console logged in user to access a Cloud Run URL?
The idea here is to have a lightweight way to protect the access to some URLs for people who are already logged in to the console.
So I don't want the world to have access, only my GCP users.
It seems that the options are either:
Set up IAP for Cloud Run => costly (load balancer) and not exactly simple
Set up the container to require authentication, generate a token from the console, use a browser extension and inject the said token on each request.
Note: I tried to set up a container as allowing non-authenticated calls but removing the allUsers principal from the Invoker role and sticking to a particular email address. The URL ended up still being available to non-authenticated browsers.
Seems like a very simple use case but unless I am missing something, the options are all over-the-top.
Thanks,

Maybe this might work for you (don't necessarily know if it's the best architecture)
Deploy Cloud Run and ONLY allow for authenticated invocation
Create a very simple GAE project. Add login: required to app.yaml so that anyone trying to load the app is forced to login
Your GAE code can then invoke the cloud run endpoint. Your code will generate a token and include it as a header when making the call to the cloud run endpoint. See this documentation

Related

Unable to protect Cloud Run with cloud.run.invoker permission

I have deployed a simple Cloud Run service with Flask and I want to limit the access to logged-in users in GCP only.
I have set the "Require authentication" option and added the cloud.run.invoker permission to myself, but I can't access the webserver.
However, if I make a curl request with the Authorization Bearer in it, I can see the HTML of the page. What am I missing in order to see the page in the explorer? I know you could do this with a load balancer but I prefer not to.
My objective is to allow GCP logged-in users to access a page hosted in Cloud Run.
For this to work from the browser directly, you'll need to have an extension or something similar that will modify the HTTP request to add the header, much like what you're achieving with curl. This extension may be useful for your use-case.
This is mentioned in GCP documentation right here, just at the bottom of the page.
However this is not ideal, and if you want to authenticate any user coming in from GCP (i.e. an internal user), refer to this doc. You can make use of Identity Aware Proxy to create an internal app that any user logged in and given permissions through GCP is going to be able to access.
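Both Cloud Run threads above come down to the same mechanism: a Google-signed ID token sent as `Authorization: Bearer` to a service that only allows authenticated invocation. As an added example (not code from either answer), here is the server-side variant from the first answer, an App Engine handler behind `login: required` that calls the private service; CLOUD_RUN_URL is a constructed placeholder and the runtime's service account is assumed to hold the invoker role on the target service.

```python
# Added example (not code from either answer above): a server-side proxy, e.g.
# an App Engine handler behind `login: required`, that calls an authenticated
# Cloud Run service with a Google-signed ID token in the Authorization header.
# Assumptions: CLOUD_RUN_URL is a constructed placeholder; the runtime's own
# service account holds roles/run.invoker on the target service.
import urllib.request
from typing import Callable, Tuple

CLOUD_RUN_URL = "https://my-service-abc123-uc.a.run.app"  # placeholder, bare service URL


def fetch_id_token(audience: str) -> str:
    """Mint an ID token for `audience` from the runtime's own credentials.
    Imports are lazy so the rest of the module is unit-testable without the
    google-auth package or network access (a stub fetcher is injected instead)."""
    from google.auth.transport.requests import Request
    from google.oauth2 import id_token
    return id_token.fetch_id_token(Request(), audience)


def build_authorized_request(audience: str, path: str = "/",
                             token_fetcher: Callable[[str], str] = fetch_id_token
                             ) -> urllib.request.Request:
    """Build the same request curl sends: Bearer <id token> for the service URL.
    The audience must be the bare service URL (no path); a token minted for a
    different audience is rejected by Cloud Run even for a valid invoker."""
    audience = audience.rstrip("/")
    token = token_fetcher(audience)
    url = audience + "/" + path.lstrip("/")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


def proxy_to_cloud_run(path: str,
                       opener: Callable = urllib.request.urlopen,
                       token_fetcher: Callable[[str], str] = fetch_id_token
                       ) -> Tuple[int, bytes]:
    """Forward `path` to the private service and return (status, body).
    Call this from the App Engine handler after GAE has enforced the login."""
    req = build_authorized_request(CLOUD_RUN_URL, path, token_fetcher)
    with opener(req) as resp:
        return resp.status, resp.read()
```

Note that Cloud Run then sees the proxy's service account, not the end user, so per-user IAM on the service is lost and the only gate is the App Engine login; the browser-extension approach keeps the user's own identity on the request.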

Limit Cloud Function to a domain without using balancer?

I have a Cloud Function which I want to secure by allowing only access from my domain to all users. I have been exploring this for days.
Google seems to limit many options and instead you are forced to buy and use more products; for example, for this you need a Network Balancer, which is a great product but a monster for smaller businesses, and not everyone needs it (or wants to pay for it).
So, how do you secure a Function on the Console, without IAM (no sign-in needed), to only allow calls from a certain domain before you expand to a Balancer?
I do see that Google has something called Organization policies for projects which are supposed to restrict a domain, but the docs are not clear and outdated (they indicate a UI that doesn't exist).
I know that Firebase has the Anonymous User, which allows a Function to check a Google ID of an anonymous user, but everything online is a Firebase thing, and there is no explanation anywhere of how to do this using a normal Function with Python.
EDIT
I do use Firebase Hosting, but my Function is Python and it's handled from the GCP, not a Firebase Function.
Solved: you can use API Gateway with an API key, restrict the key to your domain only, and upload a config with your Function URL, so you access it with an API URL + key, and nobody else can just run it.
See here: Cloud API Gateway doesn't allow with CORS
I wish I could connect it to a domain as well, but we can't; Google seems to want everyone to use the expensive Balancer, or Firebase (charged in this case on a Function use for every website visit).

Is there any way to host a public static website in GCP Cloud Storage and protect it using a username and password?

GCP seems to allow you to delegate Cloud Storage authentication via IAM and that's great but you're only able to ever get a single file at a time using that method.
What I mean is, if I gave permissions to a user to have 'Storage Object Viewer' Role to a folder in a bucket, then a user would be able to browse to a single file (let's say an .html file) using https://storage.cloud.google.com/bucket-name/folder-name/filename and display that, but if that .html file contains .css or other files it needs the user to download then those all return 404 not found errors.
It seems that whatever token is obtained upon authentication is only valid for the retrieval of the single file that was requested before the token was created.
How does one host a static website, with some form of authentication in GCP Cloud Storage?
I did see a question similar to this asked over 5 years ago and thought GCP has changed considerably since then so that's why I'm re-asking.
Edit: Ok, let's assume I'm okay with public read-only access to bucket contents, and instead I'm going to focus on securing the GCP Cloud Functions which make the changes.
Now, I've enabled authentication on the GCP functions and used OAuth ID Token. The issue is now CORS. Any calls made to the GCP functions need a CORS access-control-allow-origin header, but that header does not get returned until AFTER the authentication.
Anybody know how to enable CORS on GCP Cloud Functions before any authentication takes place?
Thanks!
You can host your static files on App Engine. The content is served for free!
In front of App Engine, you can activate IAP.
Finally, grant your user (or groups, or Google Workspace domains) the role IAP-Secured Web App User.
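The edit to the question above asks how to get CORS headers back before authentication, which the IAM invoker check cannot do because the browser's preflight carries no credentials. As an added example (not code from the question or the answer), here is the pattern where the function answers the preflight itself and verifies the caller's ID token in code; it assumes the function is invokable by allUsers at the IAM level so the OPTIONS request reaches the code at all, and ALLOWED_ORIGIN, ALLOWED_DOMAIN and FUNCTION_URL are constructed placeholders.

```python
# Added example, not from the thread: a Python HTTP Cloud Function that answers
# the CORS preflight without credentials and verifies a Google ID token on every
# other request. Assumption: the function is invokable by allUsers at the IAM
# level (otherwise the browser's OPTIONS request, which never carries
# Authorization, is rejected before this code runs), so the checks below are
# what keep it private. ALLOWED_ORIGIN, ALLOWED_DOMAIN and FUNCTION_URL are
# constructed placeholders.
from typing import Callable, Dict, Tuple

ALLOWED_ORIGIN = "https://www.example.com"     # the static site's origin
ALLOWED_DOMAIN = "example.com"                 # Workspace domain allowed to call
FUNCTION_URL = "https://REGION-PROJECT.cloudfunctions.net/update"  # token audience

CORS_HEADERS = {
    "Access-Control-Allow-Origin": ALLOWED_ORIGIN,   # never "*" when auth is involved
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "Authorization, Content-Type",
    "Access-Control-Max-Age": "3600",
    "Vary": "Origin",
}


def google_verify(token: str) -> dict:
    """Verify signature, expiry, issuer and audience of a Google ID token.
    The lazy import keeps the handler testable without google-auth or network."""
    from google.auth.transport.requests import Request
    from google.oauth2 import id_token
    return id_token.verify_oauth2_token(token, Request(), FUNCTION_URL)


def handle(method: str, headers: Dict[str, str],
           verify: Callable[[str], dict] = google_verify) -> Tuple[int, dict, str]:
    """Framework-neutral handler returning (status, headers, body); in the real
    function, unpack it into Flask's (body, status, headers) return order."""
    if method == "OPTIONS":
        return 204, CORS_HEADERS, ""           # preflight: no auth possible here
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, CORS_HEADERS, "missing bearer token"
    try:
        claims = verify(auth[len("Bearer "):])
    except Exception:                          # ValueError / GoogleAuthError
        return 401, CORS_HEADERS, "invalid token"
    email = claims.get("email", "")
    if not claims.get("email_verified") or not email.endswith("@" + ALLOWED_DOMAIN):
        return 403, CORS_HEADERS, "forbidden"  # valid Google account, wrong domain
    return 200, CORS_HEADERS, f"ok: {email}"
```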

Using Google Cloud KMS on behalf of user

I have a CLI tool that interacts with Google KMS. In order for it to work, I fetch the user credentials as a JSON file which is stored on disk. Now a new requirement came along. I need to make a web app out of this CLI tool. The web app will be protected via Google Cloud IAP. Question is, how do I run the CLI tool on behalf of the authenticated user?
You don't. Better to use a service account and assign the required role. That service account could still have domain-wide delegation of rights (able to impersonate just any user, which is known).
Running CLI tools from a web application probably also could/should be avoided. It might be better to convert this CLI tool into a Cloud Function and then call it via HTTP trigger from within the web application (so that access to the service account is limited as far as possible).
This might also be something to reconsider, security-wise:
I fetch the user credentials as a JSON file which is stored on disk.
Even if it might have been required, with a service account it wouldn't be.

Connecting to VPC-based Kibana using AWS Cognito

I'm a beginner to AWS and a bit confused regarding the AWS Cognito system.
I have an AWS Elasticsearch service behind a VPC. I'm trying to access the Kibana endpoint using AWS Cognito, but when I navigate to the login screen I see a blank page.
Is what I'm trying to do feasible, or do I need to VPN first into the VPC in order to get to the login screen? If so, how can I grant public users access to Kibana (without the trouble of a VPN)? Would a better solution be to have a reverse proxy point to Kibana and couple this with AWS Cognito? Thanks for your help.
Note: I'm using Elasticsearch 6.2
I had the same output while I was setting up the same setup but don't remember exactly which stage solved it.
At this stage it looks like you already set your access policy to use the Cognito role, otherwise you wouldn't end up on the Cognito login page (even though blank for now).
I would check the identity provider config on the Cognito User Pool App client settings:
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-cognito-auth.html#es-cognito-auth-identity-providers
It wasn't linked to a lack of access (ie. no VPN) or a missing UI customization and it's definitely achievable.
Let me know if you want me to look deeper into it.
EDIT: when I go directly to the domain URL of my Cognito pool (i.e. https://yourdomain.auth.your-region.amazoncognito.com) I still get a blank page. It's only when going to the protected application (Kibana) that the login page is filled in (probably linked to the above app client settings).
I created a wiki page in my GitHub repo because I did this EXACT same thing (public ESS and Cognito) over the last couple of days. You can get the info HERE and I hope it helps clear things up!