I am developing an application where i have hosted the frontend in cloud run: public access, no authentication
Another cloud run service has the backend. This requires authentication and is not open to public.
Ofcourse, if I disable authentication on backend service, everything works smoothly.
Is it possible to access the backend with authentication enabled from the frontend cloud run service?
Both the services are in the same serverless VPC.
As captured in the official doc, frontend can securely and privately invoke backend by leveraging the Invoker IAM role:
Grant the service account of frontend the Cloud Run Invoker IAM role.
When you issue request from frontend to backend, you must attach an identity token to the request, see here for code examples
To connect two Cloud Run applications privately, you need to obtain an identity token, and add it to the Authorization header of the outbound request of the target service. You can find documentation and examples here.
For Cloud Run service A (running with service account SA1) to be able to connect to private Cloud Run service B, you need to:
Update IAM permissions of service B to give SA1 Cloud Run Invoker role (roles/run.invoker).
Obtain an identity token (JWT) from metadata service:
curl -H "metadata-flavor: Google" \
http://metadata/instance/service-accounts/default/identity?audience=URL
where URL is the URL of service B (i.e. https://*.run.app).
Add header Authentication: Bearer where is the response obtained in the previous command.
Related
I am trying to add an authentication method to AWS OpenSearch.
By default it comes with basic auth with internal db,
I would like to configure Security Plugin with a second authentication mechanism OpenId Connect
Documentation says to use Update Security Configuration , which doesn't seem to be allowed by AWS.
tried PUT _plugins/_security/api/securityconfig and PUT _plugins/_security/api/securityconfig/authc both seems to be failing with {"Message":"Your request: '/_plugins/_security/api/securityconfig/authc' is not allowed."}
Is there an alternative, all I want to do is , use JWT Token(from OpenID Connect Cognito) to run OpenSearch _search API, rather than using internal database basic auth or IAM Role from Federated Pool.
AWS Opensearch has blocked apis for updating security configuration which is why you see the error. The documentation you have linked is applicable when using opensearch security plugin for your self hosted opensearch service and not AWS hosted solution.
I am not sure if this will be helpful to you but this blog does talk about using OpenId Connect along with AWS Cognito for opensearch auth: https://aws.amazon.com/blogs/apn/use-amazon-opensearch-service-with-kibana-for-identity-federation-auth0/
I am setting up a DAG in Cloud Composer that triggers a number of Cloud Run and Cloud Function services. The service account specified in the Cloud Composer Environment (a user created SA) definitely has permissions to invoke both Cloud Run and Cloud Function services, however the Cloud Run functions are giving the following error:
The request was not authenticated. Either allow unauthenticated invocations or set the proper Authorization header. Read more at https://cloud.google.com/run/docs/securing/authenticating
The tasks are like so:
#t1 as request first report
big3_request = SimpleHttpOperator(
task_id= "big3_request",
method='GET',
http_conn_id='trigger_cloud_run_service_conversions_big_3',
endpoint='',
response_check = lambda response: True if response == ("ok", 200) else False
)
I would have thought that the cloud composer environment would be able to use the service accounts IAM roles, but this doesn't seem to be the case. What do I need to do here to enable the services to run? It looks like I can add the keyfile of the service account to the connection, but I don't see why this should be necessary if the same service account is used in the CC environment?
Your service (your SimpleHttpOperator task running in cloud composer) needs to provide authentication credentials in the request. More precisely it needs to
add a Google-signed OpenID Connect ID token as part of the request
You can find here in the official Google doc, different methods to provide such token and a proper request to your Cloud Run service endpoint.
For example, suppose I created
Users in Azure AD
Application in Azure for a restful API
API Management Service which delegated to this application when validating a token in requests (scope)
Then, I switched to AWS API Gateway RestAPI as my API front end gateway, but still have my users defined in AzureAD.
How can I add authentication to the AWS RestAPI such that requests with tokens are validated against the users and scopes defined in Azure AD application?
Said another way, If I was to go with Azure API Management service, I could create an application in azure, add users to that application, add roles to users within that application, and once I setup the API within the api management service instance, point to this application when validation tokens.
Is it possible to use AWS RestAPI and authenticate requests against an Azure AD app with the mix of technologies I described above?
Perhaps another way of asking this would be to ask:
How do I setup authentication with AWS RestAPI with https://auth0.com/?
The same area of the policy to update may be the same. Any insight is appreciated.
The comparable substitute in Azure is here
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad#configure-a-jwt-validation-policy-to-pre-authorize-requests
I see some docs for HTTP APIs here https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-jwt-authorizer.html But I am specifically looking for this type of feature in RestAPI
I have created a service account on Google Cloud Platform. I am using a standalone Java program which uses GCP Java Client API to get the Authentication Token ID by taking service account JSON file. By using the Token ID, I can create a compute instance.
I don't want to use Java API or gcloud tool, is there a REST API exists which takes required details and return Token ID?
I went through the GCP documentation and could not find any details for the authentication and authorization through REST using Service Account.
I have created a service account on Google Cloud Platform. I am using
a standalone Java program which uses GCP Java Client API to get the
Authentication Token ID by taking service account JSON file. By using
the Token ID, I can create a compute instance.
Using a service account is the correct and recommended method to authenticate and authorize software applications.
Note. The assumption here is that the software application is running on your systems under your control. If instead you are installing software on a user's desktop or system not under your control, then you would use Google OAuth 2.0 (Google Accounts) to obtain User Credentials to authorize your application.
Another method is to issue short-lived temporary credentials from a service account credential that are time limited. These short-lived credentials are created on your server and then handed to the client.
I don't want to use Java API or gcloud tool, is there a REST API
exists which takes required details and return Token ID?
You have the classic "Chicken or Egg" situation. You need credentials to authenticate and authorize otherwise anyone could create credentials. Google Service Account credentials provides this. To create service account credentials, use the Google Cloud Console or gcloud CLI to download the service account Json file.
I went through the GCP documentation and could not find any details
for the authentication and authorization through REST using Service
Account.
This question is confusing. Do you want to use Service Account credentials to authorize your Google API calls OR do you want to call a Google API to obtain credentials?
In the first case, once you create service account credentials, they are used to authorize your API calls. You add the Access Token to the HTTP header when making API calls.
For the second case, use Google OAuth 2.0 to obtain credentials. Google OAuth 2.0 uses Google Accounts for authentication. This method provides you with an Access Token (just like a service account) and a Refresh Token and Client ID token. You will need to add the Google Accounts user identity to your Google Cloud IAM which provides for authorization (privileges).
I have a client that has an on-prem AD Server... I am developing an application running through API Gateway that will use a custom authorizer to authorize the endpoints. The on-prem AD server will be used to authenticate internal users, thinking about deploying an AD server in AWS for external users and using some sort of "link" between the two to connect them.
I want to query AD to authenticate the users and then get their IAM roles to allow access the API. Is this a good implementation?
If you are able to run AD FS and expose it to Cognito, I would suggest looking into using Cognito Federated Identity and setting the Method to require AWS_IAM authorization. Here is a link to the docs for AD FS:
https://aws.amazon.com/blogs/mobile/announcing-saml-support-for-amazon-cognito/
Alternatively, if you can't run AD FS and are running AWS Directory Service for Microsoft Active Directory for some other purpose, you could create a trust relationship to your on-prem AD through a direct connect / VPN. You could then create a service which took the AD credentials and authenticated the user via LDAP (lambda function configured to used with a VPC). Finally a custom authorizer could be created that validated the token for subsequent calls and return an appropriate IAM policy.