Hi All,
I have already implemented Southbound infrastructure for Apigee and am able to make unauthenticated requests to Cloud Run. However, when trying to make authenticated requests via a Google ID token, we encounter a 401 Unauthorized error.
Current State
This is what our infrastructure is based on
https://cloud.google.com/blog/products/serverless/connecting-to-cloud-run-from-apigee-x-using-psc
Attached is an XML file of our proxy for the target endpoint (with the Cloud Run URL removed, but we know the one we're using is correct). We believe this should be working for authenticated requests. Is there any config change we need to make on the Cloud Run side, or an addition to be made to the proxy?
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TargetEndpoint name="default">
    <Description/>
    <FaultRules/>
    <PreFlow name="PreFlow">
        <Response/>
    </PreFlow>
    <PostFlow name="PostFlow">
        <Request/>
        <Response/>
    </PostFlow>
    <Flows/>
    <HTTPTargetConnection>
        <Properties/>
        <LoadBalancer>
            <Server name="server-name"/>
        </LoadBalancer>
        <Authentication>
            <HeaderName>X-Serverless-Authorization</HeaderName>
            <GoogleIDToken>
                <Audience>Cloud Run URL</Audience>
            </GoogleIDToken>
        </Authentication>
    </HTTPTargetConnection>
</TargetEndpoint>
What we want to do
Since there are multiple Cloud Run services, we want to be able to send authenticated requests via a single API proxy instead of creating one for each Cloud Run service in the backend, which is not scalable or sustainable.
Our Endpoints all follow the structure - https://domain/base-path/name-of-cloud-run-service
Thanks,
Soham
On the Cloud Run side, you should grant and add Cloud Run Invoker to the service account that you created and used on the Apigee side when you deploy the API proxy.
gcloud functions add-invoker-policy-binding "$CLOUD_FUNCTION_NAME" \
  --member="serviceAccount:${SA_EMAIL}" \
  --region="$CLOUD_FUNCTIONS_REGION" \
  --project="$CLOUD_FUNCTIONS_PROJECT"
You can refer to this community post.
https://www.googlecloudcommunity.com/gc/Apigee/Apigee-To-Cloud-function-Auth/m-p/718705#M78728
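An added example, not part of the original thread and not Apigee or Google code: Cloud Run checks the ID token's `aud` claim against the service URL (or a configured custom audience), so a token minted for one service is refused by another behind the same proxy. The sketch below decodes a token's claims and lists likely 401 causes; the service URLs, service account email and exact-string audience comparison are assumptions, and the sample token is constructed and unsigned.

```python
import base64
import json
import time

def decode_claims(token):
    """Return the JWT payload as a dict. No signature check: diagnostic use only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(token, accepted_audiences, invoker_sa, now=None):
    """List reasons the token would be refused by one backend service.
    Assumption: audiences are compared as exact strings."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems = []
    aud = claims.get("aud")
    if not isinstance(aud, str) or aud not in accepted_audiences:
        problems.append(f"aud {aud!r} is not one of {sorted(accepted_audiences)}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    if claims.get("email") != invoker_sa:
        problems.append(f"caller {claims.get('email')!r} is not the invoker account")
    return problems

def make_sample_token(claims):
    """Build an UNSIGNED, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"

# Constructed sample values (hypothetical, not from the original post).
SA = "apigee-proxy@example-project.iam.gserviceaccount.com"
ORDERS = "https://orders-abc123-uc.a.run.app"
BILLING = "https://billing-abc123-uc.a.run.app"
NOW = 1_700_000_000
TOKEN = make_sample_token({"aud": ORDERS, "email": SA, "exp": NOW + 3600})

if __name__ == "__main__":
    # One token, two backends: only the service named in `aud` would accept it.
    for name, url in (("orders", ORDERS), ("billing", BILLING)):
        print(name, diagnose(TOKEN, {url}, SA, now=NOW) or "ok")
```

Run it against a token captured from the `X-Serverless-Authorization` header in a non-production trace to see which claim disagrees with the service being called.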