More than 3 years have passed since last update.

【GCP】Service-to-service authentication for Cloud Run - Https


What is service-to-service authentication?

It is the mechanism by which one service calls another service's API and the two communicate securely. Publishing an internal API to the whole internet is not good from a security standpoint. With Cloud Run, the caller attaches a Google-signed OIDC identity token to the request in the Authorization header, and Cloud Run checks the token's signature, audience and the caller's IAM permission (Cloud Run Invoker) before the request ever reaches your container.

Preparation before implementation

  • Create a service account for the client
  • Deploy the Cloud Run service (with authentication required, so that unauthenticated requests are rejected)
  • Grant the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) to the Cloud Shell user (the account logged in to GCP), so that user can impersonate the client service account

Granting roles to the service account

The test service account prepared here is cloudrun-tester@PROJECT_ID.iam.gserviceaccount.com
※ PROJECT_ID is the ID of your own project.

[Screenshot: 1.png]

[Screenshot: 2.png]

Grant the Cloud Run Invoker role (roles/run.invoker) to this service account so that it is allowed to call the Cloud Run service. Without this role the request is still rejected even if the token itself is valid.

[Screenshot: 3.png]

Creating the authentication token - Cloud Shell

Replace PROJECT_ID and CLOUDRUN_URL with your own values and the following can be run as is.
※ The token is valid for 1 hour (3,600 seconds).

export PROJECT_ID=xxxxxx-xxxxx-xxxx
export CLOUDRUN_URL=https://backend-xxxxxxxxxx-an.a.run.app

# Mint an OIDC identity token as the client service account (requires the
# Service Account Token Creator role granted above). --audiences must be the
# URL of the Cloud Run service being called; a token with any other aud is rejected.
gcloud auth print-identity-token \
  --impersonate-service-account="cloudrun-tester@$PROJECT_ID.iam.gserviceaccount.com" \
  --audiences="$CLOUDRUN_URL"

WARNING: This command is using service account impersonation. All API calls will be executed as [cloudrun-tester@digital-human-dev.iam.gserviceaccount.com].
eyJhbGciOiJSUzI1NiIsImtpZCI6ImY5ZDk3YjRjYWU5MGJjZDc2YWViMjAwMjZmNmI3NzBjYWMyMjE3ODMiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL2JhY2tlbmQtZmduNGx0aGJoYS1hbi5hLnJ1bi5hcHAiLCJhenAiOiIxMDc0MTgzO
TE0NDU3MjU0NjkzODMiLCJleHAiOjE1ODcwMTU0OTMsImlhdCI6MTU4NzAxMTg5MywiaXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTA3NDE4MzkxNDQ1NzI1NDY5MzgzIn0.Szr3pinUfdxpj2GY18SyflzDJoHhvY66x
mCU3I5dAnY1VHcfudCK9ytou6yK3oIPgngn2Mmr2JvHkdQp9iXyWmVpAN2C45Lc1jCqeZOWmIXu4QrfJiwh6-9Daaieqnnj7wBrXirWs1-81Pyti1qtMaOxMkbCN6D912dxSI9mxnD2Ml3REcAHseQ7zgewJ8fTiceluChJuboPpK2M0sbuXHaMwm-
c630bYbLy44-dgXutVEQN1i6kWb2q4TeNoMcGRHQx593Y82RyLcxUhlLrpm3YIqYhKZFmlf09gY0wbsW9IZ2D-_nzcSemVoF1TWcZTix770MF3Hp2nvt5LOf-tA
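The token printed above is an ordinary JWT, so its claims can be read locally to confirm that the audience really is the Cloud Run URL and that the lifetime is 3,600 seconds. The script below is an added example written for this page, not code from the original article or from Google: it decodes the token exactly as shown above without verifying the signature (Cloud Run verifies it against Google's public keys for you; for your own verification use a proper OIDC library), lists the reasons Cloud Run would reject a token (wrong issuer, wrong audience, expired), and shows how a service running inside Cloud Run obtains the same kind of token from the metadata server instead of `gcloud`. The metadata endpoint and the `Metadata-Flavor: Google` header are Google's documented interface; the `http_get` parameter and all function names are this example's own.

```python
import base64
import json
import urllib.parse
import urllib.request

# Identity token exactly as printed by `gcloud auth print-identity-token` in the
# article (header.payload.signature). The signature is Google's and is NOT
# verified here; only the claims are inspected.
ARTICLE_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsImtpZCI6ImY5ZDk3YjRjYWU5MGJjZDc2YWViMjAwMjZmNmI3NzBjYWMyMjE3ODMiLCJ0eXAiOiJKV1QifQ"
    ".eyJhdWQiOiJodHRwczovL2JhY2tlbmQtZmduNGx0aGJoYS1hbi5hLnJ1bi5hcHAiLCJhenAiOiIxMDc0MTgzOTE0NDU3MjU0NjkzODMiLCJleHAiOjE1ODcwMTU0OTMsImlhdCI6MTU4NzAxMTg5MywiaXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTA3NDE4MzkxNDQ1NzI1NDY5MzgzIn0"
    ".Szr3pinUfdxpj2GY18SyflzDJoHhvY66xmCU3I5dAnY1VHcfudCK9ytou6yK3oIPgngn2Mmr2JvHkdQp9iXyWmVpAN2C45Lc1jCqeZOWmIXu4QrfJiwh6-9Daaieqnnj7wBrXirWs1-81Pyti1qtMaOxMkbCN6D912dxSI9mxnD2Ml3REcAHseQ7zgewJ8fTiceluChJuboPpK2M0sbuXHaMwm-c630bYbLy44-dgXutVEQN1i6kWb2q4TeNoMcGRHQx593Y82RyLcxUhlLrpm3YIqYhKZFmlf09gY0wbsW9IZ2D-_nzcSemVoF1TWcZTix770MF3Hp2nvt5LOf-tA"
)
CLOUDRUN_URL = "https://backend-fgn4lthbha-an.a.run.app"
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")

# Metadata server endpoint reachable from inside a Cloud Run container; the
# `audience` query parameter must be the URL of the service being called.
METADATA_IDENTITY_URL = (
    "http://metadata.google.internal/computeMetadata/v1/instance/"
    "service-accounts/default/identity"
)


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_identity_token(token):
    """Split a compact JWT and return (header, payload) as dicts. No signature check."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def check_claims(payload, expected_audience, now):
    """Return the reasons Cloud Run would reject this token at time `now` (empty = OK)."""
    problems = []
    if payload.get("iss") not in GOOGLE_ISSUERS:
        problems.append("issuer is not Google: %r" % payload.get("iss"))
    if payload.get("aud") != expected_audience:
        problems.append("audience %r does not match %r" % (payload.get("aud"), expected_audience))
    if now >= payload.get("exp", 0):
        problems.append("token expired at %d" % payload.get("exp", 0))
    return problems


def token_lifetime_seconds(payload):
    """exp - iat; for the article's token this is 3600, matching the 1 hour stated."""
    return payload["exp"] - payload["iat"]


def fetch_identity_token(audience, http_get=None):
    """Ask the metadata server for an identity token scoped to `audience`.

    `http_get(url, headers) -> str` is injectable (hypothetical parameter of this
    example) so the call can be exercised outside Cloud Run; the default uses
    urllib against the real metadata server.
    """
    url = METADATA_IDENTITY_URL + "?" + urllib.parse.urlencode({"audience": audience})
    headers = {"Metadata-Flavor": "Google"}  # mandatory; the server refuses without it
    if http_get is None:
        def http_get(u, h):
            req = urllib.request.Request(u, headers=h)
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.read().decode("utf-8")
    return http_get(url, headers).strip()


def authorized_request(url, token):
    """Build the request the article's curl command sends: Bearer token in Authorization."""
    return urllib.request.Request(url, headers={"Authorization": "Bearer " + token})


if __name__ == "__main__":
    header, payload = decode_identity_token(ARTICLE_TOKEN)
    print("alg/kid:", header["alg"], header["kid"])
    print("aud:", payload["aud"], "lifetime:", token_lifetime_seconds(payload), "s")
    print("problems at issue time:", check_claims(payload, CLOUDRUN_URL, payload["iat"] + 1))
    print("problems with wrong audience:",
          check_claims(payload, "https://other-service-an.a.run.app", payload["iat"] + 1))
```

The audience check is the one most often got wrong in practice: a token minted for one Cloud Run URL is rejected by every other service, which is exactly what stops a token stolen from one backend being replayed against another.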

Checking the authentication token

Access without authentication (expected to fail with 403)

curl https://backend-xxxxxxxxxx-an.a.run.app/version

<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>403 Forbidden</title>
</head>
<body text=#000000 bgcolor=#ffffff>
<h1>Error: Forbidden</h1>
<h2>Your client does not have permission to get URL <code>/version</code> from this server.</h2>
<h2></h2>
</body></html>

Access with the Authorization header (the identity token created above, sent as a Bearer token)

curl -H \
  "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImY5ZDk3YjRjYWU5MGJjZDc2YWViMjAwMjZmNmI3NzBjYWMyMjE3ODMiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL2JhY2tlbmQtZmduNGx0aGJoYS1hbi5hLnJ1bi5hcHAiLCJhenAiOiIxMDc0MTgzOTE0NDU3MjU0NjkzODMiLCJleHAiOjE1ODcwMTU0OTMsImlhdCI6MTU4NzAxMTg5MywiaXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTA3NDE4MzkxNDQ1NzI1NDY5MzgzIn0.Szr3pinUfdxpj2GY18SyflzDJoHhvY66xmCU3I5dAnY1VHcfudCK9ytou6yK3oIPgngn2Mmr2JvHkdQp9iXyWmVpAN2C45Lc1jCqeZOWmIXu4QrfJiwh6-9Daaieqnnj7wBrXirWs1-81Pyti1qtMaOxMkbCN6D912dxSI9mxnD2Ml3REcAHseQ7zgewJ8fTiceluChJuboPpK2M0sbuXHaMwm-c630bYbLy44-dgXutVEQN1i6kWb2q4TeNoMcGRHQx593Y82RyLcxUhlLrpm3YIqYhKZFmlf09gY0wbsW9IZ2D-_nzcSemVoF1TWcZTix770MF3Hp2nvt5LOf-tA" \
  https://backend-fgn4lthbha-an.a.run.app/version

v3.1.0