google-cloud-platformgoogle-cloud-rungoogle-cloud-consolegoogle-cloud-vm

Gating a custom docker container in VM instance container with the same authentication and authorization of Google Cloud Run instance

Let me explain the current scenario that we have setup, so I can better explain what I want to achieve:

Currently, I have a working GC Run instance running that requires authentication. As you might know, in order to authenticate and make requests to this GC Run instance, you need to authenticate as a service account or as a user with a access token.

The first case is useful for Google services, or even other external services to make requests to the GC Run instance. You can obtain credentials for a service account on Google Console IAM page, and you can use it to identify a backend service as this service. We use this to authenticate an external backend routine that makes requests to this GC Run instance when some relevant stuff changes in the database.

This backend routine gets the client to make requests with the following:

const {URL} = require('url');
const googleAuthLib = require('google-auth-library');
  
const targetAudience = new URL(process.env.URL_OF_GCRUN_INSTANCE);
const credentials = JSON.parse(process.env.CREDENTIALS_SECRET);
const auth = new googleAuthLib.GoogleAuth({credentials});
const client = await auth.getIdTokenClient(targetAudience);

The second case is useful to make some requests yourself, as a developer, to the running instance. I usually use gcloud auth print-access-token to make some tests. For both of these scenarios, the credentials need the "Cloud Run Invoker" permission to make requests.

Now, to explain what we want: We want to migrate this GC Run instance to a GC VM instance with a container. This container will serve the same application as the GC Run instance, in a port (let's say it's port 9091).

So far we relied on GC authentication to gate the requests: no one could make requests to the GC Run instance without proper authentication and authorization. We want the same now: we want the requester (be it a service or a person) to be gated by the same authorization that we had with GC Run instance. This will give us two main advantages: no changes in the application source code, and the already running services will also not change.

So, how can we achieve this? With a different base image in our custom image? Or with a Google Cloud service? Or any other way?

Solution

  • It seems (I've never used it) to me like just putting an http load balancer in front of your VM and enabling IAP on it should do.

    https://cloud.google.com/iap/docs/concepts-overview

    You could also just verify the JWT token yourself in your application, authentication is easy, but this will be a lot more effort to get the authorization part done.