4

I would like to set up an auth policy on a GRPC service through Istio.

Currently, it's possible to add the policy on regular HTTP services, as you can use the Authorization header to pass the JWT token to the service. I'm a bit lost as there doesn't seem to be a similar policy for GRPC services (where you could include the token in the metadata of the request).

Has anyone managed to add an auth policy to a GRPC service managed by Istio?

Thomas Krajacic
odino

1 Answer

0

You can have the Authorization header parsed into md['authorization'] for you if you use JSON-to-GRPC Gateway as a middleware between the Istio ingress and the gRPC service.

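JSON-to-GRPC Gateway source-code line where the HTTP Authorization header is parsed and appended to the pairs that will become metadata:

```go
for key, vals := range req.Header {
    for _, val := range vals {
        // The HTTP Authorization header is copied into the gRPC metadata pairs.
        if key == "Authorization" {
            pairs = append(pairs, "authorization", val)
            continue
        }
        // (rest of the loop body is not part of this excerpt)
    }
}
```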

PS: If there's a way to use a custom middleware function in Istio itself, you could replicate the grpc-gateway logic to achieve the same behaviour.

that can later be accessed in the grpc-service via context like this:

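```go
// retrieve metadata from the incoming request context
// (current grpc-go name; older releases called this metadata.FromContext)
md, ok := metadata.FromIncomingContext(ctx)
if ok {
    authz := md["authorization"] // []string holding the header value(s)
    _ = authz
}
```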
vcorrea
  • The question is looking for a solution where a grpc client sends an authorization header to the grpc server and how to use Istio to intercept and validate the jwt token. – user3739116 Sep 01 '22 at 18:39
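Added example, not part of the answer above or of grpc-gateway's code: the header-to-metadata copy from the answer followed by a strict service-side read of `md["authorization"]`, using only the Go standard library. `MD`, `headersToMD` and `bearerToken` are hypothetical names; `MD` stands in for grpc-go's `metadata.MD`, and the token value is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// MD mirrors the shape of grpc-go's metadata.MD (map[string][]string) so the
// example runs with the standard library only (assumption for illustration).
type MD map[string][]string

// headersToMD copies the Authorization header into lower-case metadata,
// following the gateway loop quoted in the answer. Other headers are dropped.
func headersToMD(h http.Header) MD {
	md := MD{}
	for key, vals := range h {
		for _, val := range vals {
			if key == "Authorization" {
				md["authorization"] = append(md["authorization"], val)
			}
		}
	}
	return md
}

var errNoToken = errors.New("missing or malformed authorization metadata")

// bearerToken returns the token from md["authorization"]. It rejects absent,
// duplicated, non-Bearer and empty values instead of guessing.
func bearerToken(md MD) (string, error) {
	vals := md["authorization"]
	if len(vals) != 1 {
		return "", errNoToken
	}
	scheme, token, found := strings.Cut(vals[0], " ")
	if !found || !strings.EqualFold(scheme, "Bearer") || strings.TrimSpace(token) == "" {
		return "", errNoToken
	}
	return strings.TrimSpace(token), nil
}

func main() {
	h := http.Header{}
	h.Set("authorization", "Bearer constructed.sample.token") // constructed value
	fmt.Println(bearerToken(headersToMD(h)))
}
```

Extracting the token is not validation: signature, issuer and expiry still have to be checked, either in the service or in the mesh.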