
I have a recurring Cron scheduler that invokes a method in a Google Cloud Platform App Engine Flex service (a .NET Core web API, say APP1), which in turn calls an endpoint (e.g. /v1/api/test) of another one of our Google Cloud Platform App Engine Flex services (another .NET Core web API, say APP2).

My question is: how would I go about restricting access to this particular APP2 endpoint to just APP1? Do I have to use Cloud Endpoints to achieve this? Bear in mind that APP2 has other endpoints that are open to the public.

Nibrass H
Newbie
  • Cloud Endpoints could be your best shot since they support this natively, or you can implement your own authentication mechanism, maybe using service account credentials – Pievis Jan 09 '20 at 08:52

2 Answers

To restrict access from service APP2 to service APP1, but not to the general public, you have to use Cloud Endpoints. To do so, follow these steps:

1) You have to create an openapi-appengine.yaml file for Cloud Endpoints. Configure it as follows:

  swagger: '2.0'
  info:
    title: Cloud Endpoints
    description: Sample API on Cloud Endpoints with a Cloud Run backend
    version: 1.0.0
  host: endpoint-service.appspot.com   # replace with your own service URL
  x-google-allow: all
  schemes:
    - https
  produces:
    - application/json
  paths:
    /restricted-endpoint-1:            # list every endpoint you want to restrict here
      get:
        summary: Greet a user
        operationId: hello1            # operationId must be unique per operation
        responses:
          '200':
            description: A successful response
            schema:
              type: string
        security:                      # this is what makes the route require the JWT
          - DEFINITION_NAME: []

    /restricted-endpoint-2:
      get:
        summary: Greet a user
        operationId: hello2
        responses:
          '200':
            description: A successful response
            schema:
              type: string
        security:
          - DEFINITION_NAME: []

  securityDefinitions:
    DEFINITION_NAME:
      authorizationUrl: ""
      flow: "implicit"
      type: "oauth2"
      # the e-mail of the service account APP1 will call with; create one if you have none
      x-google-issuer: "SA_EMAIL_ADDRESS"
      # put the same service account e-mail at the end of the URL
      x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/SA_EMAIL_ADDRESS"

2) Then go to the APP2 service and add your service name to its app.yaml file:

   endpoints_api_service:
     # The following values are to be replaced by information from the output of
     # the 'gcloud endpoints services deploy openapi-appengine.yaml' command.
     name: ENDPOINTS-SERVICE-NAME
     rollout_strategy: managed

   Replace ENDPOINTS-SERVICE-NAME with the name of your Endpoints service. This is the same name that you configured in the host field of your OpenAPI document. For example:

   endpoints_api_service:
     name: example-project-12345.appspot.com
     rollout_strategy: managed

3) Finally, continue with this Official Documentation to authenticate between services.

Nibrass H
  • Would this let me restrict just specific endpoints while letting the others be accessible to general public? – Newbie Jan 09 '20 at 17:08
  • Yep. This is exactly what I ended up doing. Now I'm stuck at the JWT part. Posted it as another question if you want to take a look at it. https://stackoverflow.com/questions/59687609/google-cloud-endpoints-invalid-jwt-signature-net-core. Thanks! – Newbie Jan 10 '20 at 19:06
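As an added example (not code from the answer, the asker, or Google), here is how the calling service APP1 would mint the self-signed service-account JWT that the securityDefinitions above accept and present it to one of the restricted routes. It assumes the path of a service-account JSON key file, a hypothetical class name App1Caller, the NuGet package System.IdentityModel.Tokens.Jwt, and that Audience equals the OpenAPI host field, since ESP checks the aud claim against it.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.IO;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;

public static class App1Caller   // hypothetical name, not part of the question's code
{
    // Must equal the "host" of the OpenAPI document: ESP checks the JWT "aud" against it.
    const string Audience = "endpoint-service.appspot.com";

    // Builds the self-signed JWT that ESP accepts when x-google-issuer is this service account.
    public static string MintServiceAccountJwt(string keyFilePath)
    {
        using var doc = JsonDocument.Parse(File.ReadAllText(keyFilePath));
        string email = doc.RootElement.GetProperty("client_email").GetString();
        string keyId = doc.RootElement.GetProperty("private_key_id").GetString();
        string pem = doc.RootElement.GetProperty("private_key").GetString();
        // The key file stores a PKCS#8 PEM; strip the armour and import the raw key.
        string b64 = pem.Replace("-----BEGIN PRIVATE KEY-----", "").Replace("-----END PRIVATE KEY-----", "")
                        .Replace("\n", "").Replace("\r", "");
        var rsa = RSA.Create();
        rsa.ImportPkcs8PrivateKey(Convert.FromBase64String(b64), out _);
        var token = new JwtSecurityToken(
            issuer: email,          // matches x-google-issuer
            audience: Audience,
            claims: new[] {
                new Claim("sub", email),
                new Claim("email", email),
                new Claim("iat", DateTimeOffset.UtcNow.ToUnixTimeSeconds().ToString(), ClaimValueTypes.Integer64) },
            expires: DateTime.UtcNow.AddHours(1),   // ESP rejects expired tokens
            signingCredentials: new SigningCredentials(
                new RsaSecurityKey(rsa) { KeyId = keyId }, SecurityAlgorithms.RsaSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Calls a restricted APP2 route; ESP verifies signature, iss, aud and exp before forwarding.
    public static async Task<string> CallRestrictedAsync(string keyFilePath)
    {
        using var client = new HttpClient();
        client.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", MintServiceAccountJwt(keyFilePath));
        var resp = await client.GetAsync($"https://{Audience}/restricted-endpoint-1");
        resp.EnsureSuccessStatusCode();
        return await resp.Content.ReadAsStringAsync();
    }
}
```

The public routes of APP2 that have no security entry in the OpenAPI document are still reachable without a token; only the listed paths require this JWT.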
You can use X-Appengine-Inbound-AppId to check the source app when you call a private endpoint.

Please refer to the doc.

Vikram Shinde
  • It looks like that only comes in via URL Fetch Service. Don't think it's supported in .net core. – Newbie Jan 09 '20 at 15:02
  • You can create your own url_fetch service and call from APP1 to APP2 using AuthorizedSession (https://cloud.google.com/docs/authentication/production) and call APP2. In APP2, you can check the request token for the private end-point. – Vikram Shinde Jan 09 '20 at 15:32