How to query Google Cloud Platform's metadata server from App Engine frontend to get an identity token (JWT) for Compute engine backend?
We currently have an Angular 9 GCP App Engine instance on the frontend and a Django GCP Cloud Run service on the backend for our project. We would like to have the Angular app query GCP for a JWT token from the metadata server, which we will put in the header for each request to the backend. Upon querying according to this page, we keep getting the following "Mixed Content" error.
Mixed Content: The page at {our App Engine url} was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience={audienceName}'. This request has been blocked; the content must be served over HTTPS.
We have tried to use the https version of the above GCP metadata url, which does not exist. In theory we should be able to retrieve this metadata since a GCP instance, the GCP App Engine app, is talking to the GCP Compute Engine backend. Does anyone have experience making this query from the UI to get a token to set in requests to the backend?
Even if your Angular9 app is hosted on App Engine, the code (the TS code, translated to JavaScript) doesn't run on App Engine, but it runs on the client browser.
Ok, you are surely aware of this, but it will help me explain your issue more simply. You try to call an internal Google URL ( http://metadata.google.internal/... ). And thus, your Angular app, in your user's browser, can't reach this API.
The good pattern is not this one. You have to expose an API on a backend (App Engine or elsewhere, Cloud Functions or Cloud Run) that accepts the requests coming from your Angular9 app (according to your service requirement, the request can be authenticated (with Firebase Auth for example) or not).
Then your backend, hosted on Google Cloud, can request the metadata server and then generate a token to reach other services.
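The pattern this answer describes, as an added example that is not part of the original answer: server-side Node.js 18+ logic that obtains the identity token from the metadata server and attaches it to the call to the backend, so the token never reaches the browser. `BACKEND_URL`, `ALLOWED_PREFIXES` and the function names are hypothetical; the path allowlist is an added safeguard so the relay cannot be pointed at arbitrary routes or hosts.

```javascript
// Added example: server-side proxy logic (Node.js 18+, global fetch).
// BACKEND_URL and ALLOWED_PREFIXES are hypothetical values for illustration.
const METADATA_IDENTITY_URL =
  'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity';
const BACKEND_URL = 'https://backend.example.invalid'; // placeholder Cloud Run service URL
const ALLOWED_PREFIXES = ['/api/'];                    // only these paths are relayed

// Build the metadata-server request. The Metadata-Flavor header is mandatory;
// the metadata server rejects requests that do not carry it.
function buildIdentityRequest(audience) {
  const url = new URL(METADATA_IDENTITY_URL);
  url.searchParams.set('audience', audience);
  return { url: url.toString(), headers: { 'Metadata-Flavor': 'Google' } };
}

// Accept only a plain path under an allowed prefix, so a caller cannot steer
// the proxy to another host ("//host/...") or climb out of the prefix ("..").
function isAllowedPath(path) {
  if (typeof path !== 'string' || !path.startsWith('/') || path.startsWith('//')) return false;
  if (path.includes('..') || path.includes('\\')) return false;
  return ALLOWED_PREFIXES.some((prefix) => path.startsWith(prefix));
}

// Works only from code running on Google Cloud, never from the browser.
async function fetchIdentityToken(audience, fetchImpl = fetch) {
  const { url, headers } = buildIdentityRequest(audience);
  const res = await fetchImpl(url, { headers });
  if (!res.ok) throw new Error(`metadata server returned ${res.status}`);
  return (await res.text()).trim();
}

// Relay a request from the Angular app to the backend with the service
// identity attached. The audience is the URL of the receiving service.
async function callBackend(path, fetchImpl = fetch) {
  if (!isAllowedPath(path)) throw new Error('path not allowed');
  const token = await fetchIdentityToken(BACKEND_URL, fetchImpl);
  const res = await fetchImpl(BACKEND_URL + path, {
    headers: { Authorization: `Bearer ${token}` },
  });
  return { status: res.status, body: await res.text() };
}
```

The `fetchImpl` parameter exists so the flow can be exercised offline with a stub; in a deployed handler the default global `fetch` is used.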