使用 GCP Compute Engine 作为 Authenticated Cloud Run Service 的代理

Question

I currently have a dockerized web application hosted on a Google Cloud Compute Instance, which is only accessible from our companies private network. This set up has worked well over the past year, but with additional development requirements and increased usage, I find myself constantly modifying the instances size, and having to restart the server with new updates. Also, other developers on the team have less experience with deploying this code which makes this app my responsibility.

I'd like to move this application to Cloud Run for scalability, ease of maintenance and deployments but still have it accessible only on our companies network. My idea was to move the application to an authenticated cloud run service and use the original server as an nginx proxy that would add an authentication header and forward the request to the cloud run service.

My question would be how would I use nginx to get the token (the server will have the necessary permissions), and add it to the request before passing it to the app. This is my current idea, but not sure where to go from here.

location / {
    proxy_set_header Authentication "Bearer $ID_TOKEN";
    proxy_pass https://the-library-clwysxi3sq-ue.a.run.app;
}

Answer 1

You're on the right track.

At this point, I recommend you to consider using Envoy Proxy instead of NGINX. Envoy has a well-documented protocol to fetch dynamic data such as $ID_TOKEN from an external source.

Whatever solution you choose, make sure you actually end up rewriting the "Host" header to your [...].run.app hostname, because if you preserve the hostname as is ( somedomain.com ), Cloud Run's load balancer won't know which app to route it.

The remaining task is to figure out how to get the $ID_TOKEN dynamically.

Google Compute VM instance needs to retrieve an identity token (JWT) by querying the instance metadata service:

curl -H "Metadata-Flavor: Google" \
  http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=https://hello-2wvlk7vg3a-uc.a.run.app

Make sure to replace the value of ?audience= with the targeted service's URL.

The response body of this call returns a JWT token that expires within an hour. You should cache this response (based on audience, and TTL<60 mins), or simply get a new one every time.

Note that on Cloud Run, you can only generate 50 identity tokens per second currently. However you are running on GCE (and I'm repeating myself here ) I don't think there's a documented rate limit for metadata service on GCE. It's likely higher .

Then, you need to add it to the outgoing request (to Cloud Run) as an HTTP header:

Authorization: Bearer <TOKEN>

This procedure is explained at Service-to-service authentication documentation.

You can search Stack Overflow or Google on how to execute a Lua or Bash script in NGINX for every request.