Getting 403 when connecting to a Cloud Run service when using a Serverless VPC Connector
I have a service on Cloud Run (Service A) which is trying to call another service on Cloud Run (Service B). Both the services are in us-east1. For Service B, Ingress is set to 'Allow internal traffic only' and Authentication is set to 'Allow unauthenticated invocations'.
I created a Serverless VPC Connector in the same region as the services and set the IP address range to 10.8.0.0/28.
I then connected Service A to the connector mentioned above and set 'Route only requests to private IPs through the VPC connector'.
I seem to be getting a 403 when attempting to hit the service. Has anyone had this issue? If so, how did you solve this problem?
You need to set the egress to All, to route all the traffic to the serverless VPC connector.
Indeed, even if you set service B to internal egress, the Cloud Run service is still exposed publicly, but an additional check is performed on the requests that come in to validate the traffic origin (whether it comes from your VPC or not).
In your case, in service A, with the private-ranges-only egress, you route only the traffic going to private IPs, and that is not the case for the always-publicly-exposed "internal" service B.
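As an added example (not code from the question or from any answer), here is a small POSIX shell script that encodes the ingress/egress rule this answer describes and applies the fix with gcloud; the service names service-a and service-b, the connector name my-connector and the region are assumptions:

```sh
#!/bin/sh
# Added example, not code from the thread. Assumes service names service-a and
# service-b, a connector named my-connector and region us-east1; a project must
# already be selected in gcloud for the "apply" path.
set -eu
REGION="${REGION:-us-east1}"
CONNECTOR="${CONNECTOR:-my-connector}"

# Will a request from a caller with the given egress mode pass the callee's
# ingress check? "internal" ingress only admits traffic arriving through the
# VPC, but the callee's *.run.app URL is public, so a caller that routes only
# private ranges sends the request over the internet and gets a 403.
call_allowed() {
  ingress="$1"   # callee: all | internal | internal-and-cloud-load-balancing
  egress="$2"    # caller: private-ranges-only | all-traffic
  case "$ingress" in
    all) return 0 ;;
    internal|internal-and-cloud-load-balancing)
      [ "$egress" = "all-traffic" ] ;;
    *) echo "unknown ingress setting: $ingress" >&2; return 2 ;;
  esac
}

# Show the egress mode currently deployed on a service (needs gcloud).
current_egress() {
  gcloud run services describe "$1" --region "$REGION" --format=yaml \
    | grep 'run.googleapis.com/vpc-access-egress'
}

# The fix from the accepted answer: keep service B internal (and, as in the
# question, unauthenticated) and send ALL of service A's outbound traffic
# through the connector instead of only private ranges.
apply_fix() {
  gcloud run services update service-b --region "$REGION" \
    --ingress internal --allow-unauthenticated
  gcloud run services update service-a --region "$REGION" \
    --vpc-connector "$CONNECTOR" --vpc-egress all-traffic
  current_egress service-a
}

# Only change the project when explicitly asked; otherwise print the table
# of egress modes for the question's setup (service B on internal ingress).
if [ "${1:-}" = "apply" ]; then
  apply_fix
else
  for e in private-ranges-only all-traffic; do
    if call_allowed internal "$e"; then r=200; else r=403; fi
    echo "service-b ingress=internal, service-a egress=$e -> $r"
  done
fi
```

Run it without arguments to see which combination yields the 403 from the question, and with `apply` to change the two services.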
I am guessing that the 403 code you are getting comes from the Cloud Run service and that it is a problem with the authentication, so to solve that error code you could follow this link, where you will find a detailed explanation of how to authenticate users for your services.
I was able to fix this issue. This must be used when you have to use an authenticated user to access a Cloud Run application:
Accessing Authenticated Cloud Run applications using IAP
It means that your client is not authorized to invoke this service. You can address this by taking one of the following actions:
Please find the link that might help in troubleshooting this error.