
Google Cloud Load Balancer Cloud Run Developer Access

I have a Google CloudRun Service that can be accessed either by the CloudRun URL or by a custom domain via a Load Balancer in the Google Cloud.

Now I am trying to set up some kind of access control, so that the Service which runs the Development Stage can only be accessed by logged-in developers.

So far I tried to set the Trigger Configuration of the CloudRun Service to authentication required. That works for the base CloudRun URL, but on adding a path to the base URL I get a Forbidden error, even if I could access the base URL. And accessing the Service via the LoadBalancer always gives a Forbidden.

Is there a way to make the CloudRun Service accessible (including different paths) only to logged-in developers?

And also, is there a way to make the Service only accessible by the LoadBalancer URL and not the CloudRun URL?

Once you require authentication, all requests need to include a token authorized to access the service via any endpoint. You can check out more information here: https://cloud.google.com/run/docs/authenticating/developers

There's also a tool in the gcloud CLI for Cloud Run to make this process easier. If you try gcloud beta run services proxy [your-service], the service will be proxied to localhost, with your identity token included by default.

For restricting access only via the Load Balancing URL, there's an ingress setting (also settable under the 'triggers' tab). This can be set to 'internal and cloud load balancing'.

You can find more info here: https://cloud.google.com/run/docs/securing/ingress
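The steps from the answer above as gcloud and curl commands. This is an added example, not part of the original answer; the function names and every service name, region, e-mail address and URL passed to them are placeholders.

```shell
#!/bin/sh
# Added example: wraps the gcloud/curl calls in functions so the script has
# no effect until a function is called. All arguments are placeholders.

# Allow one developer account to invoke the service. "Authentication
# required" only admits tokens of principals holding roles/run.invoker.
grant_invoker() {
  service="$1"; region="$2"; email="$3"
  gcloud run services add-iam-policy-binding "$service" \
    --region "$region" \
    --member "user:${email}" \
    --role "roles/run.invoker"
}

# Request any URL of the service (base URL or a sub-path) as the developer
# currently logged in to gcloud. The identity token must be attached to
# every request; --fail makes a 403 show up as a non-zero exit status.
call_service() {
  url="$1"
  token="$(gcloud auth print-identity-token)" || return 1
  curl --silent --show-error --fail \
    --header "Authorization: Bearer ${token}" \
    "$url"
}

# Apply the 'internal and cloud load balancing' ingress setting, so the
# service no longer accepts direct internet traffic on its run.app URL.
restrict_ingress() {
  service="$1"; region="$2"
  gcloud run services update "$service" \
    --region "$region" \
    --ingress internal-and-cloud-load-balancing
}

# Usage (placeholders):
#   grant_invoker dev-service europe-west1 dev@example.com
#   call_service "https://SERVICE_URL/some/path"
#   restrict_ingress dev-service europe-west1
```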

"Authentication required" for a Cloud Run service really means "Token required". It checks that the right token is attached to the request, but it's up to you how to add that token. Because of that I think it's mostly useful for machine-to-machine communication. It doesn't provide a log-in user interface or client-side code that attaches tokens to users' requests.

If you do want that, Identity Aware Proxy can provide it.
