We want to make secure HTTP requests from Compute Engine to App Engine standard, which authenticate using the App Engine Users API.
Users API: https://cloud.google.com/appengine/docs/standard/go/users/
GAE standard handler (secured with the Users API, login: required):
handlers:
- url: /securehandler/.*
  script: _go_app
  login: required
  secure: always
We tried using this library to make an authenticated HTTPS request from our Compute Engine Go application to the above GAE handler:
https://godoc.org/golang.org/x/oauth2/google#ComputeTokenSource
import (
	"net/http"

	"golang.org/x/oauth2"
	"golang.org/x/oauth2/google"
)

client := &http.Client{
	Transport: &oauth2.Transport{
		// Fetch from Google Compute Engine's metadata server to retrieve
		// an access token for the provided account.
		// If no account is specified, "default" is used.
		Source: google.ComputeTokenSource(""),
	},
}
resp, err := client.Get("https://myapp.appspot.com/securehandler/search")
// err is nil (the request itself succeeds); resp.StatusCode is 403.
We get a 403 Forbidden HTTP error.
Our default compute engine service account has App Engine Admin & Editor permissions in IAM.
Google support told us we should be able to make requests to GAE standard handlers with the default compute engine service account.
Thanks
When making secure HTTP requests from Compute Engine to an App Engine app, you have to make use of a user authorization flow [1], because you want users in the GAE app to grant access to requests coming from GCE. The App Engine Users API works just for apps running on the App Engine platform. I assume yours runs on a GCE instance.
HTTP requests coming from other GCP services, such as GCE in this case, need to be routed directly, where the URL includes the name or ID of a resource [2].
e.g.
http://[VERSION_ID].[SERVICE_ID].[MY_PROJECT_ID].appspot.com
https://[VERSION_ID]-dot-[SERVICE_ID]-dot-[MY_PROJECT_ID].appspot.com
Take a look at this documentation to learn how to provide the access scope in your requests for the user information your app requires [3].
Hope this helps point you in the right direction.
[1] https://cloud.google.com/compute/docs/api/how-tos/authorization
[2] https://cloud.google.com/appengine/docs/standard/go/communicating-between-services
[3] https://cloud.google.com/compute/docs/api/how-tos/authorization#user_auth_flow
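An added example, not code from the question or the answer: a stdlib-only Go probe that does by hand what google.ComputeTokenSource("") and oauth2.Transport do (read the default service account's token from the GCE metadata server, send it as a Bearer header to the secured handler) and then names what the handler did, so a redirect to Google sign-in, which a login: required handler issues when no sign-in session cookie is present, is told apart from the 403. The metadata endpoint URL, the myapp.appspot.com host and the result strings are assumptions, not taken from the page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// classify names what the handler did with the bearer token. A "login: required" handler
// answers a request without a Google sign-in cookie by redirecting to the sign-in page.
func classify(resp *http.Response) string {
	switch {
	case resp.StatusCode >= 200 && resp.StatusCode < 300:
		return "accepted"
	case resp.StatusCode == http.StatusFound && strings.Contains(resp.Header.Get("Location"), "accounts.google.com"):
		return "redirected to Google sign-in: handler expects a Users API browser session, not a bearer token"
	case resp.StatusCode == http.StatusForbidden:
		return "403 forbidden: bearer token sent but not authorized by the handler"
	}
	return fmt.Sprintf("unexpected status %d", resp.StatusCode)
}
// probe fetches a token from tokenURL (the metadata endpoint google.ComputeTokenSource("") reads),
// sends it to handlerURL as oauth2.Transport would, and reports the outcome without following redirects.
func probe(tokenURL, handlerURL string) (string, error) {
	c := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}
	mreq, _ := http.NewRequest(http.MethodGet, tokenURL, nil)
	mreq.Header.Set("Metadata-Flavor", "Google") // mandatory, or the metadata server refuses
	mresp, err := c.Do(mreq)
	if err != nil {
		return "", err
	}
	defer mresp.Body.Close()
	var tok struct{ AccessToken string `json:"access_token"` } // field of the metadata JSON reply
	if err := json.NewDecoder(mresp.Body).Decode(&tok); err != nil || tok.AccessToken == "" {
		return "", fmt.Errorf("no usable token from metadata server: %v", err)
	}
	req, _ := http.NewRequest(http.MethodGet, handlerURL, nil)
	req.Header.Set("Authorization", "Bearer "+tok.AccessToken)
	resp, err := c.Do(req)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return classify(resp), nil
}
func main() { // only works inside GCE; the appspot host is the question's placeholder (assumption)
	fmt.Println(probe("http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token",
		"https://myapp.appspot.com/securehandler/search"))
}
```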