
HTTP requests from compute engine to app-engine standard with compute engine default service account

We want to make secure HTTP requests from Compute Engine to App Engine standard, which authenticate using the App Engine Users API

Users API: https://cloud.google.com/appengine/docs/standard/go/users/

GAE standard handler (secured with the Users API - login: required):

handlers:
- url: /securehandler/.*
  script: _go_app
  login: required
  secure: always

We tried using this library to make an authenticated HTTPS request from our compute engine Go application to the above GAE handler:

https://godoc.org/golang.org/x/oauth2/google#ComputeTokenSource

import (
    "log"
    "net/http"
    "golang.org/x/oauth2"
    "golang.org/x/oauth2/google"
)

client := &http.Client{
    Transport: &oauth2.Transport{
        // Fetch from Google Compute Engine's metadata server to retrieve
        // an access token for the provided account.
        // If no account is specified, "default" is used.
        Source: google.ComputeTokenSource(""),
    },
}
resp, err := client.Get("https://myapp.appspot.com/securehandler/search")
if err != nil {
    log.Fatal(err)
}
defer resp.Body.Close() // resp.StatusCode is 403 here

We get a 403 Forbidden HTTP error.

Our default compute engine service account has App Engine Admin & Editor permissions in IAM.

Google support told us we should be able to make requests to GAE standard handlers with the default compute engine service account.

Thanks

When making secure HTTP requests from Compute Engine to an App Engine app, you have to make use of a user authorization flow [1], because you want users in the GAE app to grant access to requests coming from GCE. The App Engine Users API works just for apps running on the App Engine platform. I assume yours runs on a GCE instance.

HTTP requests coming from other GCP services such as GCE in this case need to be routed directly, where the URL includes the name or ID of a resource [2].

e.g.

http://[VERSION_ID].[SERVICE_ID].[MY_PROJECT_ID].appspot.com

https://[VERSION_ID]-dot-[SERVICE_ID]-dot-[MY_PROJECT_ID].appspot.com

Take a look at this documentation to know how to provide access scope in your requests to the user information your app requires [3].

Hope this helps point you in the right direction.

[1] https://cloud.google.com/compute/docs/api/how-tos/authorization

[2] https://cloud.google.com/appengine/docs/standard/go/communicating-between-services

[3] https://cloud.google.com/compute/docs/api/how-tos/authorization#user_auth_flow
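To make the answer's point concrete, here is an added example (not code from the question, the answer, or any Google library) that shows what credential a token-injecting transport like the one in the question actually puts on the wire. It uses only the Go standard library so it runs offline: `bearerTransport` is a stand-in for `oauth2.Transport` that sets an `Authorization: Bearer` header from a constructed placeholder token, and the `httptest` server is a stand-in for the App Engine frontend that merely reports whether the request carried a bearer header and whether it carried any cookie. Neither reproduces real `login: required` behaviour; the point is that the request arrives with an OAuth bearer token and no browser sign-in cookie, which is the kind of credential a `login: required` handler is looking for.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// CredentialReport records which kinds of credentials a request carried.
// Constructed type for this example, not part of any Google library.
type CredentialReport struct {
	HasBearer bool // Authorization: Bearer ... header present
	HasCookie bool // any Cookie header present (a browser sign-in session would live here)
}

// bearerTransport stands in for oauth2.Transport: it attaches the access
// token as an Authorization header on every request. The token value is a
// constructed placeholder, not a real Google access token.
type bearerTransport struct {
	token string
	base  http.RoundTripper
}

func (t bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+t.token)
	return t.base.RoundTrip(r)
}

// inspectHandler stands in for the App Engine frontend: it only reports what
// credentials arrived. It does not reproduce real login: required behaviour.
func inspectHandler(w http.ResponseWriter, r *http.Request) {
	auth := r.Header.Get("Authorization")
	hasBearer := strings.HasPrefix(auth, "Bearer ")
	hasCookie := len(r.Cookies()) > 0
	fmt.Fprintf(w, "bearer=%t cookie=%t", hasBearer, hasCookie)
}

// ProbeCredentials sends one request through the bearer transport to an
// in-process TLS test server and returns what the server observed.
func ProbeCredentials() (CredentialReport, error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(inspectHandler))
	defer srv.Close()

	client := srv.Client() // trusts the test server's self-signed certificate
	client.Transport = bearerTransport{
		token: "ya29.constructed-example-token", // constructed placeholder
		base:  client.Transport,
	}

	resp, err := client.Get(srv.URL + "/securehandler/search")
	if err != nil {
		return CredentialReport{}, err
	}
	defer resp.Body.Close()

	var rep CredentialReport
	_, err = fmt.Fscanf(resp.Body, "bearer=%t cookie=%t", &rep.HasBearer, &rep.HasCookie)
	return rep, err
}

func main() {
	rep, err := ProbeCredentials()
	if err != nil {
		panic(err)
	}
	fmt.Printf("server saw bearer token: %t, sign-in cookie: %t\n", rep.HasBearer, rep.HasCookie)
}
```

Run it with `go run .`; the report shows a bearer token and no cookie. Swapping `bearerTransport` for the real `oauth2.Transport` from the question changes only where the token comes from (the GCE metadata server), not the kind of credential the App Engine side receives.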
