I currently have a ReactJS frontend deployed as a service on Google App Engine (GAE), while my Flask backend API service is deployed on Google Cloud Run.
I made these choices to stay in the free tier while having reasonable limits. As my project was in a test phase, I had just been using the Cloud Run URL to make all my requests from the frontend. However, it is now time for me to make my Cloud Run API instance private and only let requests from my frontend in GAE be served.
I tried some Cloud Run Invoker permissions on the appspot service account but I was unable to make it work. I keep getting 403 Forbidden errors on my frontend. I am unsure how to proceed, as there is no documentation available on connecting GAE and Cloud Run.
CodePudding user response:
Here's an example, in Python 3, which should work from App Engine, or any other GCP environment with default credentials (Cloud Functions, Cloud Run, Compute Engine, GKE). It will also work from outside of GCP with a service account key in GOOGLE_APPLICATION_CREDENTIALS:
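    import google.auth.transport.requests
    import google.oauth2.id_token
    import requests

    # The second argument is the token audience: the URL of the Cloud Run service.
    id_token = google.oauth2.id_token.fetch_id_token(
        google.auth.transport.requests.Request(),
        "https://example-7cligfcyiq-oa.a.run.app")
    response = requests.get(
        "https://example-7cligfcyiq-oa.a.run.app/some/resource",
        headers={"Authorization": "Bearer %s" % id_token})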
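An added debugging sketch, not part of the answer above: it decodes an ID token's payload without verifying it, so the `aud`, `exp` and caller identity can be compared with the service URL and with the account granted Cloud Run Invoker. The token and service-account email are constructed sample values, and `make_sample_token`, `read_claims` and `diagnose` are hypothetical helper names.

```python
import base64
import json
import time

SERVICE_URL = "https://example-7cligfcyiq-oa.a.run.app"  # URL from the answer above
SAMPLE_SA = "example-project@appspot.gserviceaccount.com"  # constructed sample value


def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims):
    """Build a constructed, unsigned JWT-shaped string for offline testing."""
    return ".".join([_b64url({"alg": "none", "typ": "JWT"}), _b64url(claims), "sig"])


def read_claims(token):
    """Decode the payload segment WITHOUT checking the signature.

    For inspection only; never base an access decision on this.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token, service_url, now=None):
    """Report mismatches between the token's claims and the target service."""
    now = time.time() if now is None else now
    claims = read_claims(token)
    problems = []
    if claims.get("aud") != service_url:
        problems.append("aud %r does not match service URL %r"
                        % (claims.get("aud"), service_url))
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    # Assumption: the caller identity is carried in "email", else "sub".
    identity = claims.get("email") or claims.get("sub")
    return {"identity": identity, "problems": problems}


if __name__ == "__main__":
    token = make_sample_token({"aud": SERVICE_URL + "/some/resource",
                               "exp": int(time.time()) + 3600, "email": SAMPLE_SA})
    print(diagnose(token, SERVICE_URL))
```

The `identity` value is the principal to look for in the service's Cloud Run Invoker binding.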
CodePudding user response:
Going by your description of front-end static pages calling Cloud Run directly, there are 2 key flags in Cloud Run that will apply here:
--ingress=
- if you specified internal or internal-and-cloud-load-balancing, it will never work
--no-allow-unauthenticated
- if you specified this, every user will need to be granted their own access and provide their own bearer token
It is a much better design to just use App Engine the way it was intended, and use the back end of App Engine directly.