I want to deploy a micro service on cloud run, using gRPC to communicate with it. I have set up the service and gotten it to work using insecure channels but I am a bit confused by the documentation when it comes to authentication.
I am not experienced with security and authentication, so I would greatly appreciate if someone could outline the steps needed to set up a secure gRPC channel served on cloud run. Will be running this in python.
Some concrete questions that have popped up:
- Is authentication done with only OIDC (as I understand it from the docs), or do you need both OIDC and SSL (is this what they refer to as call and channel credentials?)?
- Do I make the server secure or insecure? Seems like some threads make the server insecure and then I guess the authentication would be done between client and Google?
- How do you handle SSL certificates on Cloud Run? Do you need to generate them yourself and, if so, do you store them in the Docker image?
Thanks in advance
CodePudding user response:
You run gRPC over HTTP/2 and for HTTP/2 you typically secure it using a TLS certificate (same as for plain HTTPS).
Authentication is done either through tokens/keys or client certificates or whatever you like. For tokens/keys, you typically provide them as an authentication header in HTTP/2 (similar to HTTP/1.1).
For HTTPS to work, you need a valid certificate, typically issued in the cloud using LetsEncrypt.
gRPC is like any other HTTP request (but over HTTP/2)
CodePudding user response:
Cloud Run injects a proxy as a sidecar to your deployed container.
The service will always be secured with TLS.
TLS-based auth can be used to authenticate the client and the server to each other, but it does not authenticate the user of the client; for that you will need to use an additional mechanism.
If you permit unauthenticated, anything can invoke your service. If you require authenticated, the service will expect an authorization token (an identity token) to authenticate.
You can use Google identities to authenticate but these will need to be suitably permitted (e.g. invoker) members of the project and you will need to use a JWT (using the Cloud Run service's endpoint as its audience) that the client exchanges for the identity token. This is documented in the link you included: https://cloud.google.com/run/docs/authenticating/service-to-service
Another, more complex but more flexible approach is to use Firebase Auth to support federated authentication (e.g. Google, Microsoft, Facebook accounts) and Cloud Endpoints (another proxy) to authenticate. Using this approach, you will need to implement an authorization service too to determine what role an authenticated user has: https://cloud.google.com/endpoints/docs/grpc/authenticating-users
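The client side of the service-to-service flow from the answer above (a TLS-secured channel with an identity token, minted for the service URL as audience, attached as call credentials), as an added Python example that is not code from either answer or from Google. It assumes the client itself runs on GCP so the metadata server can mint the token; `token_source` and the helper names are my own.

```python
import urllib.parse
import urllib.request

# Metadata server endpoint reachable from inside a GCP workload (Cloud Run, GCE, GKE).
METADATA_IDENTITY_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                         "instance/service-accounts/default/identity")


def identity_token_url(audience: str) -> str:
    """URL that mints an ID token for `audience`, which must be the Cloud Run service URL;
    a token minted for any other audience is rejected by the Cloud Run proxy."""
    return f"{METADATA_IDENTITY_URL}?audience={urllib.parse.quote(audience, safe='')}"


def fetch_identity_token(audience: str, urlopen=urllib.request.urlopen) -> str:
    """Fetch an identity token from the metadata server (only works on GCP).
    `urlopen` is injectable so the flow can be exercised offline."""
    req = urllib.request.Request(identity_token_url(audience),
                                 headers={"Metadata-Flavor": "Google"})
    with urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8").strip()


class IdentityTokenPlugin:
    """Per-call credentials: adds `authorization: Bearer <id token>` to each RPC.
    Matches the callable signature grpc.metadata_call_credentials() accepts, so the
    class itself needs no grpc import and can be tested with a stub callback."""
    def __init__(self, audience: str, token_source=fetch_identity_token):
        self._audience = audience
        self._token_source = token_source  # hypothetical hook for tests/caching

    def __call__(self, context, callback):
        try:
            token = self._token_source(self._audience)
        except Exception as exc:
            callback((), exc)  # fail the RPC instead of sending it unauthenticated
            return
        callback((("authorization", f"Bearer {token}"),), None)


def secure_cloud_run_channel(service_url: str):
    """TLS channel credentials (server auth via system CA roots) composed with the
    identity-token call credentials (caller auth); audience = the service URL."""
    import grpc  # imported here so the token helpers above stay importable without grpcio
    host = service_url.split("://", 1)[-1].rstrip("/")
    creds = grpc.composite_channel_credentials(
        grpc.ssl_channel_credentials(),
        grpc.metadata_call_credentials(IdentityTokenPlugin(service_url)))
    return grpc.secure_channel(f"{host}:443", creds)
```

The server inside the container keeps listening on a plain port, since the Cloud Run proxy terminates TLS and checks the token before the request reaches it.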