1
votes

We want to make secure HTTP requests from Compute Engine to App Engine standard, where the handlers authenticate using the App Engine Users API.

Users API: https://cloud.google.com/appengine/docs/standard/go/users/

GAE standard handler (secured with the Users API, login: required):

handlers:
- url: /securehandler/.*
  script: _go_app
  login: required
  secure: always

We tried using this library to make an authenticated HTTPS request from our Compute Engine Go application to the above GAE handler:

https://godoc.org/golang.org/x/oauth2/google#ComputeTokenSource

import (
	"net/http"
	"golang.org/x/oauth2"
	"golang.org/x/oauth2/google"
)

client := &http.Client{
	Transport: &oauth2.Transport{
		// Fetch an access token for the given account from the Compute Engine
		// metadata server; an empty account name means "default".
		Source: google.ComputeTokenSource(""),
	},
}
resp, err := client.Get("https://myapp.appspot.com/securehandler/search")
if err != nil {
	return err
}
defer resp.Body.Close() // resp.StatusCode is 403 in our case

We get a 403 Forbidden HTTP error.

Our default Compute Engine service account has App Engine Admin and Editor permissions in IAM.

Google Support told us we should be able to make requests to GAE standard handlers with the default Compute Engine service account.

Thanks


1 Answer

2
votes

When making secure HTTP requests from Compute Engine to an App Engine app, you have to make use of a user authorization flow [1], because you want users in the GAE app to grant access to requests coming from GCE. The App Engine Users API works just for apps running on the App Engine platform. I assume yours runs on a GCE instance.

HTTP requests coming from other GCP services, such as GCE in this case, need to be routed directly, where the URL includes the name or ID of a resource [2].

e.g.

http://[VERSION_ID].[SERVICE_ID].[MY_PROJECT_ID].appspot.com

https://[VERSION_ID]-dot-[SERVICE_ID]-dot-[MY_PROJECT_ID].appspot.com

Take a look at this documentation to know how to provide an access scope in your requests for the user information your app requires [3].

Hope this helps point you in the right direction.

[1] https://cloud.google.com/compute/docs/api/how-tos/authorization

[2] https://cloud.google.com/appengine/docs/standard/go/communicating-between-services

[3] https://cloud.google.com/compute/docs/api/how-tos/authorization#user_auth_flow
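One way to turn the question's fire-and-forget client.Get into a check that actually explains a 403, as an added Go example that is not part of the question or the answer: ProbeSecureHandler keeps the status, any redirect Location and the error text instead of discarding them, and BearerCheck, wired as the Base of the oauth2.Transport, confirms that a bearer token was really attached before the handler is blamed. The oauth2.Transport/ComputeTokenSource wiring appears only in a comment so the file builds with the standard library alone; myapp.appspot.com is the question's placeholder host.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
)

// ProbeResult is what the secured handler answered. Location is set when it
// redirected (for example to a login page) instead of serving the request.
type ProbeResult struct {
	Status   int
	Location string
	Body     string // first bytes of the body, which carry the error text
}

// BearerCheck goes underneath the token-adding transport (as the Base of an
// *oauth2.Transport) and records whether the outgoing request really carried
// "Authorization: Bearer ...". The token value itself is never stored.
type BearerCheck struct{ Seen bool }

func (b *BearerCheck) RoundTrip(req *http.Request) (*http.Response, error) {
	b.Seen = strings.HasPrefix(req.Header.Get("Authorization"), "Bearer ")
	return http.DefaultTransport.RoundTrip(req)
}

// ProbeSecureHandler performs the GET through rt and returns the outcome,
// rather than discarding the response and error as a bare client.Get does.
func ProbeSecureHandler(rt http.RoundTripper, url string) (ProbeResult, error) {
	client := &http.Client{
		Transport: rt,
		// Do not follow redirects: a 302 towards a login page is the finding.
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
	resp, err := client.Get(url)
	if err != nil {
		return ProbeResult{}, err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 200))
	return ProbeResult{resp.StatusCode, resp.Header.Get("Location"), strings.TrimSpace(string(body))}, nil
}

func main() {
	// Stand-alone use; with the oauth2 library, pass
	// &oauth2.Transport{Source: google.ComputeTokenSource(""), Base: &BearerCheck{}} instead.
	res, err := ProbeSecureHandler(http.DefaultTransport, "https://myapp.appspot.com/securehandler/search")
	fmt.Println(res, err)
}
```

If Seen stays false while the handler still answers 403, the token source never produced a token; if it is true, the handler received a bearer token and rejected it, which is the question's case.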