0
votes

We are porting an existing API to Cloud Run and would like to make use of the built-in IAM authentication features. This means generating a signed JWT for use as an Authorization Bearer token. There is documentation that describes how to do this for iOS, Android, and Web. However, it's not clear what the best approach for a CLI running on a user's local machine is.

What we have done in the past is use a Google user's local credentials to authorize with the API (using Application Default Credentials), but it's not clear to me how to generate the appropriate access_id from within Go. This only seems possible with a Service Account type, not an Authorized User type. The only way I've been able to obtain a valid access_id is by using the gcloud command.

gcloud config config-helper --format json

Other than shelling out to the above command, is there a more appropriate method for generating user credentials in a CLI for authorizing with a Cloud Run hosted service?

1
Can you link to the "Authorized User" type you mentioned in the question? I don't quite understand what it means. – Ahmet Alp Balkan

1 Answer

0
votes

Cloud Run uses OAuth 2.0 (OIDC) Identity Tokens for authorization. This is supported for both user accounts and service accounts. Where you would have used an OAuth Access Token in the Authorization: Bearer header, use the Identity Token.

To experiment, you can generate Identity Tokens with this command:

gcloud auth print-identity-token

With Cloud Run you will need to specify the audience value for the Identity Token. Details in the links below.

Here are some additional links to help you get started:

Articles that I wrote on Cloud Run Identity:

Google Cloud Run - Identity

Google Cloud – Go – Identity Based Access Control

Google Cloud Run Documents:

Google Cloud Run Service Identity

Google Cloud Run Authenticating end users
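The following is an added Go example, not code from the question, the answer, or Google's libraries. It shows the flow the answer describes for a CLI: obtain an identity token (here by shelling out to gcloud auth print-identity-token, as suggested above), sanity-check the token's audience and expiry locally so that a misconfigured token fails fast with a clear message instead of an opaque 401/403 from Cloud Run, and attach it as a Bearer token on the request. The service URL, the path, and the constructedToken helper (which mints an unsigned dummy JWT purely so the checks can be exercised offline) are assumptions for illustration; a real request needs gcloud on PATH and a logged-in account.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"os/exec"
	"strings"
	"time"
)

// idTokenClaims is the subset of OIDC identity-token claims the CLI inspects.
// Signature verification is Cloud Run's job (its IAM layer rejects bad tokens);
// the client only checks the claims that commonly cause a confusing rejection.
type idTokenClaims struct {
	Aud   json.RawMessage `json:"aud"` // RFC 7519 allows a string or an array
	Exp   int64           `json:"exp"`
	Email string          `json:"email"`
}

// audiences normalises the aud claim to a slice regardless of its JSON shape.
func (c *idTokenClaims) audiences() ([]string, error) {
	var one string
	if err := json.Unmarshal(c.Aud, &one); err == nil {
		return []string{one}, nil
	}
	var many []string
	if err := json.Unmarshal(c.Aud, &many); err != nil {
		return nil, errors.New("aud claim is neither a string nor an array")
	}
	return many, nil
}

// parseClaims splits a compact JWT and decodes its payload segment
// (base64url without padding, as RFC 7515 specifies).
func parseClaims(token string) (*idTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("expected 3 JWT segments, got %d", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var c idTokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("parse claims: %w", err)
	}
	return &c, nil
}

// checkToken rejects a token that has expired or was not minted for wantAud.
func checkToken(c *idTokenClaims, wantAud string, now time.Time) error {
	if c.Exp != 0 && now.Unix() >= c.Exp {
		return errors.New("identity token has expired; obtain a fresh one")
	}
	auds, err := c.audiences()
	if err != nil {
		return err
	}
	for _, a := range auds {
		if a == wantAud {
			return nil
		}
	}
	return fmt.Errorf("token audience %v does not match %q", auds, wantAud)
}

// identityTokenFromGcloud obtains a token the way the answer suggests, by
// shelling out to the gcloud CLI (must be on PATH with a logged-in account).
func identityTokenFromGcloud() (string, error) {
	out, err := exec.Command("gcloud", "auth", "print-identity-token").Output()
	if err != nil {
		return "", fmt.Errorf("gcloud auth print-identity-token: %w", err)
	}
	return strings.TrimSpace(string(out)), nil
}

// newAuthorizedRequest builds a GET to serviceURL+path carrying the identity
// token in the Authorization: Bearer header, after the local checks above.
func newAuthorizedRequest(serviceURL, path, token, wantAud string, now time.Time) (*http.Request, error) {
	claims, err := parseClaims(token)
	if err != nil {
		return nil, err
	}
	if err := checkToken(claims, wantAud, now); err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodGet, strings.TrimSuffix(serviceURL, "/")+path, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	return req, nil
}

// constructedToken mints an UNSIGNED test JWT with a dummy signature so the
// functions above can be exercised offline. Cloud Run would reject it.
func constructedToken(aud string, exp int64) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	payload, _ := json.Marshal(map[string]interface{}{
		"iss": "https://accounts.google.com", "aud": aud, "exp": exp, "email": "dev@example.com",
	})
	return header + "." + base64.RawURLEncoding.EncodeToString(payload) + ".dummysig"
}

func main() {
	service := "https://my-api-abc123-uc.a.run.app" // placeholder Cloud Run URL
	tok, err := identityTokenFromGcloud()
	if err == nil {
		var req *http.Request
		if req, err = newAuthorizedRequest(service, "/v1/items", tok, service, time.Now()); err == nil {
			var resp *http.Response
			if resp, err = http.DefaultClient.Do(req); err == nil {
				resp.Body.Close()
				fmt.Println(resp.Status)
			}
		}
	}
	if err != nil {
		fmt.Println("request failed:", err)
	}
}
```

The wantAud parameter is what the answer refers to as the audience value: for a service-account token minted for the service it is the service URL itself, while a user-account token from gcloud carries gcloud's own OAuth client ID as its audience, so pass whichever audience the token was actually issued for. The local check never replaces server-side verification; it only turns a silent audience or expiry mismatch into an actionable error before the request leaves the machine.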