2
votes

I have two services running on Google Compute Engine. The services are written in Go. Each of the services has a separate GCP service account. Can I use this service account to authenticate one service when calling the other one? Is there an API suitable for it?

I do not know how to verify the identity behind the access token. As pointed out in one of the answers, I cannot add custom permissions (role + resource) to GCP IAM.

There is a ton of documentation about authenticating Google Cloud Platform API calls but nothing about using service accounts to secure your own endpoints.

The point is, I don't want to manage two separate sets of permissions, one for the service accounts and another in KeyCloak or some other system.

Yes, using a Google Service Account for authorization is common. What problem are you having? Using a service account, create an OAuth Access Token. Include this token in the HTTP Authorization header. Verify the token on the other side. – John Hanley

I guess I misinterpreted Access Tokens; I thought they were issued on behalf of a user. In my case service A is using service B without a user initiating the action (let's say it's a cron job). – Paweł Szczur

More details on your design, language, etc. are required. There are three types of OAuth Tokens: Access, Refresh and Identity. You are interested in Access or Identity. Generally, Access Tokens are just fine for your use case. – John Hanley

In secure systems, as in you control both ends, using a Signed JWT is similar to using a service account. In fact a service account Access Token is derived from a Signed JWT. One side signs the JWT with a private key and the other side verifies the signature with the public key. You can then embed information into the JWT before signing. – John Hanley

In Google Cloud and most other systems, an Access Token is either a Signed JWT or an opaque token that represents a Signed JWT. OAuth has several grant types. User Credentials and Service Accounts are examples of inputs for different grant types. The Access Token is similar for both methods. It is the issuer (Google in this case) that determines what they represent and what they can be used for. In your case, you don't care about permission. – John Hanley

1 Answer

1
votes

but nothing about using service accounts to secure own endpoints.

I'm not sure I understand what you want to do. You can use the capabilities of a service account for your own checks.

To keep it simple, a service account is a private key and an email that identifies the caller. You can build a signed token with this information on the caller side.

On the receiver side, you take this token, validate the signature and extract the email of the calling service account. If it's OK, your call is authenticated!

If you want to check authorization, you have to check whether it has rights on your application. You can't have custom GCP permissions, so you have to maintain on the receiver side a database of permissions per email (user or service account).
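As an added illustration of the answer above (this is not code from the original page, from the asker's services, or from Google's libraries), here is a minimal Go round trip of what the answer describes: the caller signs a JWT with the service account's private key, the receiver verifies the signature with the matching public key, extracts the email claim, and consults its own permission table keyed by that email. The service account email, the audience URL and the permissions map are constructed example values, and the key pair is generated in process for the demo instead of being read from a service account key file.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims carried in the token. "email" names the calling service account and is
// what the receiver keys its permission table on. "aud" pins the token to one
// receiving service so a token minted for service B cannot be replayed to C.
type Claims struct {
	Email    string `json:"email"`
	Audience string `json:"aud"`
	IssuedAt int64  `json:"iat"`
	Expiry   int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignToken runs on the caller (service A): build header.payload and sign it
// with RS256 using the service account's private key.
func SignToken(priv *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyToken runs on the receiver (service B): check the signature with the
// caller's public key, then audience and expiry, and return the caller's email.
// The alg header is pinned to RS256 so a forged "alg":"none" token is rejected.
func VerifyToken(pub *rsa.PublicKey, token, wantAud string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	dec := base64.RawURLEncoding.DecodeString
	var hdr struct {
		Alg string `json:"alg"`
	}
	if hb, err := dec(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return "", errors.New("unexpected or unreadable header")
	}
	sig, err := dec(parts[2])
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("bad signature")
	}
	pb, err := dec(parts[1])
	if err != nil {
		return "", err
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return "", err
	}
	if c.Audience != wantAud {
		return "", errors.New("wrong audience")
	}
	if !now.Before(time.Unix(c.Expiry, 0)) {
		return "", errors.New("token expired")
	}
	return c.Email, nil
}

// permissions is the receiver's own authorization table keyed by service account
// email (custom permissions cannot be added to GCP IAM). Constructed example data.
var permissions = map[string]map[string]bool{
	"service-a@example-project.iam.gserviceaccount.com": {"reports:read": true},
}

// Authorize answers whether the authenticated caller holds a permission.
func Authorize(email, perm string) bool { return permissions[email][perm] }

func main() {
	// Demo only: a real caller loads the key from its service account JSON file.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok, err := SignToken(priv, Claims{
		Email:    "service-a@example-project.iam.gserviceaccount.com",
		Audience: "https://service-b.example.internal",
		IssuedAt: now.Unix(),
		Expiry:   now.Add(10 * time.Minute).Unix(),
	})
	if err != nil {
		panic(err)
	}
	email, err := VerifyToken(&priv.PublicKey, tok, "https://service-b.example.internal", now)
	fmt.Println("caller:", email, "err:", err, "reports:read:", Authorize(email, "reports:read"))
}
```

In production the receiver does not hold the caller's key itself: Google publishes each service account's X.509 certificates at https://www.googleapis.com/service_accounts/v1/metadata/x509/<email>, so the receiver fetches and caches them and picks the one the caller names in a kid header (omitted in the demo above). The audience check and the short expiry matter as much as the signature; without them a token captured from one service can be replayed against another, or replayed indefinitely.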