
I want to add a security definition to an API so that I can run it from Google Cloud Scheduler (using an OIDC token and a service account). My openapi.yml looks like this:

"/common/test":
  post:
    description: "test"
    operationId: "test"
    responses:
      200:
        description: "Success"
      400:
        description: "Fail"
    security:
      - service_account: []

securityDefinitions:
  service_account:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "xx@example.iam.gserviceaccount.com"
    x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/xx@example.iam.gserviceaccount.com"

But it fails when I call this API via Cloud Scheduler (using an OIDC token and a service account, xx@example.iam.gserviceaccount.com). The log view says 401 Unauthorized. How can I fix this error?

{
  httpRequest: { status: 401 }
  insertId: "1r9kx9lf2jy71o"
  jsonPayload: {
    @type: "type.googleapis.com/google.cloud.scheduler.logging.AttemptFinished"
    jobName: "projects/project-xxx/locations/us-central1/jobs/test"
    status: "UNAUTHENTICATED"
    targetType: "HTTP"
    url: "https://project-xxx.appspot.com/common/test/"
  }
  logName: "projects/project-xxx/logs/cloudscheduler.googleapis.com%2Fexecutions"
  receiveTimestamp: "2020-01-06T06:30:01.000238320Z"
  resource: {
    labels: {…}
    type: "cloud_scheduler_job"
  }
  severity: "ERROR"
  timestamp: "2020-01-06T06:30:01.000238320Z"
}
In the past I tried something similar with Cloud Functions and the authentication part was pretty vague. I suggest you debug it in the following way: 1) capture the OIDC token sent by the scheduler (use ngrok or log it somehow); 2) try to perform an authenticated call using Postman/curl following the JWT creation steps: cloud.google.com/endpoints/docs/openapi/… – I suspect that maybe the auth methods are not compatible. Before doing that, be sure you deployed the OpenID spec correctly as well. – Pievis

Does your service account have the proper roles to perform actions? Make sure that it has the Cloud Scheduler Agent role and the Cloud Functions Invoker role, as the error seems to be due to permissions. Aside from this, having the full status response you are getting would be helpful in order to give more advice. – rsalinas

@rsalinas I added the Stackdriver log to the post. – Rebecca Wijesooriya

Are you using ESP? If so, the request may be rejected by ESP. You can turn on debug by adding the ESP startup flag --enable_debug in your GKE deployment YAML file, and look at /var/log/nginx/error.log in the ESP container. – Wayne Zhang

1 Answer


OIDC (OpenID Connect) tokens from Cloud Scheduler are not compatible with OAuth2 authorization. OpenAPI v3 has added support for OIDC tokens.
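For comparison, here is an added example that is not part of the answer above or of the question's own spec: a complete OpenAPI 2 document whose security definition is written for the Google-signed OIDC ID token that Cloud Scheduler mints when a job is configured with "OIDC token" and a service account. The question's definition points x-google-issuer at the service account email and x-google-jwks_uri at the service account's x509 URL, which describes a JWT signed by the service account itself; a Cloud Scheduler OIDC token is instead signed by Google, so the issuer is https://accounts.google.com and the verification keys are Google's OIDC JWKS. The host and path are taken from the log in the question; the audience value is an assumption (Cloud Scheduler uses the job's target URL as the audience when none is set on the job), and an ESP/Cloud Endpoints front end is assumed to be the thing enforcing the definition.

```yaml
swagger: "2.0"
info:
  title: "test"
  version: "1.0.0"
host: "project-xxx.appspot.com"
schemes:
  - "https"
paths:
  "/common/test":
    post:
      description: "test"
      operationId: "test"
      security:
        - google_id_token: []
      responses:
        200:
          description: "Success"
        400:
          description: "Fail"
securityDefinitions:
  # Google-signed OIDC ID token, i.e. what Cloud Scheduler sends for a job
  # configured with an OIDC token and a service account. The token is signed
  # by Google, not by the service account, so the issuer and key set are
  # Google's, not the service account's x509 metadata URL.
  google_id_token:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://accounts.google.com"
    x-google-jwks_uri: "https://www.googleapis.com/oauth2/v3/certs"
    # Assumption: the job has no explicit audience, so Cloud Scheduler sets
    # aud to the target URL. The value here must match that string exactly.
    x-google-audiences: "https://project-xxx.appspot.com/common/test"
```

Two checks before deploying this. First, the audience comparison is an exact string match: the logged target URL in the question ends in a trailing slash ("/common/test/") while the OpenAPI path does not, so confirm which string the job actually sends as aud and use that. Second, this definition only establishes that the caller holds a valid Google-signed ID token for this audience; it does not pin the caller to xx@example.iam.gserviceaccount.com. Any principal that can mint an ID token for that audience would pass, so limit who can impersonate or run jobs as that service account, or additionally check the token's email claim in the backend.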