We're starting to migrate our GCP VMs to Google Cloud Object Storage, and I have noticed when running gcloud init or testing basic Storage access from our application it seems to connect to accounts.google.com which is an internet site.
It's our security policy to disallow all outbound internet access by default, with the idea that all calls to Google should leverage Google Private Access. Indeed the storage call itself uses https://storage.googleapis.com which resolves to the private 199.36.153.8/30 address block.
We have built a proxy for situations where Internet HTTP/HTTPS access is required (such as getting updates from 3rd party software), and while the application does support use of a proxy, it's an "all or nothing" configuration. Thus, all storage traffic would go via the proxy server which we don't want for a variety of reasons.
Is there any way to get around the accounts.google.com dependency when accessing GC storage?
Update December 2020:
I'm banned from posting replies on StackOverflow, but wanted to share that after a couple weeks of going back and forth with Google Support, I was informed this has already been logged as an undesirable behavior and is on the roadmap to change sometime in 2021.
googleapis.com. User accounts use Google Accounts endpoints. Even though the IP addresses for Google APIs and services are public, the traffic path from instances that are using Private Google Access to the Google APIs remains within Google's network.
– John Hanley
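The question and the comment above together describe an egress problem: storage.googleapis.com is reachable over Private Google Access, but user-account sign-in goes to accounts.google.com, which is outside that path, and an all-or-nothing proxy setting would push the storage traffic through the proxy too. The following Python script is an added example written for this page (not code from the question, the commenter, or Google); it audits, for a set of hosts a GCS workload contacts, whether a NO_PROXY-style exclusion would bypass the proxy and whether the resolved address sits inside a Private Google Access range, so the two concerns can be reasoned about separately. Assumptions: the DNS answers are constructed inline (a VPC private zone that points *.googleapis.com at the restricted VIP, and a TEST-NET address standing in for accounts.google.com); the 199.36.153.8/30 range comes from the question, while 199.36.153.4/30 (private.googleapis.com) and the metadata server 169.254.169.254 are well-known values added here; the proxy-bypass decision reuses the standard library's NO_PROXY suffix rules as a model of how a proxy-aware client behaves, which may differ from the asker's own application.

```python
"""Audit which Google endpoints a GCS workload reaches directly under Private
Google Access and which ones an all-or-nothing proxy would still carry."""
from ipaddress import ip_address, ip_network
from urllib.request import proxy_bypass_environment

# 199.36.153.8/30 is the restricted.googleapis.com VIP from the question.
# 199.36.153.4/30 (private.googleapis.com) and 169.254.169.254 (GCE metadata
# server) are well-known values added for this example; none of them are
# internet routes.
PRIVATE_GOOGLE_ACCESS_RANGES = (
    ip_network("199.36.153.8/30"),   # restricted.googleapis.com
    ip_network("199.36.153.4/30"),   # private.googleapis.com
)
METADATA_SERVER = ip_address("169.254.169.254")

# Constructed DNS answers (not real lookups) modelling a VPC private zone that
# maps *.googleapis.com to the restricted VIP. accounts.google.com is given a
# made-up TEST-NET address on purpose: it is not part of Private Google Access.
CONSTRUCTED_DNS = {
    "storage.googleapis.com": "199.36.153.8",
    "oauth2.googleapis.com": "199.36.153.10",       # service-account token endpoint
    "metadata.google.internal": "169.254.169.254",  # token source for a VM's service account
    "accounts.google.com": "203.0.113.10",          # user-account sign-in (constructed)
}


def classify_address(addr: str) -> str:
    """Say where an address lives: metadata server, Private Google Access VIP,
    or the public internet."""
    ip = ip_address(addr)
    if ip == METADATA_SERVER:
        return "metadata-server"
    if any(ip in net for net in PRIVATE_GOOGLE_ACCESS_RANGES):
        return "private-google-access"
    return "public-internet"


def bypasses_proxy(host: str, no_proxy: str) -> bool:
    """Apply the NO_PROXY suffix rules used by urllib (and most proxy-aware
    clients): an entry like '.googleapis.com' matches every sub-domain, an
    empty string matches nothing, '*' matches everything."""
    return proxy_bypass_environment(host, {"no": no_proxy})


def audit(dns: dict, no_proxy: str, default_deny_egress: bool = True) -> dict:
    """Return, per host, how its traffic would leave the VM."""
    verdicts = {}
    for host, addr in dns.items():
        location = classify_address(addr)
        if not bypasses_proxy(host, no_proxy):
            verdicts[host] = "via proxy"
        elif location == "public-internet":
            # Bypassing the proxy only helps if the destination is reachable
            # without internet egress; accounts.google.com is not.
            verdicts[host] = ("direct, blocked by default-deny egress"
                              if default_deny_egress else "direct to internet")
        else:
            verdicts[host] = f"direct via {location}"
    return verdicts


if __name__ == "__main__":
    print("All-or-nothing proxy (NO_PROXY empty):")
    for host, verdict in audit(CONSTRUCTED_DNS, "").items():
        print(f"  {host:26} {verdict}")
    print("Proxy excluded for Google endpoints:")
    for host, verdict in audit(CONSTRUCTED_DNS, ".googleapis.com,metadata.google.internal").items():
        print(f"  {host:26} {verdict}")
```

With an empty exclusion list every host, storage included, is reported as "via proxy", which is the situation the question describes. With `.googleapis.com,metadata.google.internal` excluded, storage and the service-account token endpoint stay on the Private Google Access path while only accounts.google.com is left for the proxy, which matches the comment's distinction between googleapis.com endpoints and Google Accounts endpoints used by user sign-in.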