We plan to build a web client (Angular) for our project. Our Backend will be a lot of google cloud run services. How can we make sure that these services can only be called by this web application? I understand that there are Service Account, which I can use to limit access to Cloud Run services, but how do I do that in a purely JavaScript application and without a logged in user. I just want to authenticate the application not the user. Any advise or samples?
0
votes
When you say "Javascript", you mean a website? Or a backend in Node? Do you know the users beforehand? If so, do they have a Google account?
– guillaume blaquiere
Yes, I mean a website and yes I know the users, but the question is can I restrict access to the run services even before a user logs in. So only allow this webclient is allowed to access the services at all. Is there something like "application authorization" before I do authentication. To make this simpler, can I somehow assign a service account to a website and this service account has the role "service invoker" on my service. So only a website with this service is account can call my run service.
– Salendron
1 Answers
0
votes
TL;DR: The application authentication and authorization level is managed by service account. But putting a service account key file in your Javascript app (and thus viewable by any user in their browser) is useless because your secret becomes public!
With Cloud Run, you have 2 mode: private and public
If public, no security, all the requests go to your Cloud Run service
If private, Google Front End check the identity of the requester and if they have the run.invoker permission. If so, the request pass through, else it's blocked.
For being authenticated, today, you need a service account. If you aren't on Google Cloud Platform (here in the browser of the users for example), you need a service account key file. But, if you put it in your website, it's not secure because anyone can take it and use it outside your website.
So, today, you can't do this: Either your Cloud Run is public, without any check, or private with authentication (and IAM authorization)
But, soon, at least in 2020 I hope, you should be able to put a load balancer in front of Cloud Run and to activate IAP on it. Thus, the users will be authenticated thanks to their Google account authentication cookie (SSO). However, in private mode in your browser, the user will be asked for being authenticated before going to the website. It's not authentication free, it's just authentication not manage by your own.
