0
votes

I am developing an application where I have hosted the frontend in Cloud Run: public access, no authentication.

Another Cloud Run service has the backend. This requires authentication and is not open to the public.

Of course, if I disable authentication on the backend service, everything works smoothly.

Is it possible to access the backend with authentication enabled from the frontend Cloud Run service?

Both the services are in the same serverless VPC.

2
This probably fits better on ServerFault, as it's an infrastructure question, not a programming question. That said: when you repost there, I think this needs more specifics. As written, it's fairly open-ended. - David Makogon
You can communicate from Cloud Run to Cloud Run. But your sentence "access the backend with authentication enabled from the frontend cloud run" lost me. What is your front-end Cloud Run? Can you describe it? - guillaume blaquiere
How can you know that both services are on the same VPC? - Alejandro Barone

2 Answers

2
votes

As captured in the official doc, the frontend can securely and privately invoke the backend by leveraging the Invoker IAM role:

  • Grant the service account of the frontend the Cloud Run Invoker IAM role.
  • When you issue a request from the frontend to the backend, you must attach an identity token to the request, see here for code examples

0
votes

To connect two Cloud Run applications privately, you need to obtain an identity token, and add it to the Authorization header of the outbound request of the target service. You can find documentation and examples here.

For Cloud Run service A (running with service account SA1) to be able to connect to private Cloud Run service B, you need to:

  1. Update IAM permissions of service B to give SA1 Cloud Run Invoker role (roles/run.invoker).

  2. Obtain an identity token (JWT) from metadata service:

curl -H "metadata-flavor: Google" \
      "http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=URL"

where URL is the URL of service B (i.e. https://*.run.app).

  3. Add header Authorization: Bearer TOKEN where TOKEN is the response obtained in the previous command.
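
The steps above from the calling service's side, as an added Python example (not code from this answer or from Google's documentation): it fetches the identity token from the metadata server, checks locally that the token's `aud` claim matches the backend URL, caches the token until shortly before expiry, and attaches it as a Bearer token. The host `backend-example.a.run.app`, the `BackendAuth` class and the 60-second refresh margin are assumptions made for illustration.

```python
import base64, json, time
import urllib.parse, urllib.request

# Metadata server identity endpoint; only reachable from inside Google Cloud.
METADATA_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                "instance/service-accounts/default/identity?audience=")

def fetch_id_token(audience, opener=urllib.request.urlopen):
    """Ask the metadata server for an identity token minted for `audience`."""
    req = urllib.request.Request(
        METADATA_URL + urllib.parse.quote(audience, safe=""),
        headers={"Metadata-Flavor": "Google"})
    with opener(req, timeout=5) as resp:
        return resp.read().decode().strip()

def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying it; Cloud Run does the real check."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

class BackendAuth:
    """Hypothetical helper: caches the token and refreshes it before expiry."""
    def __init__(self, backend_url, fetch=fetch_id_token, skew=60):
        self.backend_url = backend_url.rstrip("/")  # audience = service root URL
        self.fetch, self.skew = fetch, skew
        self.token, self.exp = None, 0

    def headers(self, now=None):
        now = time.time() if now is None else now
        if self.token is None or now >= self.exp - self.skew:
            token = self.fetch(self.backend_url)
            claims = jwt_claims(token)
            if claims.get("aud") != self.backend_url:   # catches a wrong audience early
                raise ValueError("token audience does not match backend URL")
            self.token, self.exp = token, claims["exp"]
        return {"Authorization": "Bearer " + self.token}

    def request(self, path):
        return urllib.request.Request(self.backend_url + path, headers=self.headers())

if __name__ == "__main__":
    # Constructed, unsigned token so the demo runs offline; not a real credential.
    def fake(aud):
        body = json.dumps({"aud": aud, "exp": time.time() + 3600}).encode()
        return "e30." + base64.urlsafe_b64encode(body).decode().rstrip("=") + ".sig"
    auth = BackendAuth("https://backend-example.a.run.app", fetch=fake)
    print(auth.request("/api").header_items())
```

If the frontend's service account lacks roles/run.invoker on the backend, the token is still issued but the backend rejects the call, so a local audience check does not replace the IAM binding in step 1.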