1
votes

I have 2 cloud run services:

The idea is that calculator-api is public and it's going to make requests to add-api. For some reason, I am getting a 403 when the add-api ingress is internal, but if I change the ingress to Allow all traffic, it works perfectly.

I am getting the IdToken correctly using the following code and then I just inject the token in the header Authorization: Bearer IdToken. My receiver add-api gives calculator-api the Cloud Run Invoker role.

GET request "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=https://add-api.a.run.app"

Header: {"Metadata-Flavor", "Google"}

So, I believe the problem is not the authentication but some kind of network limitation when the ingress is set to internal.

1
May I know if both services are on the same VPC network? Have you configured a Serverless VPC connector on your service? Please see this doc: cloud.google.com/run/docs/securing/ingress#internal-services – Dondi

1 Answer

2
votes

You need to create a serverless VPC connector in the same region as your calculator-api service, add it to your calculator-api service, and set the egress value to all.

The constraint for now is: the 2 services must be in the same project (or you need to perform VPC peering to achieve this).
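The following is an added example, not code from the question or the answer, that covers both halves of this thread: first the token check from the question (mint an ID token from the metadata server and confirm its `aud` claim is the callee URL, which rules out the authentication path as the cause of the 403), then the fix from the answer (attach a Serverless VPC Access connector to the caller and route all of its egress through it). PROJECT_ID, REGION, CONNECTOR, CALLER_SA and the 10.8.0.0/28 connector range are placeholders; the only values taken from the thread are the service names and https://add-api.a.run.app. The diagnostic functions work offline on any JWT; `fetch_identity_token` only works inside a Cloud Run container, and `configure_internal_egress` needs gcloud with permissions on the project.

```shell
#!/bin/sh
# Added example: diagnose and fix a 403 between a public Cloud Run service
# (calculator-api) and one with internal ingress (add-api).
# All values below are placeholders/assumptions except the two service names
# and the add-api URL taken from the question.
PROJECT_ID="${PROJECT_ID:-my-project}"      # assumption
REGION="${REGION:-us-central1}"             # assumption
CONNECTOR="${CONNECTOR:-run-connector}"     # assumption
CALLER="calculator-api"
CALLEE="add-api"
CALLEE_URL="${CALLEE_URL:-https://add-api.a.run.app}"
CALLER_SA="${CALLER_SA:-calculator-api@my-project.iam.gserviceaccount.com}"  # assumption

# Metadata-server URL that returns an ID token minted for AUDIENCE ($1).
identity_token_url() {
  printf 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=%s\n' "$1"
}

# Fetch the ID token; only works inside the calling Cloud Run container.
fetch_identity_token() {
  curl -sS -H 'Metadata-Flavor: Google' "$(identity_token_url "$1")"
}

# Decode a base64url segment (JWTs drop the '=' padding and use '-' and '_').
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Print the "aud" claim of a JWT. This is a diagnostic read of the payload,
# not signature verification; Cloud Run verifies the signature on its side.
jwt_aud() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload" | sed -n 's/.*"aud" *: *"\([^"]*\)".*/\1/p'
}

# Return 0 when the token ($1) was minted for the callee URL ($2), else 1.
# A wrong audience also yields a 403, so this separates auth from ingress issues.
check_token_audience() {
  aud=$(jwt_aud "$1")
  if [ "$aud" = "$2" ]; then
    echo "audience ok: $aud"
    return 0
  fi
  echo "audience mismatch: token has '$aud', expected '$2'" >&2
  return 1
}

# Call the callee with the bearer token ($1) and print only the HTTP status.
# The request path depends on your API; the service root is used here.
call_callee() {
  curl -sS -o /dev/null -w '%{http_code}\n' \
    -H "Authorization: Bearer $1" "$2"
}

# The fix from the answer: create a connector in the caller's region, attach it
# to the caller and send ALL egress through it, so add-api (ingress=internal)
# sees the request as coming from inside the VPC. Both services must be in the
# same project. The IAM binding keeps add-api invocable only by the caller's identity.
configure_internal_egress() {
  gcloud compute networks vpc-access connectors create "$CONNECTOR" \
    --project "$PROJECT_ID" --region "$REGION" \
    --network default --range 10.8.0.0/28
  gcloud run services update "$CALLER" \
    --project "$PROJECT_ID" --region "$REGION" \
    --vpc-connector "$CONNECTOR" --vpc-egress all-traffic
  gcloud run services update "$CALLEE" \
    --project "$PROJECT_ID" --region "$REGION" --ingress internal
  gcloud run services add-iam-policy-binding "$CALLEE" \
    --project "$PROJECT_ID" --region "$REGION" \
    --member "serviceAccount:$CALLER_SA" --role roles/run.invoker
}

# Usage: ./internal_ingress.sh diagnose   (run inside calculator-api)
#        ./internal_ingress.sh fix        (run from a workstation with gcloud)
case "${1:-}" in
  diagnose)
    tok=$(fetch_identity_token "$CALLEE_URL")
    check_token_audience "$tok" "$CALLEE_URL" && call_callee "$tok" "$CALLEE_URL"
    ;;
  fix)
    configure_internal_egress
    ;;
esac
```

Two caveats worth knowing before running `fix`: with `--vpc-egress all-traffic` every outbound request from calculator-api, including to public Internet hosts, now leaves through the VPC, so a Cloud NAT gateway is needed if the service also talks to external endpoints; and the `audience` you request from the metadata server must be the callee's own run.app URL exactly, otherwise add-api rejects the token with a 403 that looks identical to the ingress rejection.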