How to call Cloud Run from outside Cloud Run / GCP?

Time: 2020-05-04 20:52:41

Tags: google-cloud-run google-iap

I have a simple Spring Boot service 'say-hi' that accepts GET requests under /say-hi and returns 'hello'. It is deployed on managed Cloud Run. Suppose I don't want to open it to the public. Now I want to do two things:
1. allow developers (myself) to access 'say-hi'
2. allow another Spring Boot service outside Cloud Run to call 'say-hi'

For my goal 1:

Strangely, the curl command does not work, but Insomnia works fine. Basically, I followed the doc and added my own Google account to roles/run.invoker, but the curl command shows Network is unreachable:

curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" http://say-hi-0-1-0-q6g2cgbzna-ew.a.run.app:8080/say-hi -v

Error:

*   Trying 216.239.36.53...
*   Trying 2001:4860:4802:36::35...
* Immediate connect fail for 2001:4860:4802:36::35: Network is unreachable
*   Trying 2001:4860:4802:36::35...
* Immediate connect fail for 2001:4860:4802:36::35: Network is unreachable
*   Trying 2001:4860:4802:36::35...
* Immediate connect fail for 2001:4860:4802:36::35: Network is unreachable

However, if I run gcloud auth print-identity-token separately first to get the token, and then send the GET request from the Insomnia client, it works... I wonder why...

For my goal 2, I assume the relevant discussion is here. Does this mean that if I want to access 'say-hi' from outside managed Cloud Run (from my own laptop and from other GKE instances), I need to enable IAP for my project? If so, how do I integrate Cloud Run with IAP?

1 answer:

Answer 0 (score: 2)

After a whole day of searching and reading, I finally got a working version. The documentation Google Cloud Run gives for service-to-service authentication really misled me into thinking of IAP, and the code here left some things unclear. It turns out that to call a Cloud Run service I don't need IAP at all. Many thanks to this blog, from which I took the solution.

  import java.io.FileInputStream;
  import java.io.IOException;
  import com.google.api.client.http.GenericUrl;
  import com.google.api.client.http.HttpRequest;
  import com.google.api.client.http.HttpResponse;
  import com.google.api.client.http.HttpTransport;
  import com.google.api.client.http.javanet.NetHttpTransport;
  import com.google.auth.http.HttpCredentialsAdapter;
  import com.google.auth.oauth2.IdTokenCredentials;
  import com.google.auth.oauth2.ServiceAccountCredentials;
  import org.springframework.http.HttpStatus;
  import org.springframework.http.ResponseEntity;
  import org.springframework.web.bind.annotation.PostMapping;

  // Fields of the calling controller; TARGET_AUDIENCE is the deployed Cloud Run service URL (placeholders)
  private static final String TARGET_AUDIENCE = "https://<service>-<hash>-ew.a.run.app";
  private static final String SERVICE_ACCOUNT_JSON_KEY_PATH = "/path/to/service-account-key.json";
  private final HttpTransport httpTransport = new NetHttpTransport();

  @PostMapping(value="/call-say-hi")
  public ResponseEntity<String> callSayHi() throws IOException {
    // Service account that holds roles/run.invoker on the target service
    ServiceAccountCredentials serviceAccountCredentials =
        ServiceAccountCredentials.fromStream(new FileInputStream(SERVICE_ACCOUNT_JSON_KEY_PATH));
    // Mint a Google-signed ID token (no OAuth scope needed) whose "aud" claim is the service URL
    IdTokenCredentials idTokenCredentials = IdTokenCredentials.newBuilder()
        .setIdTokenProvider(serviceAccountCredentials)
        .setTargetAudience(TARGET_AUDIENCE)
        .build();
    GenericUrl genericUrl = new GenericUrl(TARGET_AUDIENCE + "/say-hi");
    // The adapter attaches "Authorization: Bearer <id token>" to every request it initializes
    HttpCredentialsAdapter adapter = new HttpCredentialsAdapter(idTokenCredentials);
    HttpRequest request = httpTransport.createRequestFactory(adapter).buildGetRequest(genericUrl);
    request.setThrowExceptionOnExecuteError(false); // return 401/403 bodies instead of throwing
    HttpResponse response = request.execute();
    String r = response.parseAsString();
    System.out.println(r);
    return ResponseEntity.status(HttpStatus.OK).body(r);
  }

where TARGET_AUDIENCE is the deployed Cloud Run service URL
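The same service-to-service call, as an added example that is not part of the answer above: it takes the caller identity from Application Default Credentials instead of a service-account JSON key on disk (on GKE or Cloud Run that is the attached service account, so no key file has to be shipped), sets the ID-token audience to the target service URL, and surfaces a 401/403 as a permission or audience problem. It assumes google-auth-library-java and google-http-client on the classpath; the SAY_HI_URL environment variable and the class name are my own choices.

```java
import java.io.IOException;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpRequest;
import com.google.api.client.http.HttpResponse;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.auth.http.HttpCredentialsAdapter;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.IdTokenCredentials;
import com.google.auth.oauth2.IdTokenProvider;

public class SayHiClient {

  /** Build ID-token credentials for the target service from Application Default Credentials. */
  static IdTokenCredentials idTokenCredentialsFor(String serviceUrl) throws IOException {
    GoogleCredentials adc = GoogleCredentials.getApplicationDefault();
    // On GKE/Cloud Run, ADC resolves to the attached service account, which can mint ID tokens.
    // Not every credential type implements IdTokenProvider, so fail clearly rather than
    // sending a token the service will reject with 401.
    if (!(adc instanceof IdTokenProvider)) {
      throw new IllegalStateException("ADC of type " + adc.getClass().getSimpleName()
          + " cannot mint ID tokens; run under a service account");
    }
    return IdTokenCredentials.newBuilder()
        .setIdTokenProvider((IdTokenProvider) adc)
        .setTargetAudience(serviceUrl) // "aud" must equal the deployed service URL exactly
        .build();
  }

  /** GET {serviceUrl}/say-hi with a Bearer ID token; returns "<status> <body>". */
  static String callSayHi(String serviceUrl) throws IOException {
    HttpCredentialsAdapter adapter = new HttpCredentialsAdapter(idTokenCredentialsFor(serviceUrl));
    HttpRequest request = new NetHttpTransport().createRequestFactory(adapter)
        .buildGetRequest(new GenericUrl(serviceUrl + "/say-hi"));
    request.setThrowExceptionOnExecuteError(false);
    HttpResponse response = request.execute();
    // 401/403 here means the caller identity lacks roles/run.invoker on the service,
    // or the token audience does not match the service URL.
    return response.getStatusCode() + " " + response.parseAsString();
  }

  public static void main(String[] args) throws IOException {
    // Assumed env var holding the service URL, e.g. https://say-hi-<hash>-ew.a.run.app
    String serviceUrl = System.getenv("SAY_HI_URL");
    System.out.println(callSayHi(serviceUrl));
  }
}
```

Run it with `gcloud auth application-default login` on a laptop or with the workload's attached service account on GKE; either way the identity that calls the service is the one that must hold roles/run.invoker.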