Problem description
I have a simple Spring Boot service 'say-hi' that takes a GET request under /say-hi and returns 'hello'. It's deployed in managed Cloud Run. Suppose I don't want to open it to the general public. Now I want to do two things:
1. allow a developer (myself) to access 'say-hi'
2. allow another Spring Boot service outside of Cloud Run to be able to make the call to 'say-hi'
For my goal 1:
Weird thing is that the curl command doesn't work, but Insomnia works fine. Basically, I followed the doc, I added my Google account to roles/run.invoker, but the curl command says Network is unreachable:
curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" http://say-hi-0-1-0-q6g2cgbzna-ew.a.run.app:8080/say-hi -v
Errors:
* Trying 216.239.36.53...
* Trying 2001:4860:4802:36::35...
* Immediate connect fail for 2001:4860:4802:36::35: Network is unreachable
* Trying 2001:4860:4802:36::35...
* Immediate connect fail for 2001:4860:4802:36::35: Network is unreachable
* Trying 2001:4860:4802:36::35...
* Immediate connect fail for 2001:4860:4802:36::35: Network is unreachable
However, if I run gcloud auth print-identity-token separately to get the token first and then send the GET request from the Insomnia client, it works... I'm wondering why...
For my goal 2: I assume the right section to look at is here. Does this mean that if I wanted to access 'say-hi' from outside of managed Cloud Run (both from my own laptop and from other GKE instances), I need to have IAP enabled for my project? If yes, how do I integrate Cloud Run with IAP?
Recommended answer
After a long day of searching and reading, I finally got a working version. The service-to-service authentication doc given by Google Cloud Run was really misleading me towards IAP, and the code there left a few places unclarified. It turned out that to call a Cloud Run service, I didn't need IAP at all. Big thanks to this blog, where I grabbed the solution from.
import com.google.api.client.http.*;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.auth.http.HttpCredentialsAdapter;
import com.google.auth.oauth2.IdTokenCredentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
import java.io.FileInputStream;
import java.io.IOException;
import org.springframework.http.*;
import org.springframework.web.bind.annotation.PostMapping;

// Placeholders: key file of the calling service account, and the deployed Cloud Run service URL
private static final String SERVICE_ACCOUNT_JSON_KEY_PATH = "/path/to/service-account-key.json";
private static final String TARGET_AUDIENCE = "https://say-hi-<hash>-ew.a.run.app";
private static final HttpTransport httpTransport = new NetHttpTransport();

@PostMapping(value = "/call-say-hi")
public ResponseEntity<String> callSayHi() throws IOException {
    // Load the service account key; minting an ID token needs no OAuth scope, so createScoped() is not required
    ServiceAccountCredentials serviceAccountCredentials =
            ServiceAccountCredentials.fromStream(new FileInputStream(SERVICE_ACCOUNT_JSON_KEY_PATH));
    // Mint an ID token whose audience is the Cloud Run service URL; Cloud Run verifies that claim
    IdTokenCredentials idTokenCredentials = IdTokenCredentials.newBuilder()
            .setIdTokenProvider(serviceAccountCredentials)
            .setTargetAudience(TARGET_AUDIENCE)
            .build();
    GenericUrl genericUrl = new GenericUrl(TARGET_AUDIENCE + "/say-hi");
    // The adapter attaches "Authorization: Bearer <ID token>" to every request it builds
    HttpCredentialsAdapter adapter = new HttpCredentialsAdapter(idTokenCredentials);
    HttpRequest request = httpTransport.createRequestFactory(adapter).buildGetRequest(genericUrl);
    request.setThrowExceptionOnExecuteError(false); // return non-2xx bodies instead of throwing
    HttpResponse response = request.execute();
    String r = response.parseAsString();
    System.out.println(r);
    return ResponseEntity.status(HttpStatus.OK).body(r);
}
Where TARGET_AUDIENCE is the deployed Cloud Run service URL.
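Both the curl attempt in the question and the answer's code hinge on the ID token's aud claim matching the Cloud Run service URL. The following is an added example, not code from the question, the answer or the blog it cites: a small POSIX shell script that decodes a token's payload offline and checks its aud against the expected URL. The service URL, the service account e-mail and the sample token are constructed placeholders; a real token from gcloud auth print-identity-token can be passed as the first argument.

```shell
#!/bin/sh
# Added example, not code from the original post: decode the claims of a Google ID token
# locally and confirm its "aud" equals the Cloud Run service URL before sending it.
# Assumes a POSIX shell with coreutils base64, tr, cut and sed; needs no network or gcloud.

# Encode to base64url (used only to build the constructed sample token below).
b64url_encode() {
    printf '%s' "$1" | base64 | tr -d '=\n' | tr '+/' '-_'
}

# Decode one base64url JWT segment: restore +/ and the stripped '=' padding.
b64url_decode() {
    seg=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# Print the decoded payload (second dot-separated segment) of a JWT.
jwt_payload() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Extract one string-valued claim from the payload without a jq dependency.
jwt_claim() {
    jwt_payload "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Succeed only when the token was minted for the given service URL. Cloud Run only
# accepts ID tokens minted for its own URL; this compares the claim as an exact string.
check_audience() {
    [ "$(jwt_claim "$1" aud)" = "$2" ]
}

# Constructed sample token: placeholder service URL, dummy (unverified) signature.
SAMPLE_AUDIENCE="https://say-hi-abc123-ew.a.run.app"
SAMPLE_PAYLOAD="{\"aud\":\"$SAMPLE_AUDIENCE\",\"iss\":\"https://accounts.google.com\",\"email\":\"caller@example.iam.gserviceaccount.com\"}"
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","typ":"JWT"}').$(b64url_encode "$SAMPLE_PAYLOAD").c2lnbmF0dXJl"

# Stand-alone run: check the sample token, or a real token and URL given as arguments.
TOKEN="${1:-$SAMPLE_TOKEN}"; AUDIENCE="${2:-$SAMPLE_AUDIENCE}"
if check_audience "$TOKEN" "$AUDIENCE"; then
    echo "aud matches $AUDIENCE (issued by $(jwt_claim "$TOKEN" iss) for $(jwt_claim "$TOKEN" email))"
else
    echo "aud mismatch: token has '$(jwt_claim "$TOKEN" aud)', expected '$AUDIENCE'" >&2
fi
```

The script only inspects claims; it does not verify the signature, so it is a local sanity check before the call, not a substitute for the verification Cloud Run performs.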