README
¶
Cloud Run Proxy
An App Engine app that is a reverse proxy for a Cloud Run service.
Deployment
Create an app.yaml file as described in crproxy.go. Then run
gcloud app deploy
Testing
Use gcloud's dev_appserver.py or deploy to a separate environment.
Auth
Authentication is done by the IAP (Identity-Aware Proxy). It should be restricted to members who need to access the Cloud Run service.
Since IAP does not allow fine-grained access control, this app implements a simple path-based authorization scheme described in auth.go. The ACLs for this scheme are stored in the default Firestore database in the auth collection. Modify the auth mappings when the set of users or URL paths changes.
When a user is added or removed, edit the "auth/users" Firestore document. Adding a user involves adding a new field with the user's email address. The value of the field is the user's role:
- "reader" for read-only access.
- "writer" for the ability to make changes, like setting the log level.
- "admin" for access to all paths.
The default is "reader", so users with reader access don't need to be added.
Adding a path involves editing the "auth/paths" Firestore document. The new field's name is the path, and the value is the minimum user role that can access the path. The default minimum is "admin". Use "reader" for paths that only read information, "writer" for paths that change the service's state, and "admin" for paths that make serious changes.
Documentation
¶
Overview ¶
Crproxy is an AppEngine service that proxies requests to a Cloud Run service.
The app.yaml for this service should specify two environment variables: CLOUD_RUN_HOST, the hostname of the Cloud Run service; and JWT_AUDIENCE, the JWT audience code for the App Engine service, which can be found on https://console.corp.google.com/security/iap in the dropdown menu to the right of the App Engine row.
An example of a complete app.yaml is:
runtime: go122
env_variables:
CLOUD_RUN_HOST: my-cloud-run-service.run.app
JWT_AUDIENCE: my-jwt-audience
Source Files