I have a REST API hosted in Google App Engine. (The API lives in a Docker container in the Flexible environment.)

I need to support only internal API calls (from another service in the same App Engine project) and, for developer testing, be able to call it directly (I don't want user authentication, but I should still be able to access it using the application_default_credentials... I'm just unsure how).

Can you direct me to documentation or examples of how to set this up?
The Google documentation is very lacking.

north.mister
  • Somehow related (minus the cron-specific stuff), check out the 1st bullet in this [answer](https://stackoverflow.com/questions/45363766/cron-job-in-google-app-engine-not-working/45363938#45363938). I'm not actually using flex env, so YMMV. Worth a try, I'd say. – Dan Cornilescu Aug 03 '17 at 22:05
  • So while that does secure it (gives a 403 forbidden now), there isn't documentation on how to allow server to server communication. All the reading I've done suggests that setting `login: admin` will also require other servers to login as admin accounts. – north.mister Aug 04 '17 at 18:05
  • Hm, `login: admin` is supposed to allow access from the same GAE app (different services, for example)... But it won't allow other servers outside the app, so if you need that kind of access you need to re-consider the approach - pretty much you *have* to use authentication and you need to implement yourself the "internal" access control. Personally I'd drop the manual testing requirement, or rather funnel it through another service of the app itself somehow, so that I can keep the simpler `login: admin` solution. – Dan Cornilescu Aug 04 '17 at 18:23

1 Answer

You have several options, including the following:

The App Engine documentation states that the recommended approach is OAuth for microservices that require authentication.

A second option is to use Cloud Endpoints with service account authentication.

Third, you can use Identity-Aware Proxy to secure the server. Clients can get an identity token from the metadata server.

John L
  • Haha, thanks for the reply (3 years later). We ended up going forward with Kubernetes and using an api gateway in front of that. – north.mister Oct 07 '20 at 05:33
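The third option in the answer (caller obtains a Google-signed identity token from the metadata server, the API verifies it) is the one that fits the question best, because no key material has to live in the container and a developer can produce the same kind of token locally. The block below is an added example, not code from the question or the answer. It assumes the caller runs on App Engine Flex or another Compute-backed runtime where the metadata server is reachable, that the server side verifies signatures with the google-auth library (`google.oauth2.id_token.verify_token`, which needs network access to fetch Google's public keys), and it uses made-up names for the audience and the allowed service account. The policy checks after signature verification (`iss`, `aud`, `exp`, `email_verified`, caller allowlist) are separated out so they can be exercised offline.

```python
"""Service-to-service auth for an App Engine Flex API with Google identity (OIDC) tokens.

Added example; assumptions:
  - caller side: the GCE/App Engine metadata server is reachable,
  - server side: signature verification is delegated to google-auth
    (pip install google-auth); that call needs network access,
  - audience URL and service-account email below are placeholders.
"""
import time
import urllib.parse
import urllib.request

METADATA_IDENTITY_URL = (
    "http://metadata.google.internal/computeMetadata/v1/instance/"
    "service-accounts/default/identity"
)
# Google-issued ID tokens carry one of these two issuer values.
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


def _urllib_get(url, headers):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def fetch_identity_token(audience, http_get=None):
    """Caller side: ask the metadata server for an ID token minted for `audience`
    (the URL of the API being called). Only the Metadata-Flavor header is needed;
    the platform signs the token with the instance's default service account."""
    url = METADATA_IDENTITY_URL + "?" + urllib.parse.urlencode(
        {"audience": audience, "format": "full"})
    http_get = http_get or _urllib_get
    return http_get(url, {"Metadata-Flavor": "Google"}).strip()


def check_claims(claims, expected_audience, allowed_emails, now=None):
    """Server side, after signature verification: enforce policy on the claims.
    Returns the caller's service-account email or raises PermissionError.
    Checking `aud` is what stops a token issued for some other API from being
    replayed against this one."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise PermissionError("unexpected issuer")
    if claims.get("aud") != expected_audience:
        raise PermissionError("token was minted for a different audience")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if not claims.get("email_verified"):
        raise PermissionError("caller identity not verified by Google")
    email = claims.get("email", "")
    if email not in allowed_emails:
        raise PermissionError("%s is not an allowed caller" % email)
    return email


def bearer_token(headers):
    """Extract the token from an 'Authorization: Bearer <token>' header, if any."""
    auth = headers.get("Authorization") or headers.get("authorization") or ""
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def _google_verify(token, audience):
    # verify_token validates the signature against Google's published keys and
    # checks exp/aud; check_claims re-checks aud and adds the caller allowlist.
    from google.oauth2 import id_token
    from google.auth.transport import requests
    return id_token.verify_token(token, requests.Request(), audience=audience)


def authorize(headers, expected_audience, allowed_emails, verify=None):
    """Full server-side gate for one incoming request: extract the bearer token,
    verify Google's signature, then apply check_claims."""
    token = bearer_token(headers)
    if token is None:
        raise PermissionError("missing bearer token")
    verify = verify or _google_verify
    claims = verify(token, expected_audience)
    return check_claims(claims, expected_audience, allowed_emails)


if __name__ == "__main__":
    # Caller-side usage on App Engine Flex (placeholder audience URL):
    API_URL = "https://api-dot-my-project.appspot.com"
    token = fetch_identity_token(API_URL)
    print("Authorization: Bearer " + token[:12] + "...")
```

The calling service sends `Authorization: Bearer <token>` on every request; the API runs `authorize()` with its own URL as the audience and a set containing the caller service's default service-account email. For the developer-testing requirement in the question, the same server-side check accepts a token produced locally with `gcloud auth print-identity-token --impersonate-service-account=<caller-sa> --audiences=<API_URL>` (assuming the developer has been granted Service Account Token Creator on that service account), so no separate code path or weakening of the check is needed for manual testing.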