
I am implementing micro-services on the Google App Engine standard environment. I need to call one micro-service from another using URLFetch. For this I have to have some authentication mechanism in place so that only a micro-service in the same project can call this API.

It can be achieved using task queues but that is not useful for my scenario.

I followed this link (How to secure connection between different GAEs?): if we verify the X-Appengine-Inbound-Appid header then this can be achieved. I am curious whether we can make this more secure using service accounts.

The links below refer to it: https://cloud.google.com/appengine/docs/standard/python/communicating-between-services https://cloud.google.com/docs/authentication/production

but I did not find clear instructions to achieve it. Is anyone using this approach for authentication?

Abhilasha
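The header check the question mentions, written out as an added example (it is not code from the question or from either answer): a WSGI middleware that admits a request only when X-Appengine-Inbound-Appid exactly matches an allowlist of app IDs. The allowlist values and the `hello_app` handler are constructed for the example; the code runs on both Python 2 and 3.

```python
# Added example: allowlist check on X-Appengine-Inbound-Appid for a WSGI app.
# The header is only trustworthy when the receiving app runs on App Engine,
# which strips client-supplied X-Appengine-* headers from external requests;
# the calling app must also issue its URLFetch with follow_redirects=False,
# otherwise App Engine does not attach the header.

ALLOWED_APP_IDS = frozenset({"billing-service", "frontend-app"})  # constructed sample IDs


def caller_app_id(environ):
    """Return the inbound app id from a WSGI environ, or None if absent/empty.

    WSGI exposes HTTP headers as HTTP_<NAME> with dashes replaced by
    underscores, so X-Appengine-Inbound-Appid is HTTP_X_APPENGINE_INBOUND_APPID.
    """
    value = environ.get("HTTP_X_APPENGINE_INBOUND_APPID", "").strip()
    return value or None


def is_trusted_caller(environ, allowed=ALLOWED_APP_IDS):
    """Exact, case-sensitive set membership: no prefix or substring matching."""
    app_id = caller_app_id(environ)
    return app_id is not None and app_id in allowed


def require_inbound_appid(app, allowed=ALLOWED_APP_IDS):
    """Wrap a WSGI app so that untrusted callers get 403 before reaching it."""
    def guarded(environ, start_response):
        if not is_trusted_caller(environ, allowed):
            body = b"forbidden: caller is not an allowed App Engine app\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return guarded


def hello_app(environ, start_response):
    """Constructed protected endpoint standing in for the real micro-service."""
    body = b"ok\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def status_for(environ, allowed=ALLOWED_APP_IDS):
    """Drive the guarded app with a capturing start_response; return the status line."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    list(require_inbound_appid(hello_app, allowed)(environ, start_response))
    return captured["status"]
```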

2 Answers

0

This link [1] that you mentioned has clear instructions along with code examples in Python (click the Python tab) to achieve your objective. The documentation shows how to create a service account, assign it a role with the associated permissions, and provide the credentials to your application.

The code examples showcase how you can have an App interact with the Cloud Storage micro-service. If you get an error while following the examples, please provide the error details.

[1] https://cloud.google.com/docs/authentication/production

PYB
  • Hi, thanks for the reply. To be sure: to communicate between two micro-services within the same App Engine project, can we use a signed message with our private key? https://cloud.google.com/appengine/docs/standard/python/appidentity/#asserting_identity_to_third-party_services – Abhilasha Aug 27 '19 at 17:50
  • The link you provided refers to a proprietary App Engine API, which is not available with Python 3. The authentication processes are therefore different, and rely on managed services instead. This link [1] explains those differences. Are you using Python 2 or 3? [1] https://cloud.google.com/appengine/docs/standard/python3/python-differences#changes_to_the_app_engine_standard_environment – PYB Aug 28 '19 at 00:19
  • I am using Python 2 but will soon move to Python 3. Is there a way that is applicable to both of them, so that I do not have to refactor again for Python 3? – Abhilasha Aug 28 '19 at 05:08
  • Setting the environment variable GOOGLE_APPLICATION_CREDENTIALS will work for both [1]. The way you then refer to that variable will be different for both though, depending on which services you want to connect your App Engine instances to. Please note that Python 2.7 will be deprecated on January 1st, 2020 [2]. [1] https://cloud.google.com/docs/authentication/production#setting_the_environment_variable [2] https://www.python.org/dev/peps/pep-0373/ – PYB Aug 28 '19 at 21:35
0

One option would be to enable Cloud Identity-Aware Proxy (IAP) for your App Engine applications. You can then authenticate programmatically using a service account. This would allow one App Engine app to call another protected by IAP in an authenticated manner.

Tyler Treat