
I have a Flask application deployed on Cloud Run on Anthos. The endpoint looks like this: http://example.<IP>.xip.io, under the service name military-govt-id. It was deployed successfully on a GKE cluster. Now I want to add Istio authentication. The problem is that when I try to access the application with a service account that has the proper role binding, it gives me an unauthorized access error. I have followed the documentation here [1], looked through the examples here [2], and also contacted Google Cloud Support for assistance. We have isolated the issue and it seems the authenticationpolicy.yaml file has not been written properly, but neither they nor I know which fields are incorrect. Could someone provide assistance with this? We have tried many different combinations, and all of them give the same unauthorized access error when calling the API.

authenticationpolicy.yaml:

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default
  namespace: api          # a Policy with no targets applies to every workload in the "api" namespace
spec:
  origins:
  - jwt:
      issuer: "https://securetoken.google.com"                # must equal the token's iss claim
      audiences:
      - "military-govt-id"                                    # the token's aud claim must contain one of these
      jwksUri: "https://www.googleapis.com/oauth2/v3/certs"   # key set used to verify the token signature
      jwt_headers:
      - "x-goog-iap-jwt-assertion"                            # request header the token is read from
  principalBinding: USE_ORIGIN                                # the JWT subject becomes the request principal

[1] https://cloud.google.com/solutions/authorizing-access-to-cloud-run-on-gke-services-using-istio
[2] https://archive.istio.io/v1.2/docs/reference/config/istio.authentication.v1alpha1/#Jwt

Riley Hun
  • I believe that you may be missing some details in your `origins`, check out the following [GitHub repository](https://github.com/GoogleCloudPlatform/cloud-run-samples/blob/master/identity-platform/gke/istio/authenticationpolicy.template.yaml). The following [documentation](https://cloud.google.com/solutions/authenticating-cloud-run-on-gke-end-users-using-istio-and-identity-platform#add_an_istio_authentication_policy) can also give you an idea about creating an Istio authentication policy. – sllopis Apr 23 '20 at 12:13
  • The yaml itself looks fine to me, which makes me wonder what your requests look like. Did they have a JWT in the header `x-goog-iap-jwt-assertion`? Was it issued by "https://securetoken.google.com" and did it have the audience "military-govt-id"? It would help if you could confirm that first. You can debug your JWTs at https://jwt.io/ – shou3301 Apr 23 '20 at 14:50
  • Ok - I took a look at jwt.io and after pasting my JWT token, I can confirm that the payload looks good to me and has the fields that are specified in the authorization.yaml file. – Riley Hun Apr 23 '20 at 20:44
  • Sorry that didn't help. Maybe try https://archive.istio.io/v1.2/docs/ops/security/end-user-auth/ – shou3301 Apr 23 '20 at 21:25
  • Consider adding it as an answer :) – ahmet alp balkan Apr 23 '20 at 21:30
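The comments above boil down to one check: does the request carry a JWT in the header the policy names, and do that token's iss and aud claims match the policy's issuer and audiences (and is it unexpired)? The script below is an added example, not code from the question, the Google samples, or Istio; it embeds the values from the posted authenticationpolicy.yaml, decodes a token the way jwt.io does (base64url, no signature check; Istio verifies the signature against jwksUri, which this offline script deliberately skips) and reports every mismatch at once. The function names `check_request`, `check_claims` and `make_unsigned_token` are this example's own, and the tokens it builds are constructed test data with alg=none that Istio would reject. One caveat it encodes: the v1alpha1 policy is translated to Envoy's jwt_authn filter, and once `jwt_headers` is listed only those headers are searched, so a token sent as `Authorization: Bearer ...` is not seen by this policy.

```python
import base64
import json
import time

# Values copied from the posted authenticationpolicy.yaml.
POLICY_ISSUER = "https://securetoken.google.com"
POLICY_AUDIENCES = ["military-govt-id"]
POLICY_JWT_HEADER = "x-goog-iap-jwt-assertion"


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in JWTs."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str):
    """Return (header, payload) of a compact JWS. The signature is NOT verified here;
    Istio checks it against the keys fetched from jwksUri."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def check_claims(payload: dict, issuer: str, audiences: list, now=None) -> list:
    """Compare the claims an Istio origin rule evaluates against the policy values.
    Returns a list of human-readable mismatches; an empty list means the claims match."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != issuer:
        problems.append(f"iss is {payload.get('iss')!r}, policy issuer is {issuer!r}")
    aud = payload.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]  # aud may be a string or an array
    if not any(a in audiences for a in aud_list):
        problems.append(f"aud {aud!r} is not one of the policy audiences {audiences!r}")
    exp = payload.get("exp")
    if exp is None:
        problems.append("no exp claim")
    elif exp <= now:
        problems.append(f"token expired at {exp} (now {int(now)})")
    nbf = payload.get("nbf")
    if nbf is not None and nbf > now:
        problems.append(f"token not valid before {nbf}")
    return problems


def check_request(headers: dict, issuer=POLICY_ISSUER, audiences=POLICY_AUDIENCES,
                  header_name=POLICY_JWT_HEADER, now=None) -> list:
    """Locate the JWT the way the policy does, then check its claims."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    token = lowered.get(header_name.lower())
    if token is None:
        msg = f"no JWT in header {header_name}"
        # With jwt_headers set, Envoy's jwt_authn filter searches only those headers, so a
        # Bearer token in Authorization is never seen by this policy.
        if lowered.get("authorization", "").lower().startswith("bearer "):
            msg += " (a Bearer token is present in Authorization, but the policy only reads the configured header)"
        return [msg]
    _, payload = decode_jwt(token)
    return check_claims(payload, issuer, audiences, now)


def make_unsigned_token(claims: dict) -> str:
    """Constructed test token (alg=none, empty signature) for exercising the claim checks
    offline. Istio would reject it because it carries no verifiable signature."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    soon = int(time.time()) + 3600
    good = make_unsigned_token({"iss": POLICY_ISSUER, "aud": "military-govt-id", "exp": soon})
    print("matching token:", check_request({POLICY_JWT_HEADER: good}) or "claims match the policy")
    bad = make_unsigned_token({"iss": "https://accounts.google.com", "aud": ["other-service"], "exp": soon})
    for problem in check_request({POLICY_JWT_HEADER: bad}):
        print("mismatch:", problem)
    for problem in check_request({"Authorization": f"Bearer {good}"}):
        print("mismatch:", problem)
```

To use it against a real request, paste the token your client sends into `check_request({"x-goog-iap-jwt-assertion": token})`; if the list comes back empty, the remaining suspects are the signature (the key referenced by the token's `kid` must be served by jwksUri) and the header the client actually puts the token in.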

0 Answers