How can two internal Cloud Run node.js microservices successfully communicate via gRPC?

Question

New to Google Cloud Run and trying to have two node.js microservices communicate internally via gRPC.

The client interface:

constructor(address: string, credentials: grpc.ChannelCredentials, options?: object);

The client code:

const client: MyClient = new MyClient('my-service-abcdefgh3a-ew.a.run.app:443', grpc.credentials.createSsl());

The server code:

const server = new grpc.Server();
server.addService<IMyServer>(MyService, new MyServer());
server.bind(`0.0.0.0:${process.env.PORT}`, grpc.ServerCredentials.createInsecure());
server.start();

The server is set to listen to 443.

The above seems to work when the service is open to public requests but doesn't work when you have the server set as internal. Any ideas?

This is also documented in https://cloud.google.com/run/docs/triggering/grpc#request-auth. In a nutshell you need to provide `Authentication` header on outgoing RPCs (headers in gRPC are called "metadata"). — ahmet alp balkan, Aug 24 '20 at 23:35

score 3 · Accepted Answer · answered Aug 24 '20 at 20:49

You have to add the credentials in the request metadata. Here an example

...
 // Create a client for the protobuf spec
  const client = new protoObj.Greeter(HOST, grpc.credentials.createInsecure());

  // Build gRPC request
  const metadata = new grpc.Metadata();
  metadata.add('authorization', `Bearer ${JWT_AUTH_TOKEN}`);

  // Execute gRPC request
  client.sayHello({name: GREETEE}, metadata, (err, response) => {...

Second question, how to get the JWT_AUTH_TOKEN. Here the documentation of Cloud Run to do this. But not completely, simply get the token and use it in the metadata of the request

...
request(tokenRequestOptions)
  .then((token) => {
  // add the token to the metadata
  });

// Make the call
...

How can two internal Cloud Run node.js microservices successfully communicate via gRPC?

1 Answers1