Secure Cloud Scheduler App Engine route with X-Cloudscheduler


James Watkinson

Apr 20, 2020, 11:39:59 AM
to Google App Engine
I've set up Cloud Scheduler to GET an App Engine route with no issues - but the documentation is lacking (in general), but mostly on how to secure it. It mentions "login: admin" in app.yaml, but I'm pretty sure that is deprecated in most new Standard Environments.

I briefly tested the request and have seen X-Cloudscheduler:true as a header. Knowing that App Engine strips all "X-" headers, can this be relied on? If so, can it be added to the documentation?

Thanks,


Olu

Apr 21, 2020, 11:39:28 AM
to Google App Engine
According to Cloud Scheduler documentation [1--See the App Engine HTTP], App Engine endpoints can be secured with "login: admin" in the app.yaml file. While I understand that the admin login feature is not available for some environments and not documented for some of the App Engine Standard language runtimes (certainly it is not available for App Engine flex), I do not have any information about the deprecation. At the least, I have no documentation that confirms that at this point.

About the use of X-Cloudscheduler:true as a header, following internal tests completed on various types of requests, this may somewhat be relied upon to filter requests for some of the cases. However, in one of the tests done in the past for requests, we found the use flawed. Since using X-Cloudscheduler:true as a header may not be viable for all cases (at least, from our internal tests in the past), I believe this may be the reason why the documentation has not been duly updated.

James Watkinson

Apr 24, 2020, 10:47:11 AM
to Google App Engine
Thanks Olu for testing, 

Could you provide the scenario in which the header was not presented? Can you also raise a ticket to get this fixed / added to all Cloud Scheduler requests? 

login: admin is not available in the Python 3.7 App Engine environment. App.yaml reference: https://cloud.google.com/appengine/docs/standard/python3/config/appref

Olu

Apr 24, 2020, 1:39:54 PM
to Google App Engine
Actually, the test was done on another customer's setup in the past. You can be sure that the internal Cloud Scheduler engineers are aware of this usage. In fact, there is an internal feature request with the Cloud Scheduler team for the use of these headers.

At the moment, our recommendation is to use these headers for informational purposes rather than using them for security.
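
An added example, not from the thread or from Google's documentation: a WSGI middleware that follows the recommendation above by logging X-Cloudscheduler as informational only, while the allow/deny decision rests on a separate shared token. The X-Job-Token header name, the token value and the handler are assumptions made for this example; the token would have to be configured as a custom header on the job.

```python
import hmac
import logging

log = logging.getLogger("scheduler_route")

# Assumption: header name chosen for this example, sent by the job as a
# custom header. It is not a Cloud Scheduler built-in.
SECRET_HEADER = "HTTP_X_JOB_TOKEN"
# Header seen in the thread, in WSGI environ form. Informational only.
SCHEDULER_HEADER = "HTTP_X_CLOUDSCHEDULER"


def classify(environ, expected_token):
    """Return (allowed, claims_scheduler) for one request.

    allowed depends only on the shared token; claims_scheduler records
    whether X-Cloudscheduler: true was present, for logging.
    """
    claims_scheduler = environ.get(SCHEDULER_HEADER, "").lower() == "true"
    presented = environ.get(SECRET_HEADER, "")
    # Constant-time comparison; an empty expected token never matches.
    allowed = bool(expected_token) and hmac.compare_digest(
        presented.encode(), expected_token.encode()
    )
    return allowed, claims_scheduler


def protect(app, expected_token):
    """WSGI middleware: reject requests without the token before app runs."""
    def wrapped(environ, start_response):
        allowed, claims_scheduler = classify(environ, expected_token)
        # The scheduler header is logged, never used for the decision.
        log.info("path=%s scheduler_header=%s allowed=%s",
                 environ.get("PATH_INFO"), claims_scheduler, allowed)
        if not allowed:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        return app(environ, start_response)
    return wrapped


def job_handler(environ, start_response):
    """Hypothetical scheduled-job route used to exercise the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"job ran\n"]
```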
