Restrict access to AppEngine service to CloudScheduler and Tasks

[Vishwanath T R]

Hi 

  What's the best way to verify that the HTTP request came from CloudScheduler? I see that the requests have an X-CloudScheduler header when the scheduler issues the request. However I see that if I make a curl to the appengine endpoint from outside the project and specify the header "X-CloudScheduler: true" then the header is not stripped by appengine but instead converted to lower case. What is the recommended way for the AppEngine endpoint to verify that the cloud scheduler issued the call?


   Similarly whats the best way to verify that the HTTP request came from TaskService? Is checking for presence of X-AppEngine-TaskName header the recommended way to verify this (per https://cloud.google.com/appengine/docs/standard/java/taskqueue/push/creating-handlers#writing_a_push_task_request_handler)? 

Thanks
Vish

[rodriguezconde]

Hello,

I understand you would like to know how to identify HTTP requests coming from Cloud Scheduler and Cloud Task services. 

Regarding your different questions, I would like to answer them in an ordered manner so it is easier to understand.

> What's the best way to verify that the HTTP request came from CloudScheduler? What is the recommended way for the AppEngine endpoint to verify that the cloud scheduler issued the call?

Google Cloud Scheduler has two command line options that add additional headers to the request that your Cloud Scheduler makes. 

--oidc-service-account-email=<service_account_email>

--oidc-token-audience=<service_endpoint_being_called>

As a result, you can process it through your application to verify who is calling your endpoint. Further details can be found here [1] and you will also be able to find an example on how to verify an HTTP request coming from Cloud Scheduler. 

In conclusion, adding the different command line to add additional headers to be processed later by your application is the best way to identify or verify that HTTP requests are coming from Cloud Scheduler, as it is also mentioned here. [1] 

As for what's the best way to verify that the HTTP request came from TaskService? Is checking for presence of X-AppEngine-TaskName header the recommended way to verify this (per https://cloud.google.com/appengine/docs/standard/java/taskqueue/push/creating-handlers#writing_a_push_task_request_handler)? 

I believe in order to verify HTTP request coming from Cloud Task, checking for the presence of X-AppEngine-TaskName header should be enough not only to identify that the HTTP request is coming from Cloud Tasks, but you will also be able to know the name of the task, or a system-generated unique ID if no name was specified.

Also, if you would like to gather further information coming from your Cloud Task service, you could refer to the documentation you greatly linked here [2] which shows a complete list of the headers the request from the Task Queue will always contain, such as “X-AppEngine-TaskName”

Also you could try to add the different command lines options mentioned above when creating your Cloud Task in order to add additional headers if needed when processing your HTTP request.

The result should be similar to the one experienced in Cloud Scheduler, letting you process the new additional headers through your application in order to identify the HTTP request origin.

Nonetheless, the one mentioned by you which implies verifying the request by “X-AppEngine-TaskName” is also useful when wanting to know where the HTTP request comes from.

Best regards,

Christopher R. 

__
[1]: https://stackoverflow.com/questions/53181297/verify-http-request-from-google-cloud-scheduler

[2]: https://cloud.google.com/appengine/docs/standard/java/taskqueue/push/creating-handlers#reading_request_headers