Service Account / IAM Based Authentication for Microservices


Robert Hoppe

Aug 27, 2020, 5:01:35 AM
to Google Cloud Endpoints
Hi guys!


How is this actually meant to be used? For example, if I've got 50 microservices running across different GCP projects within an organisation, do I really need to add 50 service accounts?

Is there no way of managing the auth by using IAM... for example, ALL service accounts that have role XYZ are allowed to access the API?

The background is that it feels somehow strange to always update the OpenAPI document for another microservice with an extra SA.

I expected that I could manage the API access somehow with IAM (roles?).

Thanks guys for answering.

Kind Regards
Robert Hoppe

Josh Einhorn

Aug 27, 2020, 11:03:47 AM
to Robert Hoppe, Google Cloud Endpoints
> Is there no way of managing the auth by using IAM... for example, ALL service accounts that have role XYZ are allowed to access the API?

That is right: Endpoints performs only authentication, i.e. decoding a JWT and verifying the audience, issuer, etc. What you're looking for is identity-based authorization. Have you seen IAP and/or ASM? These can each perform identity-based authorization of a sort, though you may encounter similar constraints that other Endpoints customers have, e.g. the desire to have different permissions/roles for different "Resources" in your API.

> I expected that I could manage the API access somehow with IAM (roles?).

JFYI, this is clearly a highly valuable feature that we've had numerous requests for in various forms; if possible, you might file a new feature request or upvote an existing one so your request becomes more official.

-Josh
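To make the distinction Josh draws concrete, here is an added example (not code from the thread or from Google): `authenticate()` models the issuer/audience checks Endpoints performs on an already signature-verified JWT, and `authorize()` models the IAM-style "every service account holding role XYZ may call the API" check the original question asks for. The service account emails, the audience, and the custom role name are constructed placeholders, and it assumes the setup where each caller's service account is listed as its own issuer in the OpenAPI document.

```python
# Added example: authentication (what Endpoints does) vs identity-based
# authorization (what the thread asks for). All values are constructed.

# One trusted issuer per caller, as in an OpenAPI doc that lists each
# service account as its own issuer (assumption: self-signed SA JWTs).
TRUSTED_ISSUERS = {
    "svc-a@proj-a.iam.gserviceaccount.com",
    "svc-b@proj-b.iam.gserviceaccount.com",
}
API_AUDIENCE = "https://api.example.invalid"  # placeholder service name

# Constructed IAM-style bindings (role -> members); not a real GCP policy.
# Granting a new microservice access is one binding change here, rather
# than another issuer entry in the OpenAPI document.
POLICY_BINDINGS = {
    "roles/example.apiInvoker": {  # hypothetical custom role
        "serviceAccount:svc-a@proj-a.iam.gserviceaccount.com",
    },
}


def authenticate(claims, trusted_issuers=TRUSTED_ISSUERS, audience=API_AUDIENCE):
    """Endpoints-style check: known issuer and matching audience.
    The JWT signature is assumed to have been verified already
    (e.g. against the issuer's published keys). Returns the identity."""
    if claims.get("iss") not in trusted_issuers:
        raise PermissionError("issuer not configured for this API")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("audience mismatch")
    return claims.get("email") or claims["sub"]


def authorize(identity, role, bindings=POLICY_BINDINGS):
    """Identity-based authorization: is this identity bound to the role?"""
    return f"serviceAccount:{identity}" in bindings.get(role, set())


def handle(claims, role="roles/example.apiInvoker"):
    """Full path: 401 if authentication fails, 403 if the caller is
    authenticated but not bound to the required role, else 200."""
    try:
        identity = authenticate(claims)
    except PermissionError:
        return 401
    return 200 if authorize(identity, role) else 403
```

Note that `svc-b` passes `authenticate()` (it is a configured issuer) yet gets 403, which is exactly the gap the thread describes: Endpoints alone cannot express the role check.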


Prateek Malhotra

Aug 27, 2020, 11:38:37 AM
to Josh Einhorn, Robert Hoppe, Google Cloud Endpoints
Now that you can use NEGs with Cloud Run, couldn't you set up a load balancer + IAP in front of all API microservices to authenticate based on identity? I guess ESPv2 would just need a mode of operation where it sits behind IAP instead of in front of it, or perhaps that's already possible with the IAP headers? ESP would need to send the IAP headers through so the application gets the user information.

Prateek Malhotra


Robert Hoppe

Aug 31, 2020, 3:14:16 AM
to Google Cloud Endpoints
Thanks guys for answering. I'm gonna take a look into NEGs with Cloud Run and will also check out the feature requests.

Kind Regards
Robert Hoppe

--

Robert Hoppe 

Phone: +49 (0) 1754489905
Email: in...@therob.me

Martin-Altenbach-Weg 9, 76337 Waldbronn, DE
www.therob.me

