Stackdriver webhook token authentication and best practices

[ichauhan]

I am planning to receive GCP stackdriver alerting via webhooks to an on-premise network. I need some recommendation on how to manage privacy and authentication. I will be using an SSL enabled endpoint URL and I am trying to find documentation to set up token authentication or even possibilities to white list IP addresses/domain on my on-premise firewall.

[Mary Koes]

+Rory Petty 

On Tue, Mar 26, 2019 at 2:34 PM ichauhan <chauha...@gmail.com> wrote:

I am planning to receive GCP stackdriver alerting via webhooks to an on-premise network. I need some recommendation on how to manage privacy and authentication. I will be using an SSL enabled endpoint URL and I am trying to find documentation to set up token authentication or even possibilities to white list IP addresses/domain on my on-premise firewall.

--
© 2016 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043
 
Email preferences: You received this email because you signed up for the Google Stackdriver Discussion Google Group (google-stackdr...@googlegroups.com) to participate in discussions with other members of the GoogleStackdriver community.
---
You received this message because you are subscribed to the Google Groups "Google Stackdriver Discussion Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-stackdriver-d...@googlegroups.com.
To post to this group, send email to google-stackdr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-stackdriver-discussion/1d618cab-3a76-4855-b519-37ed874f727d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Rory Petty]

Apologies for the delayed response. There are a couple of ways you can authenticate webhooks from Stackdriver.

The Webhook configuration page is here:

https://app.google.stackdriver.com/settings/accounts/notifications/static-webhook/add?project=<your project id>

From that page:

Token Auth

Token Authentication is utilized by providing a querystring parameter in the endpoint url with a key that the server expects to be secret between itself and Stackdriver. For example, you might enter an endpoint url that looks like:

https://www.myserver.com/stackdriver-hook?auth_token=1234-abcd

When Stackdriver posts an incident to that url, you can check to ensure that the attached parameter matches what you expect. This method of authentication is most effective when used in conjunction with SSL/TLS to encrypt the HTTP request preventing snoopers from learning the token.

For server examples in python, visit https://gist.github.com/tschieggm/7604940

Basic Auth

Basic authentication leverages the HTTP specification for including username and password along with the webhook request Stackdriver sends. In accordance with the spec, Stackdriver expects your server to correctly return a 401 response with the correct “WWW-Authenticate” header.

Documentation and examples of HTTP Basic Auth can be found at:

RFC Specification: http://www.ietf.org/rfc/rfc2617.txt

Wikipedia: http://en.wikipedia.org/wiki/Basic_access_authentication

Some other notes about security and authentication:

1. Make sure that the webhook is HTTPS rather than HTTP to ensure that the communication is encrypted.

2. Implement HTTP Basic Auth on your endpoint. Stackdriver can pass the http auth headers with the request.

3. As discussed above, put a really long, random token in the URL that can be checked on your endpoint as part of authentication.

4. If you are worried about this token leaking, you can use the NotificationChannel API to programmatically rotate the value of this token.

5. If you want further validation, you can also examine the notification payload of the webhook request and query the AlertPolicy API on your side to do some basic sanity checking of the payload

Thanks,

Rory

To view this discussion on the web visit https://groups.google.com/d/msgid/google-stackdriver-discussion/CAJoTiF9wijxn5T59mk4T2aym4Cc9gHBrNpaqSEdnCU-AE4eY7Q%40mail.gmail.com.

[ichauhan]

Hi Rory,

Your response is very helpful. We are actively looking to get webhook incidents from GCP stackdriver to integrate it with an on premise network/apllication management system. So I found this link :

https://cloud.google.com/monitoring/uptime-checks/using-uptime-checks#get-ips

We are also looking for a possibility to white list IP addresses on our firewall from where we get these web-hooks. Does the above link provide that list ? If not, would it be possible to get the stackdriver IP addresses that send webhooks.

Thanks,

Ishan

On Thursday, 28 March 2019 12:52:59 UTC-4, Rory Petty wrote:

Apologies for the delayed response. There are a couple of ways you can authenticate webhooks from Stackdriver.

The Webhook configuration page is here:

https://app.google.stackdriver.com/settings/accounts/notifications/static-webhook/add?project=<your project id>

From that page:

Token Auth

Token Authentication is utilized by providing a querystring parameter in the endpoint url with a key that the server expects to be secret between itself and Stackdriver. For example, you might enter an endpoint url that looks like:

https://www.myserver.com/stackdriver-hook?auth_token=1234-abcd

When Stackdriver posts an incident to that url, you can check to ensure that the attached parameter matches what you expect. This method of authentication is most effective when used in conjunction with SSL/TLS to encrypt the HTTP request preventing snoopers from learning the token.

For server examples in python, visit https://gist.github.com/tschieggm/7604940

Basic Auth

Basic authentication leverages the HTTP specification for including username and password along with the webhook request Stackdriver sends. In accordance with the spec, Stackdriver expects your server to correctly return a 401 response with the correct “WWW-Authenticate” header.

Documentation and examples of HTTP Basic Auth can be found at:

RFC Specification: http://www.ietf.org/rfc/rfc2617.txt

Wikipedia: http://en.wikipedia.org/wiki/Basic_access_authentication

Some other notes about security and authentication:

1. Make sure that the webhook is HTTPS rather than HTTP to ensure that the communication is encrypted.

2. Implement HTTP Basic Auth on your endpoint. Stackdriver can pass the http auth headers with the request.

3. As discussed above, put a really long, random token in the URL that can be checked on your endpoint as part of authentication.

4. If you are worried about this token leaking, you can use the NotificationChannel API to programmatically rotate the value of this token.

5. If you want further validation, you can also examine the notification payload of the webhook request and query the AlertPolicy API on your side to do some basic sanity checking of the payload

Thanks,

Rory

On Wed, Mar 27, 2019 at 9:51 AM 'Mary Koes' via Google Stackdriver Discussion Forum <google-stackdriver-discu...@googlegroups.com> wrote:

+Rory Petty 

On Tue, Mar 26, 2019 at 2:34 PM ichauhan <chauha...@gmail.com> wrote:

I am planning to receive GCP stackdriver alerting via webhooks to an on-premise network. I need some recommendation on how to manage privacy and authentication. I will be using an SSL enabled endpoint URL and I am trying to find documentation to set up token authentication or even possibilities to white list IP addresses/domain on my on-premise firewall.

--
© 2016 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043
 

Email preferences: You received this email because you signed up for the Google Stackdriver Discussion Google Group (google-stackdriver-discu...@googlegroups.com) to participate in discussions with other members of the GoogleStackdriver community.

---
You received this message because you are subscribed to the Google Groups "Google Stackdriver Discussion Forum" group.

To unsubscribe from this group and stop receiving emails from it, send an email to google-stackdriver-discussion+unsub...@googlegroups.com.

To post to this group, send email to google-stackdr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-stackdriver-discussion/1d618cab-3a76-4855-b519-37ed874f727d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
© 2016 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043
 

Email preferences: You received this email because you signed up for the Google Stackdriver Discussion Google Group (google-stackdriver-discu...@googlegroups.com) to participate in discussions with other members of the GoogleStackdriver community.

---
You received this message because you are subscribed to the Google Groups "Google Stackdriver Discussion Forum" group.

To unsubscribe from this group and stop receiving emails from it, send an email to google-stackdriver-discussion+unsub...@googlegroups.com.

[Rory Petty]

Will follow-up via direct message 

On Wed, Mar 27, 2019 at 9:51 AM 'Mary Koes' via Google Stackdriver Discussion Forum <google-stackdr...@googlegroups.com> wrote:

+Rory Petty 

On Tue, Mar 26, 2019 at 2:34 PM ichauhan <chauha...@gmail.com> wrote:

I am planning to receive GCP stackdriver alerting via webhooks to an on-premise network. I need some recommendation on how to manage privacy and authentication. I will be using an SSL enabled endpoint URL and I am trying to find documentation to set up token authentication or even possibilities to white list IP addresses/domain on my on-premise firewall.

--
© 2016 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043
 

Email preferences: You received this email because you signed up for the Google Stackdriver Discussion Google Group (google-stackdr...@googlegroups.com) to participate in discussions with other members of the GoogleStackdriver community.

---
You received this message because you are subscribed to the Google Groups "Google Stackdriver Discussion Forum" group.

To unsubscribe from this group and stop receiving emails from it, send an email to google-stackdriver-d...@googlegroups.com.

To post to this group, send email to google-stackdr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-stackdriver-discussion/1d618cab-3a76-4855-b519-37ed874f727d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
© 2016 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043
 

Email preferences: You received this email because you signed up for the Google Stackdriver Discussion Google Group (google-stackdr...@googlegroups.com) to participate in discussions with other members of the GoogleStackdriver community.

---
You received this message because you are subscribed to the Google Groups "Google Stackdriver Discussion Forum" group.

To unsubscribe from this group and stop receiving emails from it, send an email to google-stackdriver-d...@googlegroups.com.

To post to this group, send email to google-stackdr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-stackdriver-discussion/CAJoTiF9wijxn5T59mk4T2aym4Cc9gHBrNpaqSEdnCU-AE4eY7Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--

© 2016 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043
 

Email preferences: You received this email because you signed up for the Google Stackdriver Discussion Google Group (google-stackdr...@googlegroups.com) to participate in discussions with other members of the GoogleStackdriver community.

---
You received this message because you are subscribed to the Google Groups "Google Stackdriver Discussion Forum" group.

To unsubscribe from this group and stop receiving emails from it, send an email to google-stackdriver-d...@googlegroups.com.

To post to this group, send email to google-stackdr...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-stackdriver-discussion/53a4759b-bd58-46a1-b0bf-c99afc7efbb8%40googlegroups.com.

[venkata koteswarao Komaravolu]

Hi Rory,

I was also looking for the same, I'm trying with Serverless VPC and Cloud functions.  I'm able to connect on-premise Webhook through cloud functions, now I was looking for to push stackdriver monitoring alerting incidents JSON object to webhook which internally connects to on-premise Remedy tool.

Could you please guide me how to read incidents and push JSON object to on-premise.

Thanks and regards,

Koteswararao K

On Wed, Mar 27, 2019 at 9:51 AM 'Mary Koes' via Google Stackdriver Discussion Forum <google-stackdriver-discu...@googlegroups.com> wrote:

+Rory Petty 

On Tue, Mar 26, 2019 at 2:34 PM ichauhan <chauha...@gmail.com> wrote:

I am planning to receive GCP stackdriver alerting via webhooks to an on-premise network. I need some recommendation on how to manage privacy and authentication. I will be using an SSL enabled endpoint URL and I am trying to find documentation to set up token authentication or even possibilities to white list IP addresses/domain on my on-premise firewall.

--
© 2016 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043
 

Email preferences: You received this email because you signed up for the Google Stackdriver Discussion Google Group (google-stackdriver-discu...@googlegroups.com) to participate in discussions with other members of the GoogleStackdriver community.

---
You received this message because you are subscribed to the Google Groups "Google Stackdriver Discussion Forum" group.

To unsubscribe from this group and stop receiving emails from it, send an email to google-stackdriver-discussion+unsub...@googlegroups.com.

To post to this group, send email to google-stackdr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-stackdriver-discussion/1d618cab-3a76-4855-b519-37ed874f727d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
© 2016 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043
 

Email preferences: You received this email because you signed up for the Google Stackdriver Discussion Google Group (google-stackdriver-discu...@googlegroups.com) to participate in discussions with other members of the GoogleStackdriver community.

---
You received this message because you are subscribed to the Google Groups "Google Stackdriver Discussion Forum" group.

To unsubscribe from this group and stop receiving emails from it, send an email to google-stackdriver-discussion+unsub...@googlegroups.com.

To post to this group, send email to google-stackdr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-stackdriver-discussion/CAJoTiF9wijxn5T59mk4T2aym4Cc9gHBrNpaqSEdnCU-AE4eY7Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--
© 2016 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043
 

Email preferences: You received this email because you signed up for the Google Stackdriver Discussion Google Group (google-stackdriver-discu...@googlegroups.com) to participate in discussions with other members of the GoogleStackdriver community.

---
You received this message because you are subscribed to the Google Groups "Google Stackdriver Discussion Forum" group.

To unsubscribe from this group and stop receiving emails from it, send an email to google-stackdriver-discussion+unsub...@googlegroups.com.