GoogleCloudPlatform / deploymentmanager-samples

Deployment Manager samples and templates.
Apache License 2.0
935 stars 716 forks

Deployment manager authentication with Cloud Endpoints #313

Open varungbt opened 5 years ago

varungbt commented 5 years ago

I wanted to know more about the deployment manager authentication against a cloud endpoint. Documentation states that dm oauth authentication with cloud endpoints works, but there are no examples to guide through.

From the documentation

> Related to the previous point, the API has either basic authentication, or, if the API is running on Google Kubernetes Engine or Google Cloud Endpoints, the API supports OAuth 2.0 authentication using an access token from the project's service account.

I have an App Engine API service behind a Cloud Endpoint. If I have to invoke this API using Deployment Manager, what are the steps that are needed?

I used the description url for the Google deployment manager to be the rest api link of the app engine service

```yaml
imports:
  - path: echo.jinja

resources:
  - name: echo
    type: echo.jinja
    properties:
      discoverydoc: https://some-test.appspot.com/_ah/api/discovery/v1/apis/echo/v1/rest
```

```jinja
{% set RC_TYPE_PROVIDER = env['project'] + '/leotaskprovider:echo.get_user_email' %}

resources:
- name: leotaskprovider
  type: deploymentmanager.v2beta.typeProvider
  properties:
    descriptorUrl: {{ properties["discoverydoc"] }}
    options:
      inputMappings:
      - fieldName: Authorization
        location: HEADER
        value: >
          $.concat("Bearer ", $.googleOauth2AccessToken())

- name: get-user-email
  action: {{ RC_TYPE_PROVIDER }}
  metadata:
    dependsOn:
    - leotaskprovider
```

I cannot get the deployment manager to successfully authenticate against an OAuth-enabled cloud endpoint. Any pointers?

varungbt commented 5 years ago

When I use the $.googleOauth2AccessToken() call in a deployment manager template, the generated token (decoded) looks like:

```json
{
 "azp": "anonymous",
 "aud": "anonymous",
 "scope": "https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/ndev.cloudman https://www.googleapis.com/auth/devstorage.read_write https://www.googleapis.com/auth/compute https://www.googleapis.com/auth/appengine.admin",
 "exp": "1540590484",
 "expires_in": "2423",
 "email": "<project_id>@cloudservices.gserviceaccount.com",
 "email_verified": "true",
 "access_type": "offline"
}
```

This does not look like a valid ID token that can be used for Google Endpoints authentication. I do not think Cloud Endpoints can authenticate using such a token with aud set to anonymous and a missing iss (issuer).

Does $.googleOauth2AccessToken() work with Cloud Endpoints?
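The decoded claim set above has the shape of an OAuth 2.0 access token, not of an OpenID Connect ID token. As an added example (not from this issue, and not Deployment Manager or Cloud Endpoints code), the following Python applies the claim checks an ID-token consumer performs before trusting a token: a Google issuer, an audience naming the intended service, an unexpired `exp`, and a verified email. The expected audience value and the issuer list are assumptions; the claim set reproduces the one posted in the issue with the project id left redacted.

```python
import time

# Issuer values Google places in its ID tokens (assumption for this example).
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def check_id_token_claims(claims, expected_aud, now=None):
    """Return the reasons an ID-token consumer would reject `claims`.

    An empty list means the claim set has the shape of a usable ID token.
    Only the claims are examined; signature verification is a separate step.
    """
    now = time.time() if now is None else now
    problems = []

    iss = claims.get("iss")
    if iss is None:
        problems.append("missing iss (issuer)")
    elif iss not in GOOGLE_ISSUERS:
        problems.append(f"unexpected issuer {iss!r}")

    aud = claims.get("aud")
    if aud in (None, "", "anonymous"):
        problems.append(f"aud is {aud!r}; an ID token must name its audience")
    elif aud != expected_aud:
        problems.append(f"aud {aud!r} does not match expected {expected_aud!r}")

    # tokeninfo-style output carries exp as a string; accept int or str.
    try:
        exp = int(claims.get("exp", 0))
    except (TypeError, ValueError):
        exp = 0
    if exp <= now:
        problems.append("token is expired or has no usable exp")

    if str(claims.get("email_verified", "")).lower() != "true":
        problems.append("email is not verified")
    return problems


# Claim set posted in the issue (scope omitted, project id redacted).
ISSUE_CLAIMS = {
    "azp": "anonymous",
    "aud": "anonymous",
    "exp": "1540590484",
    "email": "<project_id>@cloudservices.gserviceaccount.com",
    "email_verified": "true",
}

if __name__ == "__main__":
    for reason in check_id_token_claims(ISSUE_CLAIMS, "https://some-test.appspot.com", 1540590000):
        print("reject:", reason)
```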

varungbt commented 5 years ago

I have received a reply on the issue in a different forum. Just wanted to share the reply I received. Seems like this is a bug IssueTracker