Invoking (internal traffic) HTTP Google Cloud Function from Google App Engine (flex)

So I have a simple flask service that is sitting in a GAE flex instance. The instance is behind Identity-Aware Proxy. Once authenticated through IAP, I am able to get the user's X-Appengine-* and X-Goog-* headers (including the iap-jwt).

So my question is, from here with all the info I have, how do I call an internal-traffic-only HTTP GCF?

  1. As far as I'm aware, it seems that there's a way to use the iap-jwt as an access token to add in the Authorization header, but I can't seem to get anything working.
  2. Additionally, since App Engine is running within the same project as Cloud Functions, isn't there a way for App Engine to call a Cloud Function using its (App Engine) service account, given that the App Engine service account has the invoker permission?

  • answered 2021-07-27 18:58 guillaume blaquiere

    TL;DR: you can't.

    In fact, you can plug your App Engine flex into your VPC to route all the internal traffic (i.e. the traffic routed to a private IP (RFC1918)). However, Cloud Functions (or Cloud Run, it's the same thing) are public, even if you set the ingress to internal.

    The ingress set to internal tells the platform to add an additional check on the traffic origin: it must come from the VPC of the project or from the VPC SC perimeter. BUT the traffic to access the service is still public.

    Therefore, when you use App Engine (flex or not, the issue is the same), you can't say "Hey, route all the egress to the VPC". You can do that only with Cloud Functions' and Cloud Run's egress control, not with App Engine.

    Therefore, your Cloud Functions call doesn't use your VPC, and thus lands on your ingress-internal Cloud Function from the internet, not from your VPC. And you get a 401, Unauthorized.

    There is no network solution for that, but you have an IAM solution. Grant only the App Engine service account access to your Cloud Functions, and no other identity. Like that, anyone will be able to call your Cloud Functions from the internet, but only authenticated and authorised traffic will be routed to your Cloud Functions. All the bad traffic will be discarded by the GFE (Google Front End) before invoking your Cloud Functions, and you won't pay for it.
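
    The IAM route the answer recommends, as an added example (this is not code from the question or the answer): the App Engine flex service asks its own instance metadata server for an OIDC ID token whose audience is the function's URL, and sends that token as a Bearer credential. Google Front End verifies the token and the caller's invoker permission before the function ever runs, so the user's IAP JWT is not what gets forwarded; the App Engine service account's identity is. The metadata endpoint and the `Metadata-Flavor: Google` header are the documented GCE interface; FUNCTION_URL, the function names and the unsigned `demo_token` are this example's placeholders and assumptions. It assumes the App Engine default service account has been granted `roles/cloudfunctions.invoker` on the target function.

```python
"""Invoke an HTTP Cloud Function with the App Engine service account's identity.

Added example, not code from the question or answer above. Assumes the App
Engine default service account holds roles/cloudfunctions.invoker on the target
function and that FUNCTION_URL is replaced with the real trigger URL. The
metadata-server endpoint and the Metadata-Flavor header are the documented GCE
interface; the function names and the demo token are this example's own.
"""
import base64
import json
import urllib.parse
import urllib.request

METADATA_IDENTITY = ("http://metadata.google.internal/computeMetadata/v1/"
                     "instance/service-accounts/default/identity")
FUNCTION_URL = "https://REGION-PROJECT.cloudfunctions.net/FUNCTION"  # placeholder


def metadata_identity_url(audience):
    """URL that makes the metadata server mint an OIDC ID token for `audience`.
    The audience must be the function's own URL; GFE checks the `aud` claim
    and answers 401 otherwise."""
    return METADATA_IDENTITY + "?" + urllib.parse.urlencode({"audience": audience})


def _http_get(url, headers):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def _http_post(url, headers, data):
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode("utf-8")


def fetch_id_token(audience, http_get=_http_get):
    """Ask the instance metadata server for an ID token. `http_get` is
    injectable so the logic can be exercised outside GCP."""
    return http_get(metadata_identity_url(audience),
                    {"Metadata-Flavor": "Google"}).strip()


def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature. Used only for a
    local sanity check of `aud` before sending; the platform verifies the
    signature, not this code."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def build_invocation(function_url, body, http_get=_http_get):
    """Return (url, headers, data) for an authenticated POST; refuse to send a
    token that was minted for a different audience."""
    token = fetch_id_token(function_url, http_get)
    aud = jwt_claims(token).get("aud")
    if aud != function_url:
        raise ValueError(f"ID token audience {aud!r} is not {function_url!r}")
    headers = {"Authorization": "Bearer " + token,
               "Content-Type": "application/json"}
    return function_url, headers, json.dumps(body).encode("utf-8")


def invoke_function(function_url, body, http_get=_http_get, http_post=_http_post):
    """Full call: mint token for the function URL, POST with Bearer auth."""
    url, headers, data = build_invocation(function_url, body, http_get)
    return http_post(url, headers, data)


def demo_token(aud):
    """Constructed, UNSIGNED token for offline demonstration only. GFE would
    reject it; on App Engine the metadata server returns a Google-signed one."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return b64({"alg": "none"}) + "." + b64({"aud": aud, "iss": "demo"}) + "."


if __name__ == "__main__":
    # Offline dry run with a fake metadata server that mints for the right audience.
    fake_get = lambda url, headers: demo_token(FUNCTION_URL)
    url, headers, data = build_invocation(FUNCTION_URL, {"ping": 1}, fake_get)
    print(url, headers["Authorization"][:24] + "...", data)
```

    On a real instance, call `invoke_function(FUNCTION_URL, {...})` with the defaults and the token comes from the metadata server. The local `aud` check matters because the most common cause of a 401 from an IAM-protected function is a token minted for the wrong audience (an access token, or an ID token for some other URL), and catching that in the caller is cheaper than debugging GFE rejections.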

