Re: Uptime checks on authenticated Cloud Run

simon3 · 11-07-2023 04:08 AM

I'm trying to configure uptime checks for our Cloud Run services. For unauthenticated Cloud Runs this is straightforward and works fine.

For Cloud Runs that need authentication it becomes 'interesting'. While I can add a ID token as an Authorization header, this only works as long as the token is valid (1 hour).

How can we best fix this to make this work ?

robertcarlos

Hi @simon3,

Welcome to Google Cloud Community!

Based on this documentation on ID token lifetime, it is only valid for up to 1 hour or 3600 seconds and you need to acquire a new one when it expires.

Here are some of the suggestions to extend or prolong ID tokens:

Fetch tokens from the metadata server and you will always get a valid token.
If you cache the tokens yourself, you can decode the token and check the exp time to see if you need to refresh the token.
You could also use self-signed JSON Web Tokens (JWTs) without having to get an access token from the Authorization Server.

You could check the following documentations for additional information regarding ID tokens:

You may also file this one as a feature request to check whether we could extend ID tokens longer than 1 hour.

Hope this helps.

simon3

"Based on this documentation on ID token lifetime, it is only valid for up to 1 hour or 3600 seconds and you need to acquire a new one when it expires."

But the GCP Uptime Checks do not support this, the functionality is rather limited. You can add a (static) ID token during creation, but there is no functionality to have it updated every 1 hour.

Unless you mean we have to programmatically update all of the Uptime checks every 1 hour with new ID token I wouldn't know how to do this.

Can you give an example of how the Uptime Check should be configured in order to make this work?