Re: Cloud Run service to service integration not w...

dheerajpanyam · 11-17-2023 08:42 PM

1. I have a public facing ReactJs frontend service deployed in cloud run, which renders the application in the client's browser.

2. I also have a server side backend NodeJs REST APIs deployed as a 2nd Cloud Run service which for obvious reasons needs to be a private/internal only service.

I am following the code snippet in this tutorial which has the exact same setup as mine to setup service to service communication with. As you can see in the code snippet the public front end service uses the google-auth library to generate a OAuth access token by the metadata server and it calls the private CR endpoint using HTTP POST passing OAuth token and body of the request.

In my case this is giving a 404 error whereby the ReactJs application is unable to access the backend APIs.

Since, google-auth-library is only works on the server side and doesn't work on the client side, we are unable to use that id-token authentication scenario of service to service authentication.

Does it mean we need to deploy as a single CR service is this the only solution?

NoCommandLine

> this is giving a 404 error

I expected a 403 error (though some websites use a 404 rather than a 403 if the endpoint is sensitive).

To make sure your error is due to authentication issues and not a malformed url/calling an incorrect url, make the private service public and call it again. If you still get a 404, then you have a problem with the url. If it goes through, then it's an authentication issue and we can then look at that.

..... NoCommandLine ......

https://nocommandline.com

A GUI for Google App Engine
& Datastore Emulator

dheerajpanyam

@NoCommandLine I already tried what you are suggesting. I made the backend service private and from the front end service i am calling the OOB Cloud Run URL associated with the backend. It is giving a 404. Does the google-auth-library work on the client side meaning as part of a React App this could be the problem? Google Auth library works server side (meaning in scenarios where the CR service need not run in a browser)

NoCommandLine

I mean temporarily make the back-end service public (this way, no authentication is required; this means both front and back end services are public) and confirm if you still get a 404. If you do, then it means your issue isn't with the token required to invoke the service when it's private.

..... NoCommandLine ......

https://nocommandline.com

A GUI for Google App Engine
& Datastore Emulator

dheerajpanyam

@NoCommandLine When I make both the services public everything works. It is only when the backend REST API service is made private that I face the issue. What should be the security setting for a private service is it `require authentication`?. Below are the networking and security settings for the backend CR service. As you can see it is public and accepting unauthenticated calls.

NoCommandLine

Yes, it should be 'require authentication'.

So there's confirmation the issue is with when you set it to private.

Can you provide a snippet of your code where you obtain the token and then make a call with the token (here or in a GitHub repo)?

..... NoCommandLine ......

https://nocommandline.com

A GUI for Google App Engine
& Datastore Emulator

Cloud Run service to service integration not working (public React JS + private Express backend)