Cloud Tasks masks Bearer Token (To a Public Cloud Run)

I have a public Cloud Run, authenticated by JWT Token. Working 100%. The logic inside the Cloud Run to decode the token is in Python:

import time
import jwt  # PyJWT
from jwt import InvalidTokenError

# JWT_SECRET and JWT_ALGORITHM are configured elsewhere in the service

def decode_jwt(token: str) -> dict:
    try:
        decoded_token = jwt.decode(
            token, JWT_SECRET, algorithms=[JWT_ALGORITHM])
        # custom "expires" claim: return None once the token has expired
        return decoded_token if decoded_token["expires"] >= time.time() else None
    except Exception as e:
        raise InvalidTokenError from e

The Cloud Run is publicly available using a custom domain.

Now, I want to do some requests to the Cloud Run, using Cloud Tasks (each request has different parameters, created previously by a Cloud Function). In the Cloud Tasks, I create each task with a "Bearer {token}" parameter.

Cloud Task Headers Code:

task["http_request"]["headers"] = \
                {"Authorization": f"Bearer {token}",
                 "Accept": "application/json"}

First situation:

When I create the task without the "oidc_token" parameter in the http_request creation, Cloud Run returns "403 Forbidden" and never reaches the decode_jwt function inside Cloud Run. Cloud Task http_request Code:

task = {
    "http_request": {
        "http_method": tasks_v2.HttpMethod.POST,
        "url": url,
    }
}

Second situation: I add an "oidc_token".

task = {
    "http_request": {
        "http_method": tasks_v2.HttpMethod.POST,
        "url": url,
        "oidc_token": {
            "service_account_email": "[email protected]",
        }
    }
}

Now, the request reaches the Cloud Run decode_jwt function, and the log in Cloud Run returns "InvalidTokenError". Extra: I added a logging.info to expose the token received in Cloud Run, and it is not the token I passed in the Cloud Task creation.

Solution 1:[1]

You have to specify the audience of your Cloud Run service, like this:

task = {
    "http_request": {  # Specify the type of request.
        "http_method": tasks_v2.HttpMethod.POST,
        "url": url,  # The full url path that the task will be sent to.
        "oidc_token": {
            "service_account_email": "[email protected]",
            # base url of Cloud Run, no /sub/path (placeholder value)
            "audience": "https://SERVICE-URL-OF-CLOUD-RUN",
        }
    }
}
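As an added example (not code from the question or the answer), the two sides of this exchange in plain Python: the task body with the audience derived from the task URL as the answer describes (base URL only, no /sub/path), and the claim checks the Cloud Run side should apply to the Google-signed ID token it receives, consistent with the observation above that the Authorization header Cloud Run sees is the OIDC token and not the custom one set in the task headers. The service account address, issuer list and sample claims are placeholders I constructed; signature verification of the ID token (for example with google-auth) is assumed to have happened before check_oidc_claims runs.

```python
import time
from typing import Optional
from urllib.parse import urlparse

# Placeholder values (not from the page): replace with your own.
SERVICE_ACCOUNT = "tasks-invoker@PROJECT_ID.iam.gserviceaccount.com"
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")


def audience_for(url: str) -> str:
    """Derive the OIDC audience from a task URL: scheme + host only, no /sub/path."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"task URL must be an absolute https URL: {url!r}")
    return f"{parts.scheme}://{parts.netloc}"


def build_task(url: str, service_account: str = SERVICE_ACCOUNT) -> dict:
    """Cloud Tasks http_request body whose oidc_token audience matches the service."""
    return {
        "http_request": {
            "http_method": "POST",  # tasks_v2.HttpMethod.POST with the real client
            "url": url,
            # No Authorization header here: with oidc_token present, Cloud Tasks
            # sets Authorization to the ID token it mints for the service account.
            "headers": {"Accept": "application/json"},
            "oidc_token": {
                "service_account_email": service_account,
                "audience": audience_for(url),
            },
        }
    }


def check_oidc_claims(claims: dict, expected_audience: str,
                      expected_email: str = SERVICE_ACCOUNT,
                      now: Optional[float] = None) -> bool:
    """Claim checks for an ID token whose signature was already verified (assumed)."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False
    if claims.get("aud") != expected_audience:  # wrong or sub-path audience
        return False
    if claims.get("email") != expected_email or not claims.get("email_verified"):
        return False  # only the designated Cloud Tasks service account may call
    return float(claims.get("exp", 0)) > now
```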

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 guillaume blaquiere