Hi!
We have several cloud run services running behind a LB and others triggered from tasks. What should be the way to secure the last ones in order to be run only from a cloud task and not invoked from any other source ?
Thanks
Hi,
Could you elaborate on your set up? Are your Cloud Run services and the Cloud task invoking them in the same project? Are you using VPC, shared VPC, or VPC peering?
In general, the effective way to ensure that your Cloud Run services can only be invoked by another service, and securely, is to set the service's ingress to "internal" or "Internal and Load Balancing" and ensure that only the invoking service possesses the IAM invoker permission.
Note that additional considerations apply in order to reach your service if it is set to one of the ingress settings I mentioned above, which is why your Cloud Run service's general set up is important.
Additionally, you can set up service-to-service authentication so that your Cloud Run services require credentials from Cloud Tasks before granting access.
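As an added example (not from this reply or from Google's own tooling), the two halves of that advice expressed as code: an audit over the JSON that `gcloud run services describe --format json` (the ingress annotation) and `gcloud run services get-iam-policy --format json` (the invoker bindings) return, and the `tasks.create` request body that makes Cloud Tasks attach an OIDC token for a dedicated invoker service account. The project, service account and service URL are constructed placeholders.

```python
import base64
import json

# Constructed sample of an IAM policy as returned by
# `gcloud run services get-iam-policy SERVICE --region REGION --format json`.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/run.invoker",
         "members": ["serviceAccount:tasks-invoker@my-project.iam.gserviceaccount.com",
                     "allUsers"]},  # the public grant that makes the service invocable by anyone
    ],
    "version": 1,
}
# Constructed sample of metadata.annotations from `gcloud run services describe --format json`.
SAMPLE_ANNOTATIONS = {"run.googleapis.com/ingress": "all"}

LOCKED_DOWN_INGRESS = {"internal", "internal-and-cloud-load-balancing"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def audit_service(annotations, policy, allowed_invokers):
    """Return a list of findings; an empty list means only the expected
    invoker holds roles/run.invoker and ingress is not open to the internet."""
    findings = []
    ingress = annotations.get("run.googleapis.com/ingress", "all")
    if ingress not in LOCKED_DOWN_INGRESS:
        findings.append(f"ingress is '{ingress}'; expected one of {sorted(LOCKED_DOWN_INGRESS)}")
    for binding in policy.get("bindings", []):
        if binding["role"] != "roles/run.invoker":
            continue
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append(f"roles/run.invoker granted to {member} (publicly invocable)")
            elif member not in allowed_invokers:
                findings.append(f"unexpected invoker: {member}")
    return findings


def build_task_request(url, service_account_email, payload):
    """Body for the Cloud Tasks REST `tasks.create` call targeting a Cloud Run
    endpoint. Cloud Tasks mints an ID token as service_account_email with the
    given audience; Cloud Run only accepts it if that account holds
    roles/run.invoker. The HTTP body is base64-encoded bytes, per the API."""
    return {"task": {"httpRequest": {
        "httpMethod": "POST",
        "url": url,
        "headers": {"Content-Type": "application/json"},
        "body": base64.b64encode(json.dumps(payload).encode()).decode(),
        "oidcToken": {"serviceAccountEmail": service_account_email, "audience": url},
    }}}
```

Run the audit against the real `describe` and `get-iam-policy` output for each task-triggered service; the sample above yields two findings (open ingress and the `allUsers` invoker grant).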
Hi Bruno and thanks for your response.
Those services are under the same project. In fact, Google Cloud Functions triggered by Firestore events invoke tasks that are Cloud Run services. I did try setting the ingress as internal but got some issues.
We are not using VPC.
If set to "internal", the task system logs:
status: "PERMISSION_DENIED"
I'm going to check everything out to bring more details.
Thanks
Hi @nelsonlarocca. Did you find any solution for your scenario?
I have a Cloud Run service with ingress set to "internal". The Cloud Tasks that try to trigger the endpoints of this service receive PERMISSION_DENIED(7): HTTP status code 403.
Hi @nelsonlarocca and @evertoncastro10. Did you find a solution for this?
I have the same problem: "PERMISSION_DENIED(7): HTTP status code 403"
Thanks!