I want a URL:
To be called only by the google cron service
Not to be called by a user in a web browser
What's in the Google docs didn't work: when the cron service calls the servlet, it also gives me a 403 error - forbidden access...
And there is no security-related information regarding the app.yaml file for the flexible env.
Two observations I have made:
Do you have any ideas?
The referenced doc snippet mentioning the securing method based on login: admin config in the handlers section of the app.yaml file is incorrect - the handlers section is applicable to the (non-java) standard environment app.yaml, not the flexible environment one. So you might want to remove such undocumented config, just to be sure it doesn't have some unexpected/undesired negative effect.
Checking just the X-Appengine-Cron should be sufficient enough: it can only be set by the cron service of your app. From Securing URLs for cron:
Requests from the Cron Service will also contain a HTTP header:
X-Appengine-Cron: true
The X-Appengine-Cron header is set internally by Google App Engine. If your request handler finds this header it can trust that the request is a cron request. If the header is present in an external user request to your app, it is stripped, except for requests from logged in administrators of the application, who are allowed to set the header for testing purposes.
As for why exactly the response to the cron request is 403 - you should show your handler code which is (most likely) the one responsible for building the reply.
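The header check described in the answer above, written as a servlet filter. This is an added example, not code from the original question or answer: the class name `CronOnlyFilter` and the `/cron/*` URL pattern are assumptions, and it assumes the `javax.servlet` API is available in the app's runtime. Each rejection is logged so that an unexpected 403 on a real cron call can be traced to this check or ruled out.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: guards every URL under /cron/ (the path is an assumption).
@WebFilter(urlPatterns = "/cron/*")
public class CronOnlyFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(CronOnlyFilter.class.getName());
    private static final String CRON_HEADER = "X-Appengine-Cron";

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Per the quoted documentation, App Engine strips this header from
        // external user requests, so the value "true" marks a cron request.
        String cron = request.getHeader(CRON_HEADER);
        if (!"true".equals(cron)) {
            // Record which URL was refused and the header value actually seen.
            LOG.warning("Rejected request to " + request.getRequestURI()
                    + ": " + CRON_HEADER + (cron == null ? " missing" : " not 'true'"));
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Header present and valid: hand the request to the cron servlet.
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {}
}
```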