I have an App Engine worker that handles requests for my Google Cloud Tasks queue. How can I verify a request from my task queue, since it allows requests from any other host or client?
I tried reading the App Engine task request headers, but I think it is NOT enough for authenticating the request.
Furthermore, how can I verify a request from the same Google Cloud project (like internal services)?
Using the request headers is the best way to authenticate that the request is coming from Cloud Tasks. App Engine will strip headers from the request that try to mimic internal headers, like X-AppEngine-QueueName.
Unfortunately, in Python 3 there isn't a way to restrict to authenticated users like in Python 2.7 app.yaml.
Lastly, if this doesn't suffice, I recommend adding/signing your own JWT to the request header and authenticating it in your App Engine handler.
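One way to combine both checks from the answer above, as an added example that is not part of the original answer: the worker requires the X-AppEngine-QueueName header and an HS256 JWT that the enqueuing service attached to the task. The queue name, the `X-Task-Token` header name and the shared secret are assumptions made for illustration, and the JWT is built with the standard library here so the block runs offline (a maintained JWT library would normally take its place).

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: secret shared by enqueuer and worker
EXPECTED_QUEUE = "my-queue"          # assumption: hypothetical queue name
TOKEN_HEADER = "X-Task-Token"        # assumption: hypothetical custom header

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def sign_task_token(queue, ttl=300, now=None):
    """Enqueuer side: build the JWT that goes into the task's headers."""
    now = int(time.time() if now is None else now)
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"queue": queue, "exp": now + ttl}).encode())
    return f"{head}.{body}.{_b64(_mac(f'{head}.{body}'))}"

def verify_task_request(headers, now=None):
    """Worker side: True only if the App Engine header and the JWT both check out.

    `headers` is any mapping of request headers (e.g. a framework's request.headers).
    """
    now = int(time.time() if now is None else now)
    # App Engine strips this header from external requests, so its presence
    # with the expected value indicates the request came through Cloud Tasks.
    if headers.get("X-AppEngine-QueueName") != EXPECTED_QUEUE:
        return False
    try:
        head, body, sig = headers.get(TOKEN_HEADER, "").split(".")
        # Pin the algorithm instead of trusting the token's own header.
        if json.loads(_unb64(head)).get("alg") != "HS256":
            return False
        # Constant-time comparison of the recomputed signature.
        if not hmac.compare_digest(_mac(f"{head}.{body}"), _unb64(sig)):
            return False
        claims = json.loads(_unb64(body))
        return claims.get("queue") == EXPECTED_QUEUE and claims.get("exp", 0) > now
    except (ValueError, TypeError, AttributeError):
        return False  # malformed, missing or non-JSON token
```

A handler would call `verify_task_request(request.headers)` first and return 403 when it is false.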