I currently have a ReactJS frontend deployed as a service on Google App Engine (GAE), while my Flask backend API service is deployed on Google Cloud Run.
I made these choices to stay in the free tier while having reasonable limits. As my project was in a test phase, I had just been using the Cloud Run URL to make all my requests from the frontend. However, it is now time for me to make my Cloud Run API instance private and only let requests from my frontend in GAE be served.
I tried some Cloud Run Invoker permissions on the appspot service account but I was unable to make it work. I keep getting 403 Forbidden errors on my frontend. I am unsure how to proceed, as there is no documentation available on connecting GAE and Cloud Run.
The document here talks about generating a static website. You’ve said that you were connecting from App Engine to Cloud Run, but it seems that you are hosting your static site on App Engine. The connection then will not be from App Engine, but instead it will come from the end user's browser.
You need to remove the access restriction on your Cloud Run service. This is designed for service-to-service authentication, and is not suitable for end user authentication, especially for a public site or one with a large number of users.
There is another product called Firebase Auth, which might help you with this situation.
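The approach the answer describes, as an added example that is not part of the original post: the Cloud Run service stays publicly invokable, and the backend itself checks the end user's token on every request. The class name, the `verify` callable, the demo app and the sample token are assumptions made for illustration; with Firebase Auth, `verify` would be `firebase_admin.auth.verify_id_token`, and a Flask app can be wrapped with `app.wsgi_app = BearerAuthMiddleware(app.wsgi_app, verify)`.

```python
import json

class BearerAuthMiddleware:
    # verify: assumed callable that returns the token's claims or raises
    # (with Firebase Auth: firebase_admin.auth.verify_id_token).
    def __init__(self, app, verify):
        self.app, self.verify = app, verify

    def __call__(self, environ, start_response):
        # Browsers send CORS preflight requests without an Authorization
        # header, so OPTIONS must pass through or every API call fails.
        if environ.get("REQUEST_METHOD") == "OPTIONS":
            return self.app(environ, start_response)
        scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        if scheme.lower() != "bearer" or not token.strip():
            return self._reject(start_response, "missing bearer token")
        try:
            environ["auth.claims"] = self.verify(token.strip())
        except Exception:  # any verification failure is a 401, never a 500
            return self._reject(start_response, "invalid token")
        return self.app(environ, start_response)

    @staticmethod
    def _reject(start_response, reason):
        body = json.dumps({"error": reason}).encode()
        start_response("401 Unauthorized", [
            ("Content-Type", "application/json"),
            ("Content-Length", str(len(body))),
            ("WWW-Authenticate", "Bearer"),
        ])
        return [body]

def constructed_verify(token):
    # Constructed stand-in verifier: accepts one hard-coded sample token.
    if token != "constructed-valid-token":
        raise ValueError("bad token")
    return {"uid": "user-123"}

def demo_api(environ, start_response):
    # Constructed stand-in for the Flask API: echoes the authenticated uid.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ.get("auth.claims", {}).get("uid", "").encode()]

def call(app, method="GET", authorization=None):
    # Drive the WSGI app once and return (status, body).
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/api/items"}
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    seen = {}
    body = b"".join(app(environ, lambda status, headers: seen.update(status=status)))
    return seen["status"], body
```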