I have a REST API (implemented in Python) which is currently running on Google Cloud Run. I've configured it to:
and it currently it is working fine for me because I can log in (in the browser) with my google account (which has all required permissions). The problem which I am having is that I do not know (and cannot find) how to expose this REST API to a 3rd party back-end system. What I've tried so far is to create a global API Key which I want to pass in the request parameters but unfortunately that didn't work. I still get 403 error from Postman regardless if I pass the key or not.
I am aware that I can create a service account and grand it with CloudRun.invoker permission so it has permission to query my app but the only way I know to use it is via a service_account_key.json which doesn't work in my case as the client system doesn't implement any google-cloud functionality and it has to be rewritten.
If I could summarize - how to programatically authenticate to my Cloud Run application using a common technology as OAuth for example ?
More specifically - how do I impersonate a service account via OAuth or OAuth2.0 ?
You can use API gateway in front of Cloud Run. I wrote an article with ESPv2, but it's very similar to API gateway (which is managed ESPv2!). It should help you. https://medium.com/google-cloud/secure-cloud-run-cloud-functions-and-app-engine-with-api-key-73c57bededd1
API gateway is a light Apigee. Apigee is a great solution, but a monster! (that eats lot of time to configure and money to run!). cloud.google.com/api-gateway