I have a Cloud Run service behind an Identity-Aware Proxy. That service needs to perform service-to-service communications to other Cloud Run services. We are using service account credentials to do this, but we also want the actual user ID in the second service so we can enforce authorization if required.
What is the preferred way to do this? Just pass it in a header or as part of the API signature?
It's totally up to you, and it's an opinionated question. My personal preference is to set all the metadata of the request in the header and its main purpose in the body.
No strict rules, only a choice to make!
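
The header approach discussed above, as an added example that is not part of the original thread: the first service copies the user that IAP supplies into an outbound header, and the second service accepts that header only from an allowlisted calling service account. The `X-End-User-Email` header name, the allowlist entry and the `verified_caller` parameter (the email claim of an already verified ID token) are assumptions made for this sketch.

```python
# Added example; names marked "hypothetical" are assumptions, not from the thread.
IAP_EMAIL_HEADER = "X-Goog-Authenticated-User-Email"  # set by IAP on the first service
END_USER_HEADER = "X-End-User-Email"                  # hypothetical internal header
IAP_PREFIX = "accounts.google.com:"                   # prefix IAP puts before the email

# Hypothetical allowlist of service accounts permitted to assert an end user.
TRUSTED_CALLERS = {"frontend-sa@example-project.iam.gserviceaccount.com"}


def header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    return next((v for k, v in headers.items() if k.lower() == wanted), "")


def build_downstream_headers(incoming: dict, id_token: str) -> dict:
    """First service: forward the IAP-provided user on the outbound call.

    Only the IAP header is read, so an END_USER_HEADER sent by the browser
    is never propagated.
    """
    raw = header(incoming, IAP_EMAIL_HEADER)
    if not raw.startswith(IAP_PREFIX):
        raise PermissionError("request did not come through IAP")
    return {
        "Authorization": f"Bearer {id_token}",  # service account ID token
        END_USER_HEADER: raw[len(IAP_PREFIX):],
    }


def resolve_end_user(headers: dict, verified_caller: str) -> str:
    """Second service: trust the user header only from an allowlisted caller.

    verified_caller is assumed to be the email claim of the caller's ID token
    after its signature and audience have been checked.
    """
    if verified_caller not in TRUSTED_CALLERS:
        raise PermissionError("caller may not assert an end user")
    user = header(headers, END_USER_HEADER).strip().lower()
    if "@" not in user:
        raise PermissionError("missing or malformed end-user header")
    return user
```

A plain header carries no proof of its own, so the authorization decision in the second service rests on the authenticated caller identity, not on the header value.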