I am new to GCP. I have a cloud run servic. I am triggering the service using curl commands.
curl -X POST https://gcp.a.run.app/api/ -H "Authorization: bearer $(gcloud auth print-access-token)" -H "Content-Type: application/json" -d @anc.json -- client is not authorised 401 error.
curl -X POST https://gcp.a.run.app/api/ -H "Authorization: bearer $(gcloud auth print-identity-token)" -H "Content-Type: application/json" -d @anc.json -- working
Why does access token not work for cloud run? The system that's supposed to post http requests to the cloud run uses oauth 2.0 and access token. Is there someway i would be able to accommodate access token ?
I have a SA created which has the cloud run invoker access and key has been shared to the system that will post request to cloud run. I could ask them to generate Id_token using gcp metadata server but I want to understand why cloud run won't work with access token or will it?
For Google Cloud Run, there are two types of authorization.
To manage the Cloud Run service, you must use OAuth 2.0 access tokens.
To authorize a request to the container/application running inside Cloud Run, you must use an OIDC Identity Token.
The difference is that an access token contains scopes (permissions) to manage Google Cloud services. An identity token provides identity information for authorizing access to HTTP endpoints provided by the application running within the service.
In front of Cloud Run is the Identity Aware Proxy. If you have not enabled public (unauthenticated) access, the proxy validates HTTP requests via the HTTP authorization header. IAP validates OIDC identity tokens. The key parts of the identity token are the Google identity (email address) and the audience (service URL). IAP does not accept or validate OAuth access tokens.