Search code examples
google-cloud-platformauthorizationgoogle-cloud-tasks

Authorizing endpoint for Cloud Tasks

I'm working on integrating Cloud Tasks into my application, and would like to create tasks for my own endpoint that requires authorization. However, I'm not sure how to go about it.

According to the documentation for the Go Cloud Tasks library I'm using:

type HttpRequest_OidcToken struct {
    // If specified, an
    // [OIDC](https://developers.google.com/identity/protocols/OpenIDConnect)
    // token will be generated and attached as an `Authorization` header in the
    // HTTP request.
    //
    // This type of authorization can be used for many scenarios, including
    // calling Cloud Run, or endpoints where you intend to validate the token
    // yourself.
    OidcToken *OidcToken `protobuf:"bytes,6,opt,name=oidc_token,json=oidcToken,proto3,oneof"`
}

However, based on my understanding of OIDC, it's used for authentication, not authorization, and thus is not what I need.

So, my question is, how should I go about protecting my endpoint? I'd like only the service account used by the task queue to be able to access it. Is verifying the ID token and making sure the email is that of my service account sufficient for this purpose? Thanks!

Solution

  • Is verifying the ID token and making sure the email is that of my service account sufficient for this purpose?

    This should be enough as it is the recommended practice in GCP's documentation:

    To authenticate between Cloud Tasks and an HTTP Target handler that requires such authentication, Cloud Tasks creates a header token. This token is based on the credentials in the Cloud Tasks Enqueuer service account, identified by its email address. The service account used for authentication must be part of the same project where your Cloud Task queue resides. The request, with the header token, is sent, via HTTPS, from the queue to the handler. You can use either an ID token or an access token. ID tokens should generally be used for any handler running on Google Cloud, for example, on Cloud Functions or Cloud Run. The main exception is for Google APIs hosted on *.googleapis.com: these APIs expect an access token. You specify either an ID (OIDC) token or access (OAuth) token in the task itself.

    For additional security, you can consider using IAM conditions in your endpoint.

    On the other hand, if you are providing your own endpoint, you may refer to this documentation - Providing your own HTTP Target task handlers