Comments (11)
You are reporting two issues:
- Failed to fetch JWKS (the JWT public keys); the URL is specified in x-google-jwks_url in the OpenAPI spec.
- Failed to connect to a Google API, e.g. the Google Service Control API.
Unless x-google-jwks_uri specifies a Google API, they are two different problems; accessing a Google API may require different configuration than accessing other remote endpoints.
For 1), I think your egress needs to allow access to that jwks_uri.
For 2), it seems that Google Service Control is still not allowed; the report call is rejected.
You may have to check your egress settings to allow jwks_uri and the Google API.
from esp.
For 1) - I have this URL, https://www.googleapis.com/robot/v1/metadata/x509/<service_account>, as x-google-jwks-uri in the OpenAPI spec.
For 2) - The Google Service Control API also has a domain ending with *.googleapis.com.
The URLs in 1) & 2) translate into an IP address that is in the IP range 199.36.153.8/30.
It even connects when I telnet to the www.googleapis.com and servicecontrol.googleapis.com APIs from the host VM and the ESP container.
Please refer to the screenshot below; I have allowed egress to the same IP range in my firewall settings.
Not sure what is going wrong here. Please advise.
from esp.
Hmm, you may be using a private VPC, or your GCE VM only has an internal IP address. If so, you need to follow some special setup to access Google services.
I am not an expert in this area. I just happened to read this doc. You may need to find some help from other Google support.
from esp.
I'm not convinced about your IP range 199.36.153.8/30. Are you forming this based on your own observations? Here is the IP address I get from my local machine.
nareddyt-macbookpro% ping servicecontrol.googleapis.com
PING servicecontrol.googleapis.com (172.217.0.42): 56 data bytes
As Wayne said, this seems to be out of scope for us, we are not experts in this.
from esp.
@nareddyt It's as per the GCP documentation. Please refer to this link: Private Google Access
from esp.
@qiwzhang Yes, we are using a private VPC and we don't use an external address for our GCE VM.
from esp.
@qiwzhang It looks like a bug in connectivity between the Google service APIs managing the endpoints. Please direct this to the support team who can help in this regard.
from esp.
Could you post your evidence here so that I can create an external bug for you? Or you can create a bug for GCP yourself?
from esp.
I filed a bug for GCP Cloud APIs. Link for your reference: https://issuetracker.google.com/issues/169349072
from esp.
The problem got resolved by overriding the ESP container's default DNS resolver (8.8.8.8) with the correct DNS resolver.
from esp.
That makes sense. For a GCE VM with a private IP, it has to use the GCP metadata server as its DNS resolver.
from esp.
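An added example, not part of the thread or of the ESP project: a check that compares the addresses each DNS resolver returns against the firewall's egress allowlist, which is the mismatch the resolution above points to. The 199.36.153.8/30 range, 8.8.8.8 and the 172.217.0.42 answer come from the comments; 169.254.169.254 as the metadata server address, the other answers and all function names are assumptions made for illustration.

```python
import ipaddress
import socket

# Egress range the reporter allowed in the firewall (value from the thread).
ALLOWED_EGRESS = [ipaddress.ip_network("199.36.153.8/30")]


def blocked_answers(answers, allowed=ALLOWED_EGRESS):
    """Return {host: [ips]} for DNS answers that fall outside the egress allowlist."""
    blocked = {}
    for host, ips in answers.items():
        outside = [ip for ip in ips
                   if not any(ipaddress.ip_address(ip) in net for net in allowed)]
        if outside:
            blocked[host] = outside
    return blocked


def resolve_with_system_resolver(hosts, port=443):
    """Live IPv4 lookup through the resolver this host or container is configured with."""
    out = {}
    for host in hosts:
        infos = socket.getaddrinfo(host, port, family=socket.AF_INET,
                                   type=socket.SOCK_STREAM)
        out[host] = sorted({info[4][0] for info in infos})
    return out


# Constructed sample answers, keyed by the resolver that produced them.
# Only the 172.217.0.42 answer for servicecontrol appears in the thread.
SAMPLE_ANSWERS = {
    "8.8.8.8": {
        "servicecontrol.googleapis.com": ["172.217.0.42"],
        "www.googleapis.com": ["172.217.0.36"],
    },
    "169.254.169.254": {  # assumed metadata-server resolver address
        "servicecontrol.googleapis.com": ["199.36.153.10"],
        "www.googleapis.com": ["199.36.153.9"],
    },
}


def audit(answers_by_resolver):
    """Map each resolver to the hosts whose answers the firewall would drop."""
    return {resolver: blocked_answers(answers)
            for resolver, answers in answers_by_resolver.items()}


if __name__ == "__main__":
    for resolver, blocked in audit(SAMPLE_ANSWERS).items():
        print(resolver, "blocked:" if blocked else "all answers allowed", blocked or "")
```

To check a running deployment, pass the output of `resolve_with_system_resolver([...])`, run inside the ESP container, to `blocked_answers`.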