
cloud-run-proxy's Introduction

Cloud Run Proxy

📣 The Cloud Run Proxy functionality is now bundled in the Cloud SDK 🎉!

gcloud beta run services proxy

For more information, see the proxy documentation. The remainder of this README is for users wishing to compile or run the proxy outside of Cloud SDK.


Cloud Run Proxy is a small proxy to assist in authenticating as an end-user to Google Cloud Run. It leverages Cloud Run's existing Cloud IAM integration to handle access.

By default, users with the Cloud Run Invoker role (roles/run.invoker) have permission to call services. This is demonstrated multiple times in the Cloud Run documentation:

curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" https://my-service.a.run.app/

This works great for stateless API calls, but what if you have a semi-long-running service or a web interface to access via the browser? This is where Cloud Run Proxy can help!

Cloud Run Proxy runs a localhost proxy that behaves exactly as if you're calling the URL directly, except that it adds your local user's authentication info (from gcloud).

If you're familiar with the Cloud SQL Proxy, it's like that, but for Cloud Run.

Cloud Run Proxy is not an officially supported Google product.

Usage

Note: you must install and authenticate to the Google Cloud SDK (gcloud) for the proxy to pull your authentication token. Your local user must also have Cloud Run Invoker permissions on the target service.

  1. Install the proxy from the Releases page or manually:

    go install github.com/GoogleCloudPlatform/cloud-run-proxy@main
  2. Start the proxy:

    cloud-run-proxy -host https://my-service.a.run.app
  3. Point your browser or curl at http://localhost:8080!

Options

Change the local bind address:

cloud-run-proxy -bind "127.0.0.1:1234"

Obligatory security note: do not bind to 0.0.0.0 or your public IP. Anyone on your network would then be able to access your service unauthenticated. Always bind to a loopback.

Override the token (useful if you don't have gcloud installed):

cloud-run-proxy -token "yc..."

Specify a custom audience:

cloud-run-proxy -audience "https://my-service-daga283.run.app"

Note: when running on Compute Engine or other services with a metadata service, the audience defaults to the host URL. If you are accessing your Cloud Run service through a load balancer with a vanity domain, you must specify the audience value as the non-vanity URL of your service:

cloud-run-proxy -host "https://custom-domain.com" -audience "https://my-service-daga283.run.app"

cloud-run-proxy's People

Contributors

bschaatsbergen, dependabot[bot], dkbyo, itsmais, rokirok, sethvargo, yanweiguo, yolocs, zchee


cloud-run-proxy's Issues

Can't install google-cloud-sdk-cloud-run-proxy package

Following the GCP documentation, I can't successfully install the google-cloud-sdk-cloud-run-proxy package.

Here is my environment :

$ cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

First of all, when I simply want to launch the Cloud Run proxy, here is the message :

$ gcloud run services proxy myservice --project myproject --region europe-west1
Pausing command execution:

This command requires the `cloud-run-proxy` component to be installed. Would you like to install the `cloud-run-proxy` component to continue command execution? (Y/n)?  

ERROR: (gcloud.run.services.proxy) 
You cannot perform this action because the Google Cloud CLI component manager 
is disabled for this installation. You can run the following command 
to achieve the same result for this installation: 

sudo apt-get install google-cloud-sdk-cloud-run-proxy

So, I've successfully updated/upgraded my distro with sudo apt update and sudo apt upgrade.

And then, when I want to install it, I encounter this error :

$ sudo apt install google-cloud-sdk-cloud-run-proxy
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  google-cloud-sdk
Suggested packages:
  google-cloud-sdk-app-engine-java google-cloud-sdk-app-engine-python google-cloud-sdk-pubsub-emulator google-cloud-sdk-bigtable-emulator google-cloud-sdk-datastore-emulator
The following NEW packages will be installed:
  google-cloud-sdk google-cloud-sdk-cloud-run-proxy
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/166 MB of archives.
After this operation, 826 MB of additional disk space will be used.
Do you want to continue? [Y/n] 
(Reading database ... 66561 files and directories currently installed.)
Preparing to unpack .../google-cloud-sdk_455.0.0-0_all.deb ...

Unpacking google-cloud-sdk (455.0.0-0) ...
dpkg: error processing archive /var/cache/apt/archives/google-cloud-sdk_455.0.0-0_all.deb (--unpack):
 trying to overwrite '/usr/share/google-cloud-sdk/README', which is also in package google-cloud-cli 455.0.0-0
dpkg-deb: error: paste subprocess was killed by signal (Broken pipe)
Selecting previously unselected package google-cloud-sdk-cloud-run-proxy.
Preparing to unpack .../google-cloud-sdk-cloud-run-proxy_455.0.0-0_amd64.deb ...
Unpacking google-cloud-sdk-cloud-run-proxy (455.0.0-0) ...
Errors were encountered while processing:
 /var/cache/apt/archives/google-cloud-sdk_455.0.0-0_all.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

internal ingress

How does this work if ingress is set to internal only? Can the service still be proxied?

Feature Request: Refresh token on expiry (or quit!)

The requested token expires after 1hr normally. The tool knows this expire time, but will continue running.

If the tool could refresh the token automatically on expiry, or quit so that it could be relaunched automatically, then this would be a great additional feature.

Workaround:

while true ; do 
   ./cloud-run-proxy \
       -host "${SERVER_HOST}"  \
       -bind "127.0.0.1:8001" \
       -server-up-time 50m
done &

Forbidden with Application Default Credentials

Hello,

This isn't working for me when using only ADC.

I just get "Forbidden".

I tried this patch:

diff --git a/main.go b/main.go
index 8577665..41ddc8c 100644
--- a/main.go
+++ b/main.go
@@ -280,6 +280,8 @@ func (s *idTokenFromDefaultTokenSource) Token() (*oauth2.Token, error) {
                return nil, fmt.Errorf("missing id_token")
        }
 
+       fmt.Println(idToken)
+
        return &oauth2.Token{
                AccessToken: idToken,
                Expiry:      token.Expiry,
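
Review bot: The added fmt.Println(idToken) in Token() writes the full ID token, the same value returned as AccessToken, to stdout on every call, so a live bearer credential ends up in terminal scrollback and any captured output. For diagnosing the audience, print only the decoded aud claim and token.Expiry, send that to stderr, and keep the line out of any committed change.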

And when it outputs the token it is trying to use, when decoded, the aud value (audience) is:

764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com

I believe this is the client_id for the gcloud tool itself?

But it doesn't look like Cloud Run is accepting that token.

I've checked and my colleagues can replicate.

Regards,
iamacarpet
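
An added diagnostic for the audience note in the README and the aud mismatch reported in this issue (not code from the project or from the reporter): it decodes an ID token's aud and exp claims locally and compares them with the expected audience, without printing the token itself. The helper names and the sample token are constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

type claims struct {
	Aud string `json:"aud"` // a single string in Google ID tokens
	Exp int64  `json:"exp"` // expiry, seconds since the Unix epoch
}

// decodeClaims reads the payload WITHOUT verifying the signature (diagnosis only).
func decodeClaims(token string) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token is not a three-part JWT")
	}
	var c claims
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, &c)
	}
	return &c, err
}

// checkToken (hypothetical helper) explains why a token would not fit wantAud.
func checkToken(token, wantAud string, now time.Time) error {
	c, err := decodeClaims(token)
	if err != nil {
		return err
	}
	if c.Aud != wantAud {
		return fmt.Errorf("aud is %q, want %q", c.Aud, wantAud)
	}
	if exp := time.Unix(c.Exp, 0); !now.Before(exp) {
		return fmt.Errorf("token expired at %s", exp.UTC())
	}
	return nil
}

func main() {
	// Constructed, unsigned sample token; not a real credential.
	p := base64.RawURLEncoding.EncodeToString([]byte(`{"aud":"example.apps.googleusercontent.com","exp":4102444800}`))
	fmt.Println(checkToken("e30."+p+".sig", "https://my-service.a.run.app", time.Now()))
}
```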

go install @latest does not install latest

Running

go install github.com/GoogleCloudPlatform/cloud-run-proxy@latest

does not install the latest source code - it does not include the -server-up-time arg added in 6c0fc2d

Please can you add a new release tag to fix this.

$ go install github.com/GoogleCloudPlatform/cloud-run-proxy@latest
go: downloading github.com/GoogleCloudPlatform/cloud-run-proxy v0.2.0
...
$ go/bin/cloud-run-proxy -help
Usage of go/bin/cloud-run-proxy:
  -audience string
        override JWT audience value (aud)
  -bind string
        local host:port on which to listen (default "127.0.0.1:8080")
  -host string
        Cloud Run host for which to proxy
  -prepend-user-agent
        prepend a custom User-Agent header to requests (default true)
  -token string
        override OIDC token

Can it support grpc or http2 services on cloud run as well?

Thanks for creating the nice proxy here.

However, I seem to have some difficulty making it work with a grpc service running in cloud run.

So for example this works:

grpcurl -H "Authorization: Bearer $(gcloud auth print-identity-token)" xxx.a.run.app:443 list

xxx.Service

And if I run the proxy with:

cloud-run-proxy -host https://xxx.a.run.app -token $(gcloud auth print-identity-token)  -bind "0.0.0.0:8066"
http://0.0.0.0:8066 proxies to https://xxx.a.run.app

or

gcloud beta run services proxy xxx  --project xxx --region europe-west1 --port=8066

Then trying to talk to it gives a timeout:

grpcurl --plaintext localhost:8066 list
Failed to dial target host "localhost:8066": context deadline exceeded

Feature request: command line flag to use access token instead of identity token

Another use of this tool is as an authentication proxy to cloud storage, but this requires the access-token instead of the authentication token.

This is useful to point 3rd party tools that use unauthenticated HTTP access to URLs to a Cloud Storage Bucket.

(for example a local cache of an external site)

Example usage (with workaround using gcloud auth)

cloud-run-proxy \
       -host https://storage.googleapis.com/  \
       -token  "$(gcloud auth print-access-token)" \
       -bind "127.0.0.1:8001" \
       -server-up-time 50m

curl -L "http://localhost:8001/${BUCKET_NAME}/${OBJECT_PATH}" -o object_name

README says `cloud-sql-proxy`

In the README, I can read the binary is named cloud-sql-proxy, I guess it should be cloud-run-proxy. Is it a typo?
