Starter app and instructions for deploying a Go app protected by G Suite OAuth via Google Cloud Run so only your coworkers can access it.
Clone this repo and run the following commands from within the repo as a starting point.
- Install the `gcloud` CLI
- Create gcloud Project
- Ensure you have selected your new project in the top left, then note the Project ID under the "Project info" panel.
  ```bash
  export PROJECT_ID="FIXME"
  ```
- Authenticate and configure `gcloud`:
  ```bash
  gcloud auth login
  gcloud config set project ${PROJECT_ID}
  gcloud config set run/region us-west1
  ```
- Choose an application name, e.g. `gcloud-app`:
  ```bash
  export APP_NAME="FIXME"
  ```
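- Deploy this application, selecting `y` for all prompts.
  - Note: `Allow unauthenticated invocations to [gcloud-app] (y/N)?` is for IAM, not oauth2, so still respond with `y`. Answering `y` makes the service reachable without IAM credentials, so access control rests on the app's own OAuth login.
  ```bash
  gcloud run deploy ${APP_NAME}
  ```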
- Note the URL it is deployed at, e.g. `https://gcloud-app-random-xy.a.run.app`:
  ```bash
  export EXTERNAL_URI="FIXME"
  # or, if you have jq, read the URL from the deployed service
  export EXTERNAL_URI=$(gcloud run services describe "${APP_NAME}" --format=json | jq -r .status.url)
  echo "$EXTERNAL_URI"
  ```
- Create oauth credentials by clicking "+ New Credentials" then "Oauth client ID".
- Follow the prompt to configure the oauth consent screen first; make it internal, and only fill in required fields.
- You may need to select "Credentials" on the left and "+ New Credentials" again.
- Select "Web application" for application type.
- Run `echo ${EXTERNAL_URI}/auth/redirect` and add the output under "Authorized redirect URIs".
- Note the Client ID and Client Secret:
  ```bash
  export OAUTH_CLIENT_ID="FIXME"
  export OAUTH_CLIENT_SECRET="FIXME"
  ```
- Set these env vars on the service:
  ```bash
  gcloud run services update ${APP_NAME} --update-env-vars "EXTERNAL_URI=${EXTERNAL_URI},OAUTH_CLIENT_ID=${OAUTH_CLIENT_ID},OAUTH_CLIENT_SECRET=${OAUTH_CLIENT_SECRET}"
  ```
- Now you can log in to your app!
  ```bash
  open ${EXTERNAL_URI}
  ```
  You can log out by going to `${EXTERNAL_URI}/logout`.
- Finally, verify that only your coworkers have access to the application by trying to log in using a Google account that is not part of the Google workspace. You should get a screen from Google that says "Access blocked: can only be used within its organization."
- You can select and delete the project you just created in Cloud Resource Manager to guarantee you are not billed for any latent resources lying around.
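
A preflight check for the variables exported in the steps above, to run before `gcloud run services update`. This is an added example, not code from this repo; the function name `preflight` is hypothetical, and the client ID suffix check assumes the usual `.apps.googleusercontent.com` format of Google web client IDs.

```bash
# Added example (not from the repo): validate the exported variables before
# setting them on the Cloud Run service. Returns non-zero if any check fails.
preflight() {
  rc=0
  for name in PROJECT_ID APP_NAME EXTERNAL_URI OAUTH_CLIENT_ID OAUTH_CLIENT_SECRET; do
    eval "value=\${$name-}"   # names come only from the fixed list above
    if [ -z "$value" ] || [ "$value" = "FIXME" ]; then
      echo "$name is unset or still FIXME" >&2; rc=1
    fi
  done
  # --update-env-vars takes one comma-separated KEY=VALUE list, so a comma
  # inside a value would be split off as a separate, malformed entry.
  for name in EXTERNAL_URI OAUTH_CLIENT_ID OAUTH_CLIENT_SECRET; do
    eval "value=\${$name-}"
    case "$value" in
      *,*) echo "$name contains a comma" >&2; rc=1 ;;
    esac
  done
  # Cloud Run serves over https, and the registered redirect URI has to match
  # ${EXTERNAL_URI}/auth/redirect exactly, so reject a trailing slash.
  case "${EXTERNAL_URI-}" in
    https://*/) echo "EXTERNAL_URI ends with /, redirect URI would contain //" >&2; rc=1 ;;
    https://*) ;;
    *) echo "EXTERNAL_URI must start with https://" >&2; rc=1 ;;
  esac
  # Assumption: web client IDs end in .apps.googleusercontent.com. This
  # catches a swapped client ID and client secret.
  case "${OAUTH_CLIENT_ID-}" in
    *.apps.googleusercontent.com) ;;
    *) echo "OAUTH_CLIENT_ID does not look like a client ID" >&2; rc=1 ;;
  esac
  return "$rc"
}
```

Source the function in the same shell as the exports and chain it in front of the update command, e.g. `preflight && gcloud run services update ...`.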