Local proxy for authenticating requests to Cloud Run

Overview

Cloud Run Proxy

Cloud Run Proxy is a small proxy to assist in authenticating as an end-user to Google Cloud Run. It leverages Cloud Run's existing Cloud IAM integration to handle access.

By default, users with the Cloud Run Invoker role (roles/run.invoker) have permission to call services. This is demonstrated multiple times in the Cloud Run documentation:

curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" https://my-service.a.run.app/

This works great for stateless API calls, but what if you have a long-running session or a web interface you want to open in a browser, where you cannot attach an Authorization header to every request yourself? This is where Cloud Run Proxy can help!

Cloud Run Proxy runs a localhost proxy that behaves exactly as if you're calling the URL directly, except that it adds an Authorization: Bearer header carrying your local user's identity token (obtained from gcloud) to every forwarded request.

If you're familiar with the Cloud SQL Proxy, it's like that, but for Cloud Run.

Usage

Note: you must have the Google Cloud SDK (gcloud) installed and be authenticated to it for the proxy to pull your identity token. Your local user must also have the Cloud Run Invoker role (roles/run.invoker) on the target service.

  1. Install the proxy:

    go get github.com/sethvargo/cloud-run-proxy
  2. Start the proxy:

    cloud-run-proxy -host https://my-service.a.run.app
  3. Point your browser or curl at http://localhost:8080!

Options

Change the local bind address:

cloud-run-proxy -bind "127.0.0.1:1234"

Obligatory security note: do not bind to 0.0.0.0 or your public IP. Anyone who can reach that port would then be able to send requests through the proxy, and the proxy would forward them to your service authenticated as you. Always bind to a loopback address (127.0.0.1 or ::1).

Override the token (useful if you don't have gcloud installed):

cloud-run-proxy -token "yc..."

A token passed this way is a bearer credential: it ends up in your shell history and is visible in the process list for as long as the proxy runs, so prefer supplying it from a command substitution or the environment rather than pasting it literally.
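How such a proxy fits together, as an added example that is not the project's own code: a loopback-only listener that refuses non-loopback bind addresses, fetches an identity token with gcloud auth print-identity-token (the command shown in the Overview; a one-hour lifetime is assumed because gcloud prints only the token), caches it until shortly before expiry, and forwards every request with the upstream hostname as Host and a replaced Authorization header. The service URL, bind address and refresh margin are placeholders chosen for the example.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os/exec"
	"strings"
	"sync"
	"time"
)

// TokenFunc fetches a fresh bearer token and the time it expires.
type TokenFunc func() (token string, expiry time.Time, err error)

// gcloudIdentityToken runs the same command the README pairs with curl. gcloud
// prints only the token, so a one-hour lifetime is assumed rather than decoded.
func gcloudIdentityToken() (string, time.Time, error) {
	out, err := exec.Command("gcloud", "auth", "print-identity-token").Output()
	if err != nil {
		return "", time.Time{}, fmt.Errorf("gcloud auth print-identity-token: %w", err)
	}
	return strings.TrimSpace(string(out)), time.Now().Add(time.Hour), nil
}

// cachedToken reuses one token until it is within margin of expiring, then fetches
// a new one, so a proxy left running past the token lifetime keeps working.
type cachedToken struct {
	mu     sync.Mutex
	fetch  TokenFunc
	margin time.Duration
	tok    string
	exp    time.Time
}

func (c *cachedToken) Token() (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.tok != "" && time.Now().Add(c.margin).Before(c.exp) {
		return c.tok, nil
	}
	tok, exp, err := c.fetch()
	if err != nil {
		return "", err
	}
	c.tok, c.exp = tok, exp
	return tok, nil
}

// checkLoopback enforces the README's security note in code: the listener must not
// be reachable from the network, because every request through it carries your token.
func checkLoopback(bind string) error {
	host, _, err := net.SplitHostPort(bind)
	if err != nil {
		return err
	}
	if host == "localhost" {
		return nil
	}
	if ip := net.ParseIP(host); ip == nil || !ip.IsLoopback() {
		return fmt.Errorf("refusing to bind %q: not a loopback address", bind)
	}
	return nil
}

// newHandler builds the proxy. It sets the upstream hostname as the Host header
// (Cloud Run routes on it) and replaces, never appends to, the Authorization
// header, so a client-supplied header cannot reach the service in place of ours.
func newHandler(upstream *url.URL, tokens *cachedToken) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	director := rp.Director
	rp.Director = func(r *http.Request) {
		director(r)
		r.Host = upstream.Host
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok, err := tokens.Token()
		if err != nil {
			http.Error(w, "could not obtain identity token: "+err.Error(), http.StatusBadGateway)
			return
		}
		r.Header.Set("Authorization", "Bearer "+tok)
		rp.ServeHTTP(w, r)
	})
}

func main() {
	// Placeholder settings for this example; the project reads -host and -bind flags.
	upstream := &url.URL{Scheme: "https", Host: "my-service.a.run.app"}
	bind := "127.0.0.1:8080"
	if err := checkLoopback(bind); err != nil {
		log.Fatal(err)
	}
	tokens := &cachedToken{fetch: gcloudIdentityToken, margin: 5 * time.Minute}
	log.Fatal(http.ListenAndServe(bind, newHandler(upstream, tokens)))
}
```

With gcloud authenticated, run it and browse to http://127.0.0.1:8080. Two choices matter for security: the loopback check is enforced in code rather than left to the documentation, and the handler overwrites whatever Authorization header the browser sends instead of adding a second one, so nothing attacker-controlled reaches the service ahead of your token.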
Comments
  • Forbidden with Application Default Credentials

    Hello,

    This isn't working for me when using only ADC.

    I just get "Forbidden".

    I tried this patch:

    diff --git a/main.go b/main.go
    index 8577665..41ddc8c 100644
    --- a/main.go
    +++ b/main.go
    @@ -280,6 +280,8 @@ func (s *idTokenFromDefaultTokenSource) Token() (*oauth2.Token, error) {
                    return nil, fmt.Errorf("missing id_token")
            }
     
    +       fmt.Println(idToken)
    +
            return &oauth2.Token{
                    AccessToken: idToken,
                    Expiry:      token.Expiry,
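    Review bot: fmt.Println(idToken) in this hunk writes the complete ID token, a live bearer credential for your Google identity, to stdout, where it persists in terminal scrollback and in anything capturing the proxy's output. For diagnosing the aud problem, decode the payload segment and print only the aud, exp and email claims, or at least gate the print behind a debug flag so it cannot be left in a build. The extra blank "+" line after the print is also unnecessary.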
    

    When it outputs the token it is trying to use and I decode it, the aud (audience) value is:

    764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com

    I believe this is the client_id for the gcloud tool itself?

    But it doesn't look like Cloud Run is accepting that token.

    I've checked and my colleagues can replicate.

    Regards, iamacarpet

    opened by iamacarpet 4
  • go install @latest does not install latest

    Running

    go install github.com/GoogleCloudPlatform/cloud-run-proxy@latest

    does not install the latest source code: it does not include the -server-up-time arg added in 6c0fc2d5f4998bf8f38ee44a1321b787887fe9ec.

    Please can you add a new release tag to fix this.

    $ go install github.com/GoogleCloudPlatform/cloud-run-proxy@latest
    go: downloading github.com/GoogleCloudPlatform/cloud-run-proxy v0.2.0
    ...
    $ go/bin/cloud-run-proxy -help
    Usage of go/bin/cloud-run-proxy:
      -audience string
            override JWT audience value (aud)
      -bind string
            local host:port on which to listen (default "127.0.0.1:8080")
      -host string
            Cloud Run host for which to proxy
      -prepend-user-agent
            prepend a custom User-Agent header to requests (default true)
      -token string
            override OIDC token
    
    opened by nielm 2
  • Add support for pulling ID Tokens from the metadata server

    This adds support for cloud-run-proxy to pull ID Tokens from the metadata server instead of always assuming gcloud. This means it will work on a GCE VM or Cloud Run service.

    However, this requires a user to specify an audience value for the JWT. When using the gcloud token, Cloud Run trusts the gcloud client IDs as valid aud values, but the only truly accepted value is the URL of the server. That's fine - we have the URL of the service because we need it to proxy, but it does introduce an edge case where a Cloud Run service is fronted by a Load Balancer and the Load Balancer is serving a vanity URL. In this case, the user must specify the "host" value as the Load Balancer DNS entry, but the "audience" value must be the .run.app URL.

    opened by sethvargo 2
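To debug the Forbidden response reported in the first issue, and to apply the audience rule described in this pull request, one can inspect the claims of the token the proxy is about to send without ever printing the token itself. The following is an added example, not the project's code: it decodes the JWT payload (no signature verification, which is Cloud Run's job), accepts aud as either a string or an array as RFC 7519 allows, and reports whether the audience matches the expected service URL or the token has expired. The expectedAudience helper mirrors the rule stated in the PR text (the .run.app URL, overridable for the load balancer case). The sample token is constructed and unsigned, and the service URL and e-mail address are placeholders.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// idTokenClaims holds the claims worth checking when Cloud Run answers 403.
type idTokenClaims struct {
	Issuer   string
	Audience []string
	Email    string
	Expiry   time.Time
}

// peekClaims decodes the payload of a compact JWT without verifying it. It is a
// debugging aid for the proxy's own token (Cloud Run does the real verification)
// and never returns or prints the raw token.
func peekClaims(token string) (idTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return idTokenClaims{}, errors.New("not a compact JWT: want header.payload.signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return idTokenClaims{}, fmt.Errorf("decoding payload: %w", err)
	}
	var raw struct {
		Iss   string          `json:"iss"`
		Aud   json.RawMessage `json:"aud"` // RFC 7519: a string or an array of strings
		Email string          `json:"email"`
		Exp   int64           `json:"exp"`
	}
	if err := json.Unmarshal(payload, &raw); err != nil {
		return idTokenClaims{}, fmt.Errorf("parsing claims: %w", err)
	}
	c := idTokenClaims{Issuer: raw.Iss, Email: raw.Email, Expiry: time.Unix(raw.Exp, 0)}
	var single string
	if json.Unmarshal(raw.Aud, &single) == nil {
		c.Audience = []string{single}
	} else if err := json.Unmarshal(raw.Aud, &c.Audience); err != nil {
		return idTokenClaims{}, fmt.Errorf("aud claim missing or malformed: %w", err)
	}
	return c, nil
}

// expectedAudience follows the rule in the pull request text: the audience is the
// service's own .run.app URL, i.e. the -host value, unless a load balancer vanity
// hostname is being proxied and the .run.app URL is passed separately.
func expectedAudience(host, audienceOverride string) string {
	if audienceOverride != "" {
		return audienceOverride
	}
	return host
}

// diagnose explains a 403 from the claims alone. An empty result means the token
// itself looks fine, which points at the roles/run.invoker binding instead.
func diagnose(c idTokenClaims, wantAud string, now time.Time) string {
	if !c.Expiry.After(now) {
		return "token expired at " + c.Expiry.UTC().Format(time.RFC3339)
	}
	for _, a := range c.Audience {
		if a == wantAud {
			return ""
		}
	}
	return fmt.Sprintf("audience mismatch: token aud=%v, service expects %q", c.Audience, wantAud)
}

// unsignedJWT builds a constructed token for the demo; it carries no signature,
// unlike a real Google ID token, and is only good for exercising peekClaims.
func unsignedJWT(claims map[string]interface{}) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return enc(map[string]string{"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
}

func main() {
	// Constructed token whose aud is the gcloud client ID quoted in the issue above.
	tok := unsignedJWT(map[string]interface{}{
		"iss":   "https://accounts.google.com",
		"aud":   "764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com",
		"email": "user@example.com",
		"exp":   time.Now().Add(time.Hour).Unix(),
	})
	c, err := peekClaims(tok)
	if err != nil {
		panic(err)
	}
	want := expectedAudience("https://my-service.a.run.app", "")
	fmt.Println(diagnose(c, want, time.Now()))
}
```

Run against the token the proxy actually uses (for example the output of gcloud auth print-identity-token), this prints an audience mismatch for the gcloud client ID and nothing at all for a token minted for the service URL, which separates the two causes of a 403 the comments above are debating: a token Cloud Run will not accept versus a missing invoker binding.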
  • Feature Request: Refresh token on expiry (or quit!)

    The requested token normally expires after 1 hour. The tool knows this expiry time, but will continue running.

    If the tool could refresh the token automatically on expiry, or quit so that it could be relaunched automatically, then this would be a great additional feature.

    Workaround:

    while true ; do 
       ./cloud-run-proxy \
           -host "${SERVER_HOST}"  \
           -bind "127.0.0.1:8001" \
           -server-up-time 50m
    done &
    
    opened by nielm 1
  • Feature request: command line flag to use access token instead of identity token

    Another use of this tool is as an authentication proxy to Cloud Storage, but this requires the access token instead of the authentication token.

    This is useful for pointing 3rd-party tools that fetch URLs over unauthenticated HTTP at a Cloud Storage bucket.

    (for example a local cache of a external site)

    Example usage (with workaround using gcloud auth)

    cloud-run-proxy \
           -host https://storage.googleapis.com/  \
           -token  "$(gcloud auth print-access-token)" \
           -bind "127.0.0.1:8001" \
           -server-up-time 50m
    
    curl -L "http://localhost:8001/${BUCKET_NAME}/${OBJECT_PATH}" -o object_name
    
    opened by nielm 1
  • Handle redirection properly

    Problem: at the moment, if a proxied Cloud Run service attempts to redirect with an absolute URL (Location header = https://xxx.run.app/xxx), the redirection fails because it will no longer go through the proxy.

    opened by yolocs 1
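One way to address the redirect problem in this issue, as an added example rather than the project's own fix: a ModifyResponse hook for httputil.ReverseProxy that rewrites absolute Location headers pointing at the upstream host back to the local listener, while leaving relative redirects and redirects to other hosts (an identity provider, say) untouched. The hostnames and bind address are placeholders; the response in main is constructed for the demo.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// rewriteLocation is a ReverseProxy.ModifyResponse hook. When the service answers
// with an absolute redirect to its own host, the browser would follow it straight
// to Cloud Run, bypassing the proxy and arriving without a token. The hook points
// such redirects back at the local listener. Relative redirects already stay on
// the proxy, and redirects to other hosts are left alone.
func rewriteLocation(resp *http.Response, upstream *url.URL, localAddr string) error {
	loc := resp.Header.Get("Location")
	if loc == "" {
		return nil
	}
	u, err := url.Parse(loc)
	if err != nil {
		return fmt.Errorf("bad Location header %q: %w", loc, err)
	}
	if !u.IsAbs() || !strings.EqualFold(u.Host, upstream.Host) {
		return nil
	}
	u.Scheme = "http" // the proxy listens on plain HTTP on loopback
	u.Host = localAddr
	resp.Header.Set("Location", u.String())
	return nil
}

func main() {
	// Constructed response standing in for what the Cloud Run service returns.
	upstream := &url.URL{Scheme: "https", Host: "my-service.a.run.app"}
	resp := &http.Response{StatusCode: http.StatusFound, Header: http.Header{}}
	resp.Header.Set("Location", "https://my-service.a.run.app/login?next=%2Fadmin")
	if err := rewriteLocation(resp, upstream, "127.0.0.1:8080"); err != nil {
		panic(err)
	}
	fmt.Println(resp.Header.Get("Location")) // http://127.0.0.1:8080/login?next=%2Fadmin
}
```

Wire it into the proxy with rp.ModifyResponse = func(r *http.Response) error { return rewriteLocation(r, upstream, bind) }. Matching on the upstream host only is deliberate: rewriting every absolute redirect would send third-party URLs (for example a login page on another domain) to the local listener, where they cannot be served.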
  • Change installation step to go install @latest

    If I don't have the repo cloned, running go get github.com/GoogleCloudPlatform/cloud-run-proxy results in the following:

    $ go get github.com/GoogleCloudPlatform/cloud-run-proxy
    go: go.mod file not found in current directory or any parent directory.
            'go get' is no longer supported outside a module.
            To build and install a command, use 'go install' with a version,
            like 'go install example.com/cmd@latest'
            For more information, see https://golang.org/doc/go-get-install-deprecation
            or run 'go help get' or 'go help install'.

    As a user I would prefer to see a go install reference to avoid having to clone the repo.

    opened by bschaatsbergen 0
Releases: v0.3.0

Owner: Seth Vargo, Engineer @google