Google Cloud API Gateway cannot invoke a Cloud Run service when using Firebase authentication

Šim*_*ime 1 google-cloud-platform google-cloud-functions google-cloud-run google-cloud-api-gateway google-cloud-auth

I am using an API Gateway with Firebase JWT authorization (so that users can sign in with Google) which forwards requests to a Cloud Run service and to one Cloud Functions service.

My API Gateway configuration looks like this:

```yaml
swagger: '2.0'
info:
  version: '1.0.0'
  title: 'BFF'
  description: Backend For Frontend
schemes:
  - https
security:
  - firebase: []
securityDefinitions:
  firebase:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://securetoken.google.com/${PROJECT}"
    x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com"
    x-google-audiences: ${PROJECT}
paths:
  /test/auth:
    post:
      operationId: testAuth
      summary: Test auth
      produces:
        - application/json
      x-google-backend:
        address: https://${REGION}-${PROJECT}.cloudfunctions.net/auth-test
      responses:
        '200':
          description: 'Response returns user related data from JWT'
  /record/new:
    post:
      operationId: crateRecord
      summary: Create new record
      x-google-backend:
        address: ${RUN_SERVICE_URL}:${RUN_SERVICE_PORT}/new
      produces:
      - application/json
      parameters:
        - in: body
          name: data
          description: Data for new record
          schema:
            $ref: '#/definitions/Record'
      responses:
        '200':
          description: New record data
          schema:
              $ref: '#/definitions/Record'
        '400':
          description: Invalid input data
```

The problem is that, for some reason, the API Gateway cannot invoke the Cloud Run service, although it can invoke the Cloud Function:

```text
            ┍ Client is passing authorization token in header
            |
            |            ┍ Auth is successful and request is forwarded to cloud run
            |            |
            |            |           ┍ 401 unauthorized to invoke cloud run
            |            |           |
            ↓            ↓           ↓
Client -----------> API Gateway -----X-----> Cloud run service
```

The API Gateway service account has the following relevant roles: roles/cloudfunctions.invoker, roles/run.invoker, roles/iam.serviceAccountUser

The Cloud Run service also has an IAM binding for the gateway service account with the role roles/run.invoker.

When I use the /test/auth route I can see that the Firebase authentication works as expected: I can trigger the Cloud Function without any problem, and in its response the function returns the x-apigateway-api-userinfo data as expected. But when I make a request with the same authorization token to the Cloud Run service route /record/new, I get:

```text
www-authenticate: Bearer error="invalid_token" error_description="The access token could not be verified"

401 Unauthorized

Your client does not have permission to the requested URL /new.
```

I have run out of ideas about what could be wrong; any suggestions would be helpful.

gui*_*ere 7

With Cloud Functions, the identity token that is created automatically contains the correct audience. That is not the case when you call Cloud Run: you have to state the Cloud Run audience explicitly.

```yaml
  /record/new:
    post:
      operationId: crateRecord
      summary: Create new record
      x-google-backend:
        address: ${RUN_SERVICE_URL}:${RUN_SERVICE_PORT}/new
        jwt_audience: ${RUN_SERVICE_URL}
```

Try it; it should work now.
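As an added illustration of the mechanism behind the answer (this script is not part of the question or the answer, and it is not Google's code), the following Python shows what an IAM-protected backend like Cloud Run does with the identity token the gateway attaches to the forwarded request: it checks the signature, the expiry and, crucially, that the aud claim equals the service's own URL. A token bound to any other audience is refused with exactly the "could not be verified" style of 401 seen above, even though the token is otherwise valid and the gateway's service account holds roles/run.invoker. The service URL, project id and signing key are constructed placeholders for ${RUN_SERVICE_URL} and ${PROJECT}; real Google identity tokens are RS256-signed and verified against Google's public keys, and HS256 with a local key stands in for that here only so the script runs offline. The peek_audience helper is the first diagnostic to run on a forwarded token when a backend answers 401.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed stand-ins for the placeholders in the gateway config above.
RUN_SERVICE_URL = "https://record-service-abc123-uc.a.run.app"  # ${RUN_SERVICE_URL}
PROJECT = "example-project"                                     # ${PROJECT}

# Constructed signing key. Google-issued identity tokens are RS256-signed by
# Google; HS256 with a local key is used here only so the script runs offline.
SIGNING_KEY = b"constructed-demo-key-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(audience: str, email: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """Build a signed JWT whose aud claim is `audience`: a stand-in for the
    identity token the gateway attaches when it forwards to the backend."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": "https://accounts.google.com", "aud": audience,
               "email": email, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def peek_audience(token: str) -> Optional[str]:
    """Read the aud claim WITHOUT verifying anything: the first thing to look at
    when a backend answers 401 'The access token could not be verified'."""
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
    except (IndexError, ValueError):
        return None
    return payload.get("aud")


def check_token(token: str, service_url: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Verify signature, expiry and audience in the order a backend does.
    The audience must equal this service's URL; nothing else is accepted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    signing_input = parts[0] + "." + parts[1]
    expected = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        return False, "bad signature"
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return False, "malformed payload"
    if payload.get("exp", 0) <= now:
        return False, "expired"
    if payload.get("aud") != service_url:
        return False, "audience mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed: a token whose audience is the full backend address with port
    # and path rather than the bare service URL, and one bound to the project id.
    for aud in (RUN_SERVICE_URL + ":8080/new", PROJECT, RUN_SERVICE_URL):
        tok = mint_token(aud, "user@example.com")
        print("aud =", peek_audience(tok), "->", check_token(tok, RUN_SERVICE_URL))
```

Only the token minted with the bare service URL as audience is accepted, which is why the answer sets jwt_audience to ${RUN_SERVICE_URL} rather than leaving the audience implied by the address (which here carries a port and a path).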