GCP authentication (proto)

This extension has the qualified name envoy.filters.http.gcp_authn

Note

This extension is functional but has not had substantial production burn time, use only with this caveat.

This extension has an unknown security posture and should only be used in deployments where both the downstream and upstream are trusted.

Tip

This extension extends and can be used with the following extension category:

envoy.filters.http

This extension must be configured with one of the following type URLs:

type.googleapis.com/envoy.extensions.filters.http.gcp_authn.v3.GcpAuthnFilterConfig

GCP authentication configuration overview.

extensions.filters.http.gcp_authn.v3.GcpAuthnFilterConfig

[extensions.filters.http.gcp_authn.v3.GcpAuthnFilterConfig proto]

Filter configuration.

{
  "http_uri": {...},
  "retry_policy": {...},
  "cache_config": {...},
  "token_header": {...},
  "cluster": ...,
  "timeout": {...}
}

http_uri

(config.core.v3.HttpUri) The HTTP URI to fetch tokens from GCE Metadata Server(https://cloud.google.com/compute/docs/metadata/overview). The URL format is “http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=[AUDIENCE]”

This field is deprecated because it does not match the API surface provided by the google auth libraries. Control planes should not attempt to override the metadata server URI. The cluster and timeout can be configured using the cluster and timeout fields instead. For backward compatibility, the cluster and timeout configured in this field will be used if the new cluster and timeout fields are not set.

retry_policy: (config.core.v3.RetryPolicy) Retry policy for fetching tokens. Not supported by all data planes.

cache_config: (extensions.filters.http.gcp_authn.v3.TokenCacheConfig) Token cache configuration. This field is optional.

token_header: (extensions.filters.http.gcp_authn.v3.TokenHeader) Request header location to extract the token. By default (i.e. if this field is not specified), the token is extracted to the Authorization HTTP header, in the format “Authorization: Bearer <token>”. Not supported by all data planes.

cluster: (string) Cluster to send traffic to the GCE metadata server. Not supported by all data planes; a data plane may instead have its own mechanism for contacting the metadata server.

timeout: (Duration) Timeout for fetching the tokens from the GCE metadata server. Not supported by all data planes.

extensions.filters.http.gcp_authn.v3.Audience

[extensions.filters.http.gcp_authn.v3.Audience proto]

Audience is the URL of the receiving service that performs token authentication. It will be provided to the filter through cluster’s typed_filter_metadata.

{
  "url": ...
}

url: (string, REQUIRED)

extensions.filters.http.gcp_authn.v3.TokenCacheConfig

[extensions.filters.http.gcp_authn.v3.TokenCacheConfig proto]

Token Cache configuration.

{
  "cache_size": {...}
}

cache_size: (UInt64Value) The number of cache entries. The maximum number of entries is INT64_MAX as it is constrained by underlying cache implementation. Default value 0 (i.e., proto3 defaults) disables the cache by default. Other default values will enable the cache.

extensions.filters.http.gcp_authn.v3.TokenHeader

[extensions.filters.http.gcp_authn.v3.TokenHeader proto]

{
  "name": ...,
  "value_prefix": ...
}

name: (string, REQUIRED) The HTTP header’s name.

value_prefix: (string) The header’s prefix. The format is “value_prefix<token>” For example, for “Authorization: Bearer <token>”, value_prefix=”Bearer “ with a space at the end.