GCP Authentication Filter

This filter fetches authentication tokens from the Google Compute Engine (GCE) metadata server. In an architecture with multiple services that need to communicate with each other, service-to-service authentication is needed when the services are private and require credentials for access.

Configuration

  • This filter should be configured with the type URL type.googleapis.com/envoy.extensions.filters.http.gcp_authn.v3.GcpAuthnFilterConfig.

The filter configuration (v3 API reference) has three fields:

  • http_uri specifies the HTTP URI for fetching the token from the Google Compute Engine (GCE) metadata server. The URL format is http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=[AUDIENCE]. The AUDIENCE field is provided by configuration; see the details below.

  • retry_policy specifies the retry policy to use if fetching a token fails. This field is optional. If it is not configured, the filter is fail-closed (i.e., it rejects the request).

  • cache_config specifies the configuration of the token cache, which is used to avoid duplicate queries to the GCE metadata server for the same request.

The audience configuration (v3 API reference) is the URL of the destination service, i.e. the receiving service that the calling service is invoking. This information is provided through the cluster's metadata field.

The token cache configuration (v3 API reference) is used to avoid redundant queries to the authentication server (the GCE metadata server in the context of this filter) for duplicated tokens.

Configuration example

Resource configuration example:

clusters:
- name: cluster_0
  # Cluster for fake destination service which has typed metadata that contains the audience information.
  load_assignment:
    cluster_name: cluster_0
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: 0.0.0.0
              port_value: 8000
  typed_extension_protocol_options:
    envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
      "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
      explicit_http_config:
        http2_protocol_options:
          {}
  metadata:
    typed_filter_metadata:
      envoy.filters.http.gcp_authn:
        "@type": type.googleapis.com/envoy.extensions.filters.http.gcp_authn.v3.Audience
        url: http://test.com
# Cluster for GCE metadata server
- name: gcp_authn
  type: STRICT_DNS
  connect_timeout: 5s
  dns_lookup_family: V4_ONLY
  load_assignment:
    cluster_name: "gcp_authn"
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: "metadata.google.internal"
              port_value: 80

HTTP filter configuration example:

  - filters:
    - name: "http"
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
        codec_type: HTTP2
        stat_prefix: "config_test"
        route_config:
          name: "route_config_0"
          virtual_hosts:
          - name: "integration"
            domains: ["*"]
            routes:
            - match:
                prefix: "/"
              route:
                cluster: "cluster_0"
        # A single http_filters list: the gcp_authn filter runs first, the router last.
        http_filters:
        - name: "envoy.filters.http.gcp_authn"
          typed_config:
            # Type URL of the filter config, as documented above.
            "@type": type.googleapis.com/envoy.extensions.filters.http.gcp_authn.v3.GcpAuthnFilterConfig
            # http_uri belongs inside typed_config; [AUDIENCE] is filled from the upstream cluster's Audience metadata.
            http_uri:
              uri: "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=[AUDIENCE]"
              cluster: "gcp_authn"
              timeout:
                seconds: 10
        - name: envoy.filters.http.router
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
clusters:
- name: cluster_0
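As an added illustration (not Envoy's code and not part of this page), the following Python models the data flow the configuration above describes: the audience is read from the upstream cluster's typed_filter_metadata, substituted into the [AUDIENCE] placeholder of http_uri, the resulting token is cached per audience so the metadata server is not queried twice, and a failed fetch rejects the request (fail-closed). The fetch callable and the RejectRequest/GcpAuthnModel names are assumptions of this model.

```python
from typing import Callable, Dict, Optional

FILTER_NAME = "envoy.filters.http.gcp_authn"
AUDIENCE_TYPE = "type.googleapis.com/envoy.extensions.filters.http.gcp_authn.v3.Audience"
# http_uri format from the filter documentation; [AUDIENCE] is substituted per upstream cluster.
IDENTITY_URI = ("http://metadata.google.internal/computeMetadata/v1/instance/"
                "service-accounts/default/identity?audience=[AUDIENCE]")


class RejectRequest(Exception):
    """Raised when no token can be obtained: without a retry policy the filter is fail-closed."""


def audience_for_cluster(cluster: dict) -> Optional[str]:
    """Return the Audience URL from the cluster's typed_filter_metadata, or None if absent."""
    meta = cluster.get("metadata", {}).get("typed_filter_metadata", {}).get(FILTER_NAME)
    if not meta or meta.get("@type") != AUDIENCE_TYPE:
        return None
    return meta.get("url")


def identity_uri(audience: str, template: str = IDENTITY_URI) -> str:
    """Fill the [AUDIENCE] placeholder of the configured http_uri."""
    return template.replace("[AUDIENCE]", audience)


class GcpAuthnModel:
    """Token cache keyed by audience plus fail-closed fetching (a model, not Envoy's code)."""
    def __init__(self, fetch: Callable[[str], str]) -> None:
        self._fetch = fetch                # assumed: takes the full URI, returns the identity token
        self._cache: Dict[str, str] = {}
        self.fetches = 0                   # how often the metadata server was actually queried

    def token_for(self, cluster: dict) -> Optional[str]:
        """Return the token for the cluster's audience, or None if the cluster has no audience."""
        audience = audience_for_cluster(cluster)
        if audience is None:
            return None
        if audience not in self._cache:    # a cache hit avoids a duplicate metadata-server query
            try:
                self.fetches += 1
                self._cache[audience] = self._fetch(identity_uri(audience))
            except Exception as exc:
                raise RejectRequest(f"token fetch failed for {audience}") from exc
        return self._cache[audience]


# Constructed cluster definition mirroring the page's cluster_0 example.
CLUSTER_0 = {"name": "cluster_0", "metadata": {"typed_filter_metadata": {
    FILTER_NAME: {"@type": AUDIENCE_TYPE, "url": "http://test.com"}}}}
```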