GCP Authentication Filter
This filter fetches authentication tokens from the Google Compute Engine (GCE) metadata server. In an architecture with multiple services that need to communicate with each other, service-to-service authentication is required when the services are private and demand credentials for access.
Configuration
This filter should be configured with the type URL type.googleapis.com/envoy.extensions.filters.http.gcp_authn.v3.GcpAuthnFilterConfig.
The filter configuration (v3 API reference) has three fields:

http_uri
specifies the HTTP URI for fetching the token from the Google Compute Engine (GCE) metadata server. The URI format is http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=[AUDIENCE]. The [AUDIENCE] placeholder is filled in from configuration; see the details below.

retry_policy
specifies the retry policy to apply if fetching the token fails. This field is optional. If it is not configured, a failed fetch is not retried and the filter fails closed (i.e., rejects the request).

cache_config
specifies the configuration of the token cache, which avoids duplicate queries to the GCE metadata server for the same token.
The audience configuration (v3 API reference) is the URL of the destination service, i.e., the receiving service that the calling service invokes. It is provided through the destination cluster's metadata field (Metadata), under typed_filter_metadata keyed by the filter name envoy.filters.http.gcp_authn.
The token cache configuration (v3 API reference) is used to avoid redundant queries to the authentication server (the GCE metadata server, in the context of this filter) for the same token.
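To make the three fields concrete, the following is an added Python model of the token flow described above. It is example code written for this page, not Envoy's implementation. It assumes: the filter substitutes the destination cluster's audience URL into the [AUDIENCE] placeholder by plain string replacement, sends the request with the Metadata-Flavor: Google header that the GCE metadata server requires, caches the returned ID token per audience until its exp claim is near, attaches the token to the upstream request as an Authorization: Bearer header, and, once the configured retries are exhausted, rejects the request with a local reply. The 401 status, the 30-second expiry margin, the per-audience cache key, the class names, the in-process FakeMetadataServer and the unsigned sample tokens it returns are all this example's own choices, not taken from the page or from Envoy.

```python
"""Added model of the GCP Authentication filter's token flow (not Envoy code)."""
import base64
import json
import time
from typing import Callable, Dict, Optional, Tuple

# Same template as the filter's http_uri.uri; [AUDIENCE] is replaced per request.
TOKEN_URI_TEMPLATE = ("http://metadata.google.internal/computeMetadata/v1/instance/"
                      "service-accounts/default/identity?audience=[AUDIENCE]")
METADATA_HEADERS = {"Metadata-Flavor": "Google"}  # required by the GCE metadata server
EXPIRY_SKEW_SECONDS = 30  # assumed margin: refetch rather than reuse a token this close to exp


def build_token_uri(audience: str) -> str:
    """Plain substitution of the destination cluster's audience into the URI."""
    return TOKEN_URI_TEMPLATE.replace("[AUDIENCE]", audience)


def jwt_expiry(token: str) -> int:
    """Read the exp claim; the signature is not checked here, the receiving service verifies it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])


class TokenCache:
    """Per-audience cache so repeated calls to one destination reuse one token."""
    def __init__(self, now: Callable[[], float] = time.time):
        self._now, self._tokens = now, {}  # audience -> (token, exp)

    def get(self, audience: str) -> Optional[str]:
        entry = self._tokens.get(audience)
        if entry is None:
            return None
        token, exp = entry
        if exp - EXPIRY_SKEW_SECONDS <= self._now():
            del self._tokens[audience]  # stale: force a fresh fetch
            return None
        return token

    def put(self, audience: str, token: str) -> None:
        self._tokens[audience] = (token, jwt_expiry(token))


class GcpAuthnFilter:
    """decode_headers returns (local_reply_status, headers): None means continue
    upstream with the token attached; 401 means the request was rejected."""
    def __init__(self, fetch: Callable[[str, Dict[str, str]], str],
                 cache: TokenCache, num_retries: int = 0):
        self._fetch, self._cache, self._num_retries = fetch, cache, num_retries

    def _fetch_with_retries(self, uri: str) -> Optional[str]:
        for _ in range(self._num_retries + 1):  # no retry_policy -> a single attempt
            try:
                return self._fetch(uri, dict(METADATA_HEADERS))
            except Exception:
                continue
        return None

    def decode_headers(self, headers: Dict[str, str],
                       audience: str) -> Tuple[Optional[int], Dict[str, str]]:
        token = self._cache.get(audience)
        if token is None:
            token = self._fetch_with_retries(build_token_uri(audience))
            if token is None:
                return 401, dict(headers)  # fail closed: no token, no upstream call
            self._cache.put(audience, token)
        out = dict(headers)
        out["Authorization"] = "Bearer " + token
        return None, out


def make_jwt(audience: str, exp: int) -> str:
    """Constructed sample ID token; the signature segment is a placeholder."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc({'aud': audience, 'exp': exp})}.sig"


class FakeMetadataServer:
    """Offline stand-in for metadata.google.internal; records every request."""
    def __init__(self, now: Callable[[], float], lifetime: int = 3600):
        self.now, self.lifetime, self.fail, self.calls = now, lifetime, False, []

    def __call__(self, uri: str, headers: Dict[str, str]) -> str:
        self.calls.append(uri)
        if headers.get("Metadata-Flavor") != "Google":
            raise RuntimeError("403: missing Metadata-Flavor header")
        if self.fail:
            raise RuntimeError("503: simulated metadata server outage")
        return make_jwt(uri.split("audience=", 1)[1], int(self.now()) + self.lifetime)


if __name__ == "__main__":
    clock = [1_700_000_000.0]
    server = FakeMetadataServer(lambda: clock[0])
    flt = GcpAuthnFilter(server, TokenCache(lambda: clock[0]), num_retries=1)
    print(flt.decode_headers({":path": "/"}, "http://test.com"))  # fetched from server
    print(flt.decode_headers({":path": "/"}, "http://test.com"))  # served from cache
    server.fail = True
    print(flt.decode_headers({":path": "/"}, "http://other.example"))  # (401, ...)
```

The point worth noticing is the fail-closed branch: with no retry_policy the filter makes exactly one metadata-server call and, if it fails, the request never reaches the upstream without a token. The cache is keyed by audience because the token is minted for one destination; reusing it across destinations would hand a token scoped to one service to another.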
Configuration example
Resource configuration example:
clusters:
- name: cluster_0
  # Cluster for the fake destination service; its typed metadata carries the audience information.
  load_assignment:
    cluster_name: cluster_0
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: 0.0.0.0
              port_value: 8000
  typed_extension_protocol_options:
    envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
      "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
      explicit_http_config:
        http2_protocol_options:
          {}
  metadata:
    typed_filter_metadata:
      envoy.filters.http.gcp_authn:
        "@type": type.googleapis.com/envoy.extensions.filters.http.gcp_authn.v3.Audience
        url: http://test.com
# Cluster for the GCE metadata server
- name: gcp_authn
  type: STRICT_DNS
  connect_timeout: 5s
  dns_lookup_family: V4_ONLY
  load_assignment:
    cluster_name: "gcp_authn"
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: "metadata.google.internal"
              port_value: 80
HTTP filter configuration example:
- filters:
  - name: "http"
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
      codec_type: HTTP2
      stat_prefix: "config_test"
      route_config:
        name: "route_config_0"
        virtual_hosts:
        - name: "integration"
          domains: ["*"]
          routes:
          - match:
              prefix: "/"
            route:
              cluster: "cluster_0"
      http_filters:
      # The type URL must match the one given under Configuration above.
      - name: "envoy.filters.http.gcp_authn"
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.gcp_authn.v3.GcpAuthnFilterConfig
          http_uri:
            uri: "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=[AUDIENCE]"
            cluster: "gcp_authn"
            timeout:
              seconds: 10
      # The router must be the last filter in the same http_filters list.
      - name: envoy.filters.http.router
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router