GCP authentication (proto)

This extension has the qualified name envoy.filters.http.gcp_authn

Note

This extension is functional but has not had substantial production burn time, use only with this caveat.

This extension has an unknown security posture and should only be used in deployments where both the downstream and upstream are trusted.

Tip

This extension extends and can be used with the following extension category:

This extension must be configured with one of the following type URLs:

GCP authentication configuration overview.

extensions.filters.http.gcp_authn.v3.GcpAuthnFilterConfig

[extensions.filters.http.gcp_authn.v3.GcpAuthnFilterConfig proto]

Filter configuration.

{
  "http_uri": {...},
  "retry_policy": {...},
  "cache_config": {...},
  "token_header": {...}
}
http_uri

(config.core.v3.HttpUri, REQUIRED) The HTTP URI to fetch tokens from the GCE Metadata Server (https://cloud.google.com/compute/docs/metadata/overview). The URL format is “http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=[AUDIENCE]”

retry_policy

(config.core.v3.RetryPolicy) Retry policy for fetching tokens. This field is optional. If it is not configured, the filter fails closed on a failed fetch (i.e., it rejects the requests).

cache_config

(extensions.filters.http.gcp_authn.v3.TokenCacheConfig) Token cache configuration. This field is optional.

token_header

(extensions.filters.http.gcp_authn.v3.TokenHeader) The request header in which the filter places the fetched token. By default (i.e., if this field is not specified), the token is written to the Authorization HTTP header in the format “Authorization: Bearer <token>”.

extensions.filters.http.gcp_authn.v3.Audience

[extensions.filters.http.gcp_authn.v3.Audience proto]

Audience is the URL of the receiving service that performs token authentication. It will be provided to the filter through cluster’s typed_filter_metadata.

{
  "url": ...
}
url

(string, REQUIRED)

extensions.filters.http.gcp_authn.v3.TokenCacheConfig

[extensions.filters.http.gcp_authn.v3.TokenCacheConfig proto]

Token Cache configuration.

{
  "cache_size": {...}
}
cache_size

(UInt64Value) The number of cache entries. The maximum number of entries is INT64_MAX, as it is constrained by the underlying cache implementation. The default value 0 (i.e., the proto3 default) disables the cache; any other value enables it.

extensions.filters.http.gcp_authn.v3.TokenHeader

[extensions.filters.http.gcp_authn.v3.TokenHeader proto]

{
  "name": ...,
  "value_prefix": ...
}
name

(string, REQUIRED) The HTTP header’s name.

value_prefix

(string) The prefix of the header value. The format is “value_prefix<token>”. For example, for “Authorization: Bearer <token>”, value_prefix=“Bearer ” with a space at the end.
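As an added example (not taken from the Envoy documentation or source), the following static bootstrap fragment wires together every message described above: GcpAuthnFilterConfig with its http_uri, retry_policy, cache_config and token_header, plus an Audience attached to the upstream cluster via typed_filter_metadata under the filter's qualified name. The listener port, cluster names, backend address, audience URL and timeouts are assumed values chosen for illustration; the filter fills the [AUDIENCE] placeholder in http_uri with the url from the Audience metadata of the cluster the request is routed to.

```yaml
static_resources:
  listeners:
  - name: ingress                       # assumed listener name
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: backend_service }
          http_filters:
          - name: envoy.filters.http.gcp_authn
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.gcp_authn.v3.GcpAuthnFilterConfig
              # http_uri (REQUIRED): where identity tokens are fetched from.
              # [AUDIENCE] is replaced with Audience.url from the target cluster's metadata.
              http_uri:
                uri: "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=[AUDIENCE]"
                cluster: gcp_metadata_server   # assumed cluster name, defined below
                timeout: 5s
              # retry_policy: optional; without it the filter is fail-closed on a failed fetch.
              retry_policy:
                retry_back_off:
                  base_interval: 0.5s
                  max_interval: 5s
                num_retries: 3
              # cache_config: cache_size 0 (the proto3 default) would disable caching.
              cache_config:
                cache_size: 100
              # token_header: the defaults made explicit (Authorization: Bearer <token>).
              token_header:
                name: "Authorization"
                value_prefix: "Bearer "
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  # Cluster the filter uses to reach the GCE Metadata Server (assumed name).
  - name: gcp_metadata_server
    type: STRICT_DNS
    connect_timeout: 1s
    load_assignment:
      cluster_name: gcp_metadata_server
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: metadata.google.internal, port_value: 80 }
  # Upstream the request is routed to; its Audience metadata supplies [AUDIENCE].
  - name: backend_service
    type: STRICT_DNS
    connect_timeout: 1s
    load_assignment:
      cluster_name: backend_service
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: backend.internal.example, port_value: 8080 }   # assumed
    metadata:
      typed_filter_metadata:
        envoy.filters.http.gcp_authn:
          "@type": type.googleapis.com/envoy.extensions.filters.http.gcp_authn.v3.Audience
          url: "https://backend.internal.example"   # assumed audience; must match what the receiver verifies
```

When checking a deployment like this, confirm that every cluster reached through the filter carries an Audience entry whose url is exactly the value the receiving service validates, and that the metadata-server cluster resolves only to the link-local metadata endpoint; a request routed to a cluster without Audience metadata, or a fetch that fails with no retry_policy, is rejected rather than forwarded without a token.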