GCP Authentication Filter
This filter fetches authentication tokens from the Google Compute Engine (GCE) metadata server. In a multi-service architecture where services need to call each other, service-to-service authentication is needed when the services are private and require credentials for access. If no authentication token is retrieved from the authentication server, the request is still sent to the destination service, which rejects it if an authentication token is required.
Configuration
This filter should be configured with the type URL type.googleapis.com/envoy.extensions.filters.http.gcp_authn.v3.GcpAuthnFilterConfig.
The filter configuration (see the v3 API reference) has three fields:

http_uri
  Specifies the HTTP URI for fetching the token from the Google Compute Engine (GCE) metadata server. The URL format is http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=[AUDIENCE]. The AUDIENCE field is provided by configuration; see the details below.

retry_policy
  Specifies the retry policy used if fetching the token fails. This field is optional.

cache_config
  Specifies the configuration of the token cache, which is used to avoid duplicate queries to the GCE metadata server for the same token.
The audience (see the v3 API reference) is the URL of the destination service, i.e. the receiving service that the calling service invokes. It is provided through the destination cluster's metadata, in typed_filter_metadata under the key envoy.filters.http.gcp_authn.
The token cache (see the v3 API reference) is used to avoid redundant queries to the authentication server (the GCE metadata server in the context of this filter) for a token that has already been fetched.
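The following is an added illustration, not Envoy's own code: it models the pieces the two paragraphs above describe, looking up the audience from the destination cluster's typed_filter_metadata, substituting it into the [AUDIENCE] placeholder of http_uri, caching tokens per audience so repeated requests do not re-query the metadata server, and forwarding the request unchanged when no token can be fetched. The cluster list, the fake metadata server and the token format are constructed, the literal (non-encoded) substitution of the audience and the name of the header that carries the token are assumptions, and a fixed TTL stands in for the real cache_config.

```python
"""Model of the GCP Authentication filter's token flow (added example, not Envoy code)."""
import time
from typing import Callable, Dict, Optional, Tuple

AUDIENCE_TYPE = "type.googleapis.com/envoy.extensions.filters.http.gcp_authn.v3.Audience"
FILTER_NAME = "envoy.filters.http.gcp_authn"
HTTP_URI = ("http://metadata.google.internal/computeMetadata/v1/instance/"
            "service-accounts/default/identity?audience=[AUDIENCE]")

# Constructed cluster list mirroring the page's resource configuration example.
CLUSTERS = [
    {"name": "cluster_0",
     "metadata": {"typed_filter_metadata": {
         FILTER_NAME: {"@type": AUDIENCE_TYPE, "url": "http://test.com"}}}},
    {"name": "gcp_authn"},  # metadata-server cluster: carries no audience itself
]


def audience_for(cluster_name: str, clusters=CLUSTERS) -> Optional[str]:
    """Return the audience URL from the destination cluster's typed_filter_metadata, if any."""
    for cluster in clusters:
        if cluster["name"] != cluster_name:
            continue
        entry = cluster.get("metadata", {}).get("typed_filter_metadata", {}).get(FILTER_NAME)
        if entry and entry.get("@type") == AUDIENCE_TYPE:
            return entry.get("url")
    return None


def token_uri(audience: str, template: str = HTTP_URI) -> str:
    """Substitute the configured audience into the [AUDIENCE] placeholder (assumed literal)."""
    return template.replace("[AUDIENCE]", audience)


class TokenCache:
    """Per-audience token cache: a hit within the TTL skips the metadata-server query."""

    def __init__(self, ttl_seconds: float, now: Callable[[], float] = time.monotonic):
        self.ttl = ttl_seconds
        self.now = now                       # injectable clock, so expiry is testable
        self._entries: Dict[str, Tuple[str, float]] = {}
        self.fetches = 0                     # counts actual metadata-server queries

    def get(self, audience: str, fetch: Callable[[str], Optional[str]]) -> Optional[str]:
        hit = self._entries.get(audience)
        if hit and hit[1] > self.now():
            return hit[0]
        self.fetches += 1
        token = fetch(token_uri(audience))
        if token is not None:                # failed fetches are not cached
            self._entries[audience] = (token, self.now() + self.ttl)
        return token


def fake_metadata_server(uri: str) -> Optional[str]:
    """Constructed stand-in for the GCE metadata server: token derived from the audience."""
    parts = uri.split("?audience=", 1)
    if len(parts) != 2 or not parts[1]:
        return None
    return "constructed-token-for-" + parts[1]


def apply_filter(request_headers: Dict[str, str], route_cluster: str, cache: TokenCache,
                 fetch: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """Attach a token for the route's destination cluster, or forward the request unchanged."""
    headers = dict(request_headers)
    audience = audience_for(route_cluster)
    if audience is None:
        return headers                       # destination declares no audience: nothing to fetch
    token = cache.get(audience, fetch)
    if token is None:
        return headers                       # no token retrieved: request is still sent on
    headers["authorization"] = f"Bearer {token}"   # header name is an assumption
    return headers


if __name__ == "__main__":
    cache = TokenCache(ttl_seconds=60)
    for _ in range(2):
        print(apply_filter({"host": "svc"}, "cluster_0", cache, fake_metadata_server))
    print("metadata-server queries:", cache.fetches)   # 1: the second request hit the cache
```

Two consecutive requests to cluster_0 produce one metadata-server query; a request routed to a cluster without audience metadata, or one whose fetch fails, is forwarded without a token, which is where the destination service's own check has to reject it.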
Configuration example
Resource configuration example:
  clusters:
  - name: cluster_0
    # Cluster for fake destination service which has typed metadata that contains the audience information.
    load_assignment:
      cluster_name: cluster_0
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 0.0.0.0
                port_value: 8000
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http2_protocol_options:
            {}
    metadata:
      typed_filter_metadata:
        envoy.filters.http.gcp_authn:
          "@type": type.googleapis.com/envoy.extensions.filters.http.gcp_authn.v3.Audience
          url: http://test.com
  # Cluster for GCE metadata server
  - name: gcp_authn
    type: STRICT_DNS
    connect_timeout: 5s
    dns_lookup_family: V4_ONLY
    load_assignment:
      cluster_name: "gcp_authn"
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: "metadata.google.internal"
                port_value: 80
HTTP filter configuration example:
  - filters:
    - name: "http"
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
        codec_type: HTTP2
        stat_prefix: "config_test"
        route_config:
          name: "route_config_0"
          virtual_hosts:
          - name: "integration"
            domains: ["*"]
            routes:
            - match:
                prefix: "/"
              route:
                cluster: "cluster_0"
        http_filters:
        - name: "envoy.filters.http.gcp_authn"
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.gcp_authn.v3.GcpAuthnFilterConfig
            http_uri:
              uri: "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=[AUDIENCE]"
              cluster: "gcp_authn"
              timeout: 10s
        - name: envoy.filters.http.router
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router