GCP Authentication Filter

This filter fetches authentication tokens from the Google Compute Engine (GCE) metadata server. In a multi-service architecture where services call each other and the callee is private, the calling service must present credentials, so service-to-service authentication is needed. If no token can be retrieved from the metadata server, the request is still sent to the destination service, which will reject it if it requires an authentication token.

Configuration

  • This filter should be configured with the type URL type.googleapis.com/envoy.extensions.filters.http.gcp_authn.v3.GcpAuthnFilterConfig.

The filter configuration v3 API reference has three fields:

  • http_uri specifies the HTTP URI for fetching tokens from the Google Compute Engine (GCE) metadata server. The URL format is http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=[AUDIENCE]. The [AUDIENCE] placeholder is filled in from configuration; see the details below.

  • retry_policy specifies the retry policy to apply if fetching a token fails. This field is optional.

  • cache_config specifies the configuration for the token cache, which is used to avoid duplicate queries to the GCE metadata server for the same token.

The audience configuration (v3 API reference) is the URL of the destination service, i.e. the receiving service that the calling service is invoking. It is provided through the cluster's metadata field (Metadata), as typed_filter_metadata under the key envoy.filters.http.gcp_authn.

The token cache configuration (v3 API reference) is used to avoid redundant queries to the authentication server (the GCE metadata server in the context of this filter) for tokens that have already been fetched.

Configuration example

Resource configuration example:

  clusters:
  - name: cluster_0
    # Cluster for fake destination service which has typed metadata that contains the audience information.
    load_assignment:
      cluster_name: cluster_0
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 0.0.0.0
                port_value: 8000
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http2_protocol_options:
            {}
    metadata:
      typed_filter_metadata:
        envoy.filters.http.gcp_authn:
          "@type": type.googleapis.com/envoy.extensions.filters.http.gcp_authn.v3.Audience
          url: http://test.com
  # Cluster for GCE metadata server
  - name: gcp_authn
    type: STRICT_DNS
    connect_timeout: 5s
    dns_lookup_family: V4_ONLY
    load_assignment:
      cluster_name: "gcp_authn"
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: "metadata.google.internal"
                port_value: 80

HTTP filter configuration example:

    - filters:
      - name: "http"
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          codec_type: HTTP2
          stat_prefix: "config_test"
          route_config:
            name: "route_config_0"
            virtual_hosts:
            - name: "integration"
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: "cluster_0"
          http_filters:
          - name: "envoy.filters.http.gcp_authn"
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.gcp_authn.v3.GcpAuthnFilterConfig
              http_uri:
                uri: "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=[AUDIENCE]"
                cluster: "gcp_authn"
                timeout: 10s
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router