Pomerium as Identity Aware Reverse-Proxy for Cloud Run

What happened?

I want to use pomerium as an identity aware reverse proxy to one of my cloud run services.
The Authenticate and Authorize flows against Google IDP both work nicely. I get OAuth callback and redirected to upstream.
Upstream (cloud run service with authentication required) then denies access.

In the config.yaml, I am using

pass_identity_headers: true
enable_google_cloud_serverless_authentication: true
google_cloud_serverless_authentication_service_account=<base64 encoded string??>

to make pomerium service authenticate against Cloud Run by a service account.

However I see following errors in the logs:

{"level":"warn","error":"record not found","time":"2024-03-25T12:36:23Z","message":"clearing session due to missing or invalid session or service account"}
{"level":"error","error":"error retrieving google cloud serverless token source: invalid character '\\n' in string literal","time":"2024-03-25T12:36:23Z","message":"error retrieving google cloud serverless headers"}
{"level":"warn","error":"record not found","time":"2024-03-25T12:36:28Z","message":"clearing session due to missing or invalid session or service account"}
{"level":"error","error":"error retrieving google cloud serverless token source: invalid character '\\n' in string literal","time":"2024-03-25T12:36:28Z","message":"error retrieving google cloud serverless headers"}
{"level":"error","error":"error retrieving google cloud serverless token source: invalid character '\\n' in string literal","time":"2024-03-25T12:36:29Z","message":"error retrieving google cloud serverless headers"}

What did you expect to happen?

I was hoping to get access to the underlying cloud run service.
As I cannot see the headers of the requests going upstream (is there a way?), I am not able to debug the pomerium ↔ upstream requests.

Additional context

Using 0.25 via docker on local machine.
To generate the base64 service account credentials, I created a key file on the Google Cloud console in the schema below and ran that through a base64 encoder on my local machine.

{
  "type": "service_account",
  "project_id": ...,
  "private_key_id": ...,
  "private_key": "....",
  "client_email": "...",
  "client_id": "...",
  "auth_uri": "...",
  "token_uri": "...",
  "auth_provider_x509_cert_url": "...",
  "client_x509_cert_url": "...",
  "universe_domain": "googleapis.com"
}

Any help very much appreciated!
Thanks in advance.

Most likely there was an error encoding a service account - the JSON file might have a newline in the beginning?


I believe this error occurs during JSON parsing. It indicates the service account has a string with a newline in it:

{
  "key": "value
with
newline"
}

Thank you for your answer.
I was thinking the same, but what would I do about it? I suppose I need to take the key as it’s provided by Google. Am I supposed to tinker with the newlines in the JSON in case it happens to contain any?
And secondly, is the process of encoding the whole json string to base64 correct for the config.yaml parameter
google_cloud_serverless_authentication_service_account=<base64 encoded string??>?

Hi,

Newlines in the JSON are ok, they just can’t be in a JSON string literal. I’m not sure how that would’ve happened.

This option also supports embedding the JSON directly. Assuming you’re using YAML:

google_cloud_serverless_authentication_service_account: |
  {
    "type": "service_account",
    "project_id": "pomerium-sandbox-2020q3",
    "private_key_id": "a1df7f3740069feccb3ed32d173e7f777129eb11",
    "private_key": "-----BEGIN PRIVATE KEY-----\nBASE64HERE\n-----END PRIVATE KEY-----\n",
    "client_email": "cloudrun-invoker@pomerium-sandbox-2020q3.iam.gserviceaccount.com",
    "client_id": "115434192173748592038",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/cloudrun-invoker%40pomerium-sandbox-2020q3.iam.gserviceaccount.com"
  }

Working well, thanks!

Apparently there were some additional formatting characters in the base64. Standard tools like echo added an additional newline at the end every time. I went for reading in the JSON from file via base64 -i credentials.json. Of course one can “debug” by going back-and-forth and comparing the base64 decode/encode results.

Thanks for the help.
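A way to check the value before it goes into config.yaml, as an added Python example that is not part of this thread or of Pomerium: it decodes the base64, applies the same strict rule Go's JSON decoder applies (no raw newline inside a string literal, which is what the log line above reports), and verifies the fields a Cloud Run invoker key needs. The sample documents, `encode` and `check_service_account_b64` are constructed for illustration.

```python
import base64
import json

# Constructed sample in the shape the thread describes; placeholder values,
# not a real key. Escaped "\n" inside private_key is the form Google emits.
GOOD_JSON = (
    '{"type": "service_account", "project_id": "example-project",'
    ' "private_key": "-----BEGIN PRIVATE KEY-----\\nPLACEHOLDER\\n-----END PRIVATE KEY-----\\n",'
    ' "client_email": "invoker@example-project.iam.gserviceaccount.com",'
    ' "token_uri": "https://oauth2.googleapis.com/token"}'
)
# Same document with the key pasted using raw line breaks instead of "\n":
# this is what produces "invalid character '\n' in string literal".
BAD_JSON = GOOD_JSON.replace("\\n", "\n")
REQUIRED = ("type", "project_id", "private_key", "client_email", "token_uri")


def encode(doc: str) -> str:
    """Encode as the config value expects (no line wrapping, no trailing newline)."""
    return base64.b64encode(doc.encode()).decode()


def check_service_account_b64(value: str) -> dict:
    """Decode a base64 service-account value and list why Pomerium would reject it."""
    report = {"ok": False, "problems": [], "notes": []}
    # Go's base64 decoder ignores CR/LF, so line-wrapped base64 still decodes.
    compact = value.replace("\r", "").replace("\n", "")
    try:
        raw = base64.b64decode(compact, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        report["problems"].append(f"not valid base64/UTF-8: {exc}")
        return report
    if raw != raw.rstrip("\n"):
        report["notes"].append("trailing newline after the JSON document (e.g. from echo)")
    try:
        doc = json.loads(raw)  # strict mode rejects raw control chars, like Go does
    except json.JSONDecodeError as exc:
        report["problems"].append(f"invalid JSON: {exc.msg} (line {exc.lineno}, col {exc.colno})")
        return report
    for key in REQUIRED:
        if key not in doc:
            report["problems"].append(f"missing field: {key}")
    if doc.get("type") != "service_account":
        report["problems"].append("type is not 'service_account'")
    pem = doc.get("private_key", "")
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----\n") and "-----END PRIVATE KEY-----" in pem):
        report["problems"].append("private_key is not a PEM PKCS#8 block with escaped newlines")
    report["ok"] = not report["problems"]
    return report
```

Run it on the exact string from your config.yaml: a trailing newline from echo only shows up as a note, while a key pasted with real line breaks is reported as invalid JSON at the offending line and column.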