
I have a Cloud Run service running with authenticated requests turned on. I've created a domain mapping using Load Balancing to point a subdomain to the container.

I have been sending requests to the direct container url without any problems.

import os
import google.auth.transport.requests
import google.oauth2.id_token
import requests

# Point Application Default Credentials at the invoker service account key.
os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = 'service-account.json'

# The audience must match what the Cloud Run service accepts; the default
# *.run.app URL of the service works.
audience = "https://app-id.a.run.app"

# Mint an OIDC ID token whose "aud" claim is the audience above.
request = google.auth.transport.requests.Request()
id_token = google.oauth2.id_token.fetch_id_token(request, audience)

# Send the token as a Bearer credential and surface the status code so an
# authentication failure (401/403) is visible.
response = requests.post(
    audience + "/job",
    headers={'Authorization': f"Bearer {id_token}"},
)
print(response.status_code, response.text)

My service account has the Cloud Run Invoker permission and requests get authenticated fine.

The domain mapping is configured to the right Cloud Run service & region.

Why is it that when I change audience to my subdomain and send the request, I'm not authenticated?

Edit: The subdomain is correctly pointing at the container and requests are being logged.

1 Answer

By default, Cloud Run accepts only the default Cloud Run URL (*.run.app) as audience.

When you use a custom domain, or a Load Balancer, it does not make sense for the client to add a strange audience instead of the real domain name.

That's why the Cloud Run custom audience feature has been released!


1 Comment

Thank you! I've updated my services :-)
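To make the answer concrete, here is an added example (not from the question, the answer, or Google's libraries) that models the server-side check Cloud Run performs on the ID token: the signature must verify, the token must be unexpired, and the "aud" claim must be in the set of audiences the service accepts. That set is the service's own *.run.app URL by default, extended by any custom audiences configured on the service. The token is signed with a constructed HMAC secret standing in for Google's signing key, and the URLs, e-mail and secret are all constructed placeholders. mint_id_token plays the role of fetch_id_token in the question: it puts whatever audience the client asked for into "aud", which is exactly why a token minted for the subdomain is rejected until that subdomain is registered as a custom audience.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Constructed example values; none of these are real endpoints, accounts or keys.
DEFAULT_RUN_URL = "https://app-id.a.run.app"   # the service's own *.run.app URL
CUSTOM_DOMAIN = "https://api.example.com"       # the load-balancer subdomain
SIGNING_SECRET = b"demo-secret-not-a-real-key"  # stands in for Google's signing key
INVOKER_EMAIL = "invoker@example.iam.gserviceaccount.com"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the padding base64 needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(audience: str, lifetime_s: int = 3600, key: bytes = SIGNING_SECRET) -> str:
    """Stand-in for fetch_id_token(): an HS256 JWT whose aud is what the client asked for."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"aud": audience, "email": INVOKER_EMAIL, "iat": now, "exp": now + lifetime_s}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def accepted_audiences(custom_audiences=()) -> set[str]:
    """Cloud Run accepts its own *.run.app URL by default; custom audiences extend the set."""
    return {DEFAULT_RUN_URL, *custom_audiences}


def check_invoker_token(token: str, accepted: set[str]) -> tuple[bool, str]:
    """Model of the server-side check: signature, expiry, then audience membership."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(SIGNING_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Signature first: an attacker-editable payload must not influence the outcome.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("exp", 0) <= time.time():
        return False, "token expired"
    aud = payload.get("aud")
    if aud not in accepted:
        return False, f"audience {aud!r} not accepted"
    return True, "ok"


if __name__ == "__main__":
    # Token for the default URL: accepted even if the request arrived via the subdomain.
    print(check_invoker_token(mint_id_token(DEFAULT_RUN_URL), accepted_audiences()))
    # Token for the subdomain, service left at defaults: the question's failure.
    print(check_invoker_token(mint_id_token(CUSTOM_DOMAIN), accepted_audiences()))
    # Same token after the subdomain is registered as a custom audience: accepted.
    print(check_invoker_token(mint_id_token(CUSTOM_DOMAIN), accepted_audiences([CUSTOM_DOMAIN])))
```

Two practical consequences follow from the model. First, the audience is a property of the token, not of the URL the request is sent to, so a client can keep minting tokens for the *.run.app URL while posting to the subdomain behind the load balancer, and the service will accept them without any configuration change. Second, once the subdomain is added as a custom audience on the service (the gcloud flag for this is, as far as I know, `--add-custom-audiences` on `gcloud run services update`), tokens minted for the subdomain are accepted too, while the check on signature and expiry is unchanged.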
