[go: nahoru, domu]
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cloudtasks: queue-level routing with oidc account/audience override #10304

Closed
robpingxu opened this issue Jun 3, 2024 · 2 comments
Closed

cloudtasks: queue-level routing with oidc account/audience override #10304

robpingxu opened this issue Jun 3, 2024 · 2 comments
Assignees
@noahdietz
Labels
api: cloudtasks Issues related to the Cloud Tasks API. triage me I really want to be triaged.

Comments

@robpingxu
Copy link
robpingxu commented Jun 3, 2024
edited
Loading

Client

cloudtasks

Environment

Image built with alpine running on Cloud Run

Go Environment

$ gcloud version

Google Cloud SDK 478.0.0
beta 2024.05.24
bq 2.1.5
core 2024.05.24
gcloud-crc32c 1.0.0
gsutil 5.29

Code

Note: Anything within <> is a replacement of the actual values.

Updating queue to have queue-level routing

gcloud tasks queues update <queue-name> \
--http-uri-override="mode:ALWAYS,host:<cloud-run-worker-service-host>,path:<worker-path>,port:443" --location="<...>" --project="<...>" \
--http-oidc-service-account-email-override="<service-acount-email>" \
--http-oidc-token-audience-override="https://<cloud-run-worker-service-host>"

Task creation code:

// buildTaskRequest build task request from event and publisher config
func (p *PublisherImpl) buildTaskRequest(env Envelope) (*taskspb.CreateTaskRequest, error) {
	...
	headers := map[string]string{
		"Content-Type": "application/json",
	}

	req := &taskspb.CreateTaskRequest{
		Parent: queuePath,
		Task: &taskspb.Task{
			// https://godoc.org/google.golang.org/genproto/googleapis/cloud/tasks/v2#HttpRequest
			MessageType: &taskspb.Task_HttpRequest{
				HttpRequest: &taskspb.HttpRequest{
					Url:        <irrelevantWorkerUrl>,// this is a different endpoint than what is being defined in the queue-level routing
					HttpMethod: taskspb.HttpMethod_POST,
					Headers:    headers,
					Body:       payload,
					AuthorizationHeader: &taskspb.HttpRequest_OidcToken{
						OidcToken: &taskspb.OidcToken{
							ServiceAccountEmail: "<service-acount-email>",// this is the same as what was defined on the queue-level routing
						},
					},
				},
			},
		},
	}

	return req, nil
}

// publish event to Cloud Tasks
func (p *PublisherImpl) publish(ctx context.Context, ee Envelope) error {
	req, err := p.buildTaskRequest(ee)
	if err != nil {
		return err
	}

	createdTask, err := p.cloudTaskClient.CreateTask(context.Background(), req)
	if err != nil {
		return err
	}

	...

	return nil
}

Expected behavior

We expect the irrelevantWorkerUrl being set during task creation to not matter and have our tasks routed and authenticated using the values set on the queue.

Actual behavior

Everything set as part of URI Override works perfectly.

However, the JWT being created for the service account has an audience that matches irrelevantWorkerUrl.

So our worker service refuses to accept the request because the audience on the token is irrelevantWorkerUrl instead of the https://<cloud-run-worker-service-host> that we set on the queue.

We can get the code working if we pass cloud-run-worker-service-host as the audience or as the worker url, but that defeats our goal of using queue-level routing.

When checking the queue, everything looks correct.

gcloud tasks queues describe 

httpTarget:
  oidcToken:
    audience: https://<cloud-run-worker-service-host>
    serviceAccountEmail: <service-acount-email>
  uriOverride:
    host: <cloud-run-worker-service-host>
    pathOverride:
      path: <worker-path>
    port: '443'
    queryOverride: {}
    scheme: HTTPS
    uriOverrideEnforceMode: ALWAYS

Additional context

The whole reason we want to use queue-level routing is so we don't have to pass the worker service's host to all the places where we create tasks.

I am not sure if this feature is out of beta but I see the options documented here without any indication that it is a beta feature.

https://cloud.google.com/sdk/gcloud/reference/tasks/queues/create
https://cloud.google.com/sdk/gcloud/reference/tasks/queues/update
https://cloud.google.com/tasks/docs/configuring-queues#gcloud

For this test, we are using existing golang code for creating tasks but we generated a new queue with queue-level routing.

We also tried creating tasks using gcloud:

gcloud tasks create-http-task --queue=<queue-name> --url=<irrelevantWorkerUrl> --oidc-service-account-email="<service-acount-email>"

Same result where the audience is irrelevantWorkerUrl

We also tried creating tasks using golang code and gcloud where we don't pass a service-account. In those cases, a token does not get generated at all.

Maybe we are misunderstanding what --http-oidc-token-audience-override is supposed to do, but so far, it doesn't seem like it does anything.
@robpingxu robpingxu added the triage me I really want to be triaged. label Jun 3, 2024
@product-auto-label product-auto-label bot added the api: cloudtasks Issues related to the Cloud Tasks API. label Jun 3, 2024
@codyoss
Copy link
Member
codyoss commented Jun 3, 2024

I am not an expert on cloudtasks but this seems intentional from the docs: "Audience to be used when generating OIDC token. If not specified, the URI specified in target will be used."

This issue track primary deals with issue in the client libraries themseleves and not the services. I would recommend reaching out via a support contract and/or cloudtasks support page. Sorry I can't be of more help.

@codyoss codyoss closed this as completed Jun 3, 2024
@robpingxu
Copy link
Author

@codyoss

Not a problem. I actually also did reach out to support just incase the issue is with the service, but was worried that the client was doing something that was interfering with the oidc audience overwrite setting on the queue.

At this point, I can't tell what the problem lies. The doc explanation made perfect sense before queue-level routing was a thing. But now, I am worried that the behavior is causing problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@noahdietz noahdietz

Labels
api: cloudtasks Issues related to the Cloud Tasks API. triage me I really want to be triaged.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@codyoss @noahdietz @robpingxu