Authenticating App Engine requests from Container Engine within the same project

11/2/2016

In my project, I'm combining App Engine and Container Engine services that need to communicate with each other.

The Container Engine service needs to make an authenticated request to my App Engine service. As I've used Application Default Credentials to talk to Google APIs previously, I was thinking I could also use them for my own service.

In App Engine yaml, I've defined the handler with the login restriction like this:

handlers:
  - url: /.*
    script: _go_app
    login: admin

Simplified code to match what is used for making a request:

client, _ := google.DefaultClient(ctx, "https://www.googleapis.com/auth/cloud-platform")
req, _ := http.NewRequest("GET", URL, nil)
client.Do(req)

In IAM permissions, I've granted App Engine Admin permissions to the service account.

However, the result is a 302 which redirects to the Google login page. Does this mean that this setup is not possible or that it's a configuration mistake?

-- baloo
authentication
google-app-engine
google-kubernetes-engine

1 Answer

11/17/2016

By supplying login: admin in your app.yaml configuration file, you are telling App Engine to 302 redirect all requests to your '/.*' handler to a login form. This form will then ask the requester for credentials, and will check the provided credentials against your set IAM Administrators to ensure they are a member of your project.

Since this is Server-to-Server communication using the Application Default Credentials, and not Client-to-Server, you can remove the login: admin client auth step in your app.yaml for this handler.

-- Jordan
Source: StackOverflow
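
Added example, not part of the question or the answer above: once login: admin is removed, App Engine no longer screens requests to that handler, so the service itself has to check the bearer token that the Application Default Credentials client attaches to each request. The names RequireServiceAccount, TokenVerifier, fakeVerifier and statusFor are hypothetical, and the tokens and e-mail addresses are constructed; a real verifier would validate the token with Google instead of looking it up in a map.

```go
package main

import (
	"errors"
	"net/http"
	"net/http/httptest"
	"strings"
)

// TokenVerifier (hypothetical hook) maps a bearer token to the caller's e-mail.
type TokenVerifier func(token string) (email string, err error)

// RequireServiceAccount answers 401 without a valid bearer token and 403
// when the token belongs to any identity other than the allowed one.
func RequireServiceAccount(verify TokenVerifier, allowed string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		email, err := "", errors.New("no bearer token")
		if strings.HasPrefix(auth, "Bearer ") {
			email, err = verify(strings.TrimPrefix(auth, "Bearer "))
		}
		if err != nil {
			http.Error(w, "missing or invalid bearer token", http.StatusUnauthorized)
			return
		}
		if email != allowed {
			http.Error(w, "caller not allowed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Constructed sample tokens and identities, standing in for real verification.
var sampleTokens = map[string]string{"tok-gke": "gke@example.test", "tok-other": "other@example.test"}

func fakeVerifier(token string) (string, error) {
	if email, ok := sampleTokens[token]; ok {
		return email, nil
	}
	return "", errors.New("unknown token")
}

// statusFor sends one request through the protected handler and returns its status.
func statusFor(authHeader string) int {
	next := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}) // replies 200
	req, rec := httptest.NewRequest("GET", "/", nil), httptest.NewRecorder()
	req.Header.Set("Authorization", authHeader)
	RequireServiceAccount(fakeVerifier, "gke@example.test", next).ServeHTTP(rec, req)
	return rec.Code
}

func main() { println(statusFor(""), statusFor("Bearer tok-other"), statusFor("Bearer tok-gke")) }
```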