I want to be able to invoke a CloudRun endpoint from one of my GKE pods.
When I describe my VMs/instances that comprise my GKE cluster, I see
serviceAccounts:
- email: 873099409230-compute@developer.gserviceaccount.com
So I added the CloudRun Invoker role to the above service account.
I have enabled CloudRun with Authentication Required.
However, when I exec into one of my pods and try to curl the endpoint, I get a 403 (which I also get from my laptop, but the latter is expected).
Any suggestions?
cURL doesn't know Google Cloud security. I mean that cURL doesn't know how to add the security token to your request. For this, you have to explicitly add the token in the header of your request.
From my computer I use this, because it's my personal account which is defined in the gcloud SDK.
curl -H "Authorization: Bearer $(gcloud config config-helper --format='value(credential.id_token)')" <URL>
With a service account defined in gcloud, you can use this command:
curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" <URL>
In both cases you have to add the authorization header to your request.
In your code, if you use Google libraries, you can use the default credentials; your default compute service account will be used. cURL doesn't know how to do this!
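An added example, not part of the original answer: from inside a pod, an identity token can be requested from the metadata server and checked before it is sent, which helps narrow down a 403. It assumes the pod reaches the node's metadata server (no Workload Identity) and that the service uses its own URL as the audience; the function names are hypothetical.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Metadata server endpoint that mints an ID token for the default service account.
METADATA_IDENTITY_URL = (
    "http://metadata.google.internal/computeMetadata/v1/"
    "instance/service-accounts/default/identity"
)

def build_token_request(audience):
    """Build the request for an ID token whose audience is the service URL."""
    query = urllib.parse.urlencode({"audience": audience, "format": "full"})
    return urllib.request.Request(
        f"{METADATA_IDENTITY_URL}?{query}",
        headers={"Metadata-Flavor": "Google"},  # required by the metadata server
    )

def decode_claims(id_token):
    """Decode the JWT payload without verifying the signature (diagnostics only)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(id_token, service_url, expected_email, now=None):
    """Return reasons the token is likely to be rejected; empty list if none found."""
    claims = decode_claims(id_token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != service_url:
        problems.append(f"aud is {claims.get('aud')!r}, not the service URL")
    email = claims.get("email")  # only compared when the claim is present
    if email is not None and email != expected_email:
        problems.append(f"token is for {email!r}, not the account granted the role")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    return problems

def call_service(service_url):
    """Fetch a token and call the service; a 403 raises urllib.error.HTTPError."""
    with urllib.request.urlopen(build_token_request(service_url), timeout=5) as r:
        token = r.read().decode()
    req = urllib.request.Request(service_url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, token
```

If `call_service` still fails with a 403, passing the fetched token to `diagnose` shows whether the audience or the calling account differs from what was configured.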