sequenceDiagram
participant Client
participant BFF
participant SA as Invoker Service Account
participant Server
Note over Client,Server: initialize BFF
BFF->>SA: Get ID token
SA-->>BFF: ID token
Note over Client,Server: request from client
Client->>BFF: HTTP/JSON request
BFF->>Server: gRPC request with ID token
Server-->>BFF: gRPC response
BFF->>Client: HTTP/JSON response
- You need to have
- a valid GCP account
- authenticated by
gcloud auth application-default login
- authenticated by
- Docker environment in your local machine
- a valid GCP account
- Deploy server to Cloud Run
PROJECT_ID=xxx make deploy- Remember Cloud Run service domain (exclude
https://from service URL)- e.g.
xxx-yyy.a.run.app
- e.g.
- Create service account
cloud-run-invoker@<PROJECT_ID>.iam.gserviceaccount.com - Grant
roles/run.invokerrole of the deployed Cloud Run app to the above service a ccount - Grant
roles/iam.serviceAccountTokenCreatorof the above service account to your GCP user account- Note that
roles/ownerdoes NOT have permission to impersonate a certain service account (i.e.iam.serviceAccounts.getAccessToken)
- Note that
- Run BFF
CLOUD_RUN_ENDPOINT: The Cloud Run app domainIMPERSONATE_SA_EMAIL: The email address of the above service acccount
make build-bff-image
CLOUD_RUN_ENDPOINT=xxx-yyy.a.run.app IMPERSONATE_SA_EMAIL=cloud-run-invoker@xxx.iam.gserviceaccount.com make run-bff-image- Call service endpoint through BFF
$ curl localhost:8080/v1/hello/sayhello/dtan4
{"message":"Hello, dtan4"}