Google App Engine inter module communication authorization (python)

Question

Citing Google App Engine inter module communication authorization the problem I have is that in the Docs (communication between modules) says:

You can configure any manual or basic scaling module to accept requests from other modules in your app by restricting its handler to only allow administrator accounts, specifying login: admin for the appropriate handler in the module's configuration file. With this restriction in place, any URLFetch from any other module in the app will be automatically authenticated by App Engine, and any request that is not from the application will be rejected.

And this is exactly the configuration I have for my module called "api1". In my app.yaml file I have:

# can accept requests from other modules.
# with login: admin and they are authenticated automatically.
- url: /.*
  script: _go_app
  login: admin

I'm trying now, from a different module in the same app, to make a service call as suggested in the doc using urfetch.fetch() method, and my implementation is:

from google.appengine.api import urlfetch, modules, app_identity
from rest_framework.response import Response, status

@api_view(['POST'])
def validate_email(request):
    url = "http://%s/" % modules.get_hostname(module="api1")
    payload = json.dumps({"SOME_KEY":"SOME_VALUE"})

    appid = app_identity.get_application_id()
    result = urlfetch.fetch(url + "emails/validate/document",
                            follow_redirects=False,
                            method=urlfetch.POST,
                            payload=payload,
                            headers={"Content-Type":"application/json")

    return Response({
        'status_code': result.status_code,
        'content': result.content
    }, status=status.HTTP_200_OK)

According to the documentation, having specified the follow_redirects=False, fetch() will automatically insert an header in my call (I've even tried to add it explicitly) with the "X-Appengine-Inbound-Appid" : MY-APP-ID. Unfortunately I get as result of the fetch call a 302 redirect, if I follow it, it's a redirect to the authentication form. This occurs in Development server as well as in Production.

Can you please let me know how can I call my api1 service inside my validate_email method (belonging to a different module in the same app)? Is there another way to authenticate the call since it seems the way suggested inside the documentation is not working?

Thank you

Answer 1

As written here this is a tracked issue now on google appengine public issue tracker. So everyone can go there to check for updates.

In the meanwhile I solved the issue removing the login: admin from the app.yaml and in the handler of my service I've checked manually for the existence of the header X-Appengine-Inbound-Appid and its value.