TechQA.

Google Cloud Run Service connection timeout when trying to call Auth0 OpenID configuration endpoint

1.7k views Asked by At

I created a backend service that connects to the Auth0 oauth2 endpoint. When testing all of this locally on localhost it works fine with the provided configurations. However as soon as I deploy the backend service to Google Cloud Run it fails to work because the configuration endpoint is having a connection timeout.

Here is the error log:

Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://myproject.eu.auth0.com/.well-known/openid-configuration": Connection timed out (Connection timed out); nested exception is java.net.ConnectException: Connection timed out (Connection timed out)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:785)
    at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:670)
    at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getConfiguration(JwtDecoderProviderConfigurationUtils.java:150)
    ... 77 common frames omitted

Here is my Cloud Run service configuration:

  - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
    entrypoint: gcloud
    args:
      - 'alpha'
      - 'run'
      - 'deploy'
      - 'foo-service'
      - '--image=eu.gcr.io/$PROJECT_ID/foo-service:$BUILD_ID'
      - '--concurrency=80'
      - '--cpu=2'
      - '--memory=512Mi'
      - '--region=europe-west4'
      - '--min-instances=1'
      - '--max-instances=2'
      - '--platform=managed'
      - '--port=8080'
      - '--timeout=3000'
      - '--set-env-vars=SQL_CONNECTION=10.113.160.3, SQL_USER=root, SQL_PASSWORD=root, SQL_DATABASE=dev'
      - '--set-env-vars=LOG_LEVEL=debug'
      - '--ingress=internal'
      - '--allow-unauthenticated'
      - '--vpc-connector=cloud-run'
      - '--vpc-egress=all-traffic'

I guess the important part here is the --vpc-egress=all-traffic option so I am sure that the service is able to communicate to the outside.

However the Ingress is configured to --ingress=internal. Might this be a problem? I thought when I have an egress defined and there is a request being launched through that - that it will receive the response through that channel again and it should not be routed through the ingress and therefore be blocked by its policies?

Edit #1 Removing the ingress=internal option did not seem to work. I guess it's because it's being disabled by default if an egress is defined.

auth0 google-cloud-run egress
Original Q&A
1

There are 1 answers

4
jackdbd On BEST ANSWER

The option --vpc-egress=all-traffic means that all traffic originating from your Cloud Run service goes through the VPC connector you called cloud-run. If you use that option, I don't think you can reach your Auth0 endpoint at https://myproject.eu.auth0.com/.well-known/openid-configuration. That's why the connection Cloud Run service => Auth0 times out.

I guess you need the VPC connector to connect to the private IP of your Cloud SQL instance. So only the traffic from your Cloud Run service to your Cloud SQL instance's private IP should go through the VPC connector. I think you can achieve this by using --vpc-egress=private-ranges-only instead.

Also, by setting --ingress=internal you are saying that your Cloud Run service can only be called within your VPC network. This means that Auth0 won't be able to call your Cloud Run service.

Related Questions in AUTH0

Related Questions in GOOGLE-CLOUD-RUN

Related Questions in EGRESS

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions