If one service wants to communicate with another service in Google Cloud, it’s required to set an “Authorization” header in the request.
Of course, prior to the above, it’s expected that you configure the receiving service to accept requests from the calling service by making the calling service’s service account a principal on the receiving service.
If you’re not setting the “Authorization” header, you’ll likely run into a 403.
$ curl -I 10.0.0.2
HTTP/1.1 403 Forbidden
date: Sun, 11 Sep 2022 18:00:50 GMT
content-type: text/html; charset=UTF-8
server: Google Frontend
content-length: 295
via: 1.1 google
Our receiving service is expecting a Google-signed OpenID Connect ID token as part of the request.
Using gcloud auth print-identity-token we can fetch a Google-signed ID token for the specified account (I’m using the underlying service account of the Compute Engine instance in the below example).
$ curl -I -H "Authorization: Bearer $(gcloud auth print-identity-token)" 10.0.0.2
HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
date: Sun, 11 Sep 2022 18:01:20 GMT
server: Google Frontend
via: 1.1 google
transfer-encoding: chunked
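The same call, written up as an added shell example (not code from the original post): it fetches the ID token, shows which identity the token will present so you can compare it with the principal you granted on the receiving service, and turns the HTTP status into a diagnosis. It assumes gcloud is installed or that it runs on a Compute Engine VM (where the metadata server mints the token), and SERVICE_URL is a placeholder for the receiving service's URL.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes gcloud is installed or
# that this runs on a Compute Engine VM whose attached service account has been
# made a principal (invoker) on the receiving service. SERVICE_URL is a placeholder.

# Base64url-decode the payload segment of a JWT. This is inspection only:
# the signature is verified by the receiving service, not here.
jwt_payload() {
  p=${1#*.}; p=${p%%.*}
  pad=$(( (4 - ${#p} % 4) % 4 ))
  { printf '%s' "$p" | tr '_-' '/+'
    while [ "$pad" -gt 0 ]; do printf '='; pad=$((pad - 1)); done; } | base64 -d
}

# The identity the token presents (its "email" claim). If this is not the
# principal you added to the receiving service, a 403 is expected.
token_identity() {
  jwt_payload "$1" | sed -n 's/.*"email" *: *"\([^"]*\)".*/\1/p'
}

# On a Compute Engine VM the metadata server issues an ID token for the attached
# service account; the audience should be the receiving service's URL.
metadata_identity_token() {
  curl -sf -H 'Metadata-Flavor: Google' \
    "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=$1"
}

# Send the request with the bearer token and return only the HTTP status code.
call_service() {
  curl -s -o /dev/null -w '%{http_code}' -H "Authorization: Bearer $2" "$1"
}

explain_status() {
  case "$1" in
    200)     echo "ok: ID token accepted" ;;
    401|403) echo "rejected: token missing, expired, or its identity is not a principal with invoker rights; check the email claim and audience" ;;
    *)       echo "unexpected HTTP status $1" ;;
  esac
}

main() {
  url=${1:?usage: $0 SERVICE_URL}
  token=$(metadata_identity_token "$url" 2>/dev/null) || token=''
  [ -n "$token" ] || token=$(gcloud auth print-identity-token)
  echo "presenting identity: $(token_identity "$token")"
  explain_status "$(call_service "$url" "$token")"
}

if [ $# -gt 0 ]; then main "$@"; fi
```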
Learn more about Cloud Run service-to-service authentication here.