If one service wants to communicate with another service in Google Cloud, it’s required to set an “Authorization” header in the request.

Of course, prior to the above, it’s expected that you configure the receiving service to accept requests from the calling service by making the calling service’s service account a principal on the receiving service.

If you’re not setting the “Authorization” header, you’ll likely run into a 403.

$ curl -I 10.0.0.2
HTTP/1.1 403 Forbidden
date: Sun, 11 Sep 2022 18:00:50 GMT
content-type: text/html; charset=UTF-8
server: Google Frontend
content-length: 295
via: 1.1 google

Our receiving service is expecting a Google-signed OpenID Connect ID token as part of the request.

Using gcloud auth print-identity-token we can fetch a Google-signed ID token for the currently active account (in the example below I’m using the service account attached to the Compute Engine instance).

$ curl -I -H "Authorization: Bearer $(gcloud auth print-identity-token)" 10.0.0.2
HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
date: Sun, 11 Sep 2022 18:01:20 GMT
server: Google Frontend
via: 1.1 google
transfer-encoding: chunked
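The same exchange done programmatically from a Compute Engine instance, as an added example that is not part of the original post. It uses the metadata server's identity endpoint (the path and the Metadata-Flavor header are Google's documented interface; the audience parameter is the receiving service's URL) instead of gcloud, attaches the token in the Authorization header, and sanity-checks the token's claims before sending so that a token minted for the wrong audience or already expired is caught locally rather than as a 403 from the receiver. The receiving service name, the caller's service account e-mail and the unsigned test token are constructed for illustration; the local claim check does not verify the signature, which only Google's frontend can do.

```python
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Optional

# Compute Engine metadata endpoint that mints a Google-signed OIDC ID token for the
# instance's attached service account. The audience must be the URL of the receiving
# Cloud Run service; a token minted for any other audience is rejected there.
METADATA_IDENTITY_URL = (
    "http://metadata.google.internal/computeMetadata/v1/instance/"
    "service-accounts/default/identity"
)
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")


def identity_token_request(audience: str) -> urllib.request.Request:
    """Build the metadata-server request for an ID token scoped to `audience`."""
    query = urllib.parse.urlencode({"audience": audience})
    # Metadata-Flavor is mandatory; it stops browsers and naive SSRF from reading tokens.
    return urllib.request.Request(
        f"{METADATA_IDENTITY_URL}?{query}", headers={"Metadata-Flavor": "Google"}
    )


def fetch_identity_token(audience: str) -> str:
    """Fetch the token body (only works on a GCE instance with an attached SA)."""
    with urllib.request.urlopen(identity_token_request(audience), timeout=5) as resp:
        return resp.read().decode("ascii").strip()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the *unverified* payload of a compact JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_fits_target(token: str, target_url: str, now: Optional[float] = None) -> bool:
    """True if issuer is Google, aud matches the target's origin, and exp is in the future."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    target = urllib.parse.urlsplit(target_url)
    aud = urllib.parse.urlsplit(str(claims.get("aud", "")))
    return (
        claims.get("iss") in GOOGLE_ISSUERS
        and (aud.scheme, aud.netloc) == (target.scheme, target.netloc)
        and float(claims.get("exp", 0)) > now
    )


def authorized_request(target_url: str, token: str) -> urllib.request.Request:
    """The request the receiving Cloud Run service expects: Bearer <ID token>."""
    return urllib.request.Request(target_url, headers={"Authorization": f"Bearer {token}"})


def call_service(target_url: str) -> int:
    """Mint a token for the target, check it, send it, and return the HTTP status."""
    token = fetch_identity_token(target_url)
    if not token_fits_target(token, target_url):
        raise RuntimeError("ID token does not fit the receiving service")
    with urllib.request.urlopen(authorized_request(target_url, token), timeout=10) as resp:
        return resp.status


def make_unsigned_test_token(claims: dict) -> str:
    """CONSTRUCTED for offline demonstration: an alg=none JWT with an empty signature.
    A real receiver rejects it; it only lets the claim checks above run without Google."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Hypothetical receiving service URL; on a real instance this prints 200 once the
    # caller's service account is a principal (roles/run.invoker) on the receiver.
    print(call_service("https://receiver-abc123-uc.a.run.app"))
```

The audience check compares only scheme and host, so a token minted for the service root is accepted for any path on that service, which is how Cloud Run treats it; the expiry check uses an injectable clock so the behaviour is testable without waiting.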

Learn more on Cloud Run service-to-service authentication here.