diff --git a/README.md b/README.md
index 2bc8f6b..22cf805 100644
--- a/README.md
+++ b/README.md
@@ -15,9 +15,7 @@ This README is organized into four parts:
Tag Engine v2 comes with two Cloud Run services. One service is for the API (`tag-engine-api`) and the other is for the UI (`tag-engine-ui`).
-The Cloud Run API service uses Bearer token headers for authentication.
-
-The Cloud Run UI service uses OAuth for authentication. It also uses the OAuth client's credentials (`client_secret.json`) for impersonation.
+Both services use access tokens for authorization. The API service expects the client to pass in an access token when calling the API functions whereas the UI service uses OAuth to authorize the client from the front end. The client secret file is required for the OAuth flow.
Follow the 6 steps below to deploy Tag Engine v2 with Terraform and without a load balancer.
diff --git a/deploy/external_load_balancer/cloud_run.tf b/deploy/external_load_balancer/cloud_run.tf
index 054976c..548a052 100644
--- a/deploy/external_load_balancer/cloud_run.tf
+++ b/deploy/external_load_balancer/cloud_run.tf
@@ -57,8 +57,15 @@ resource "google_cloud_run_v2_service" "api_service" {
}
containers {
- image = null_resource.build_api_image.triggers.full_image_path
- }
+ image = null_resource.build_api_image.triggers.full_image_path
+
+ resources {
+ limits = {
+ memory = "1024Mi"
+ }
+ cpu_idle = true
+ }
+ }
}
depends_on = [null_resource.build_api_image]
}
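Review bot: The `memory = "1024Mi"` limit is hard-coded here and repeated verbatim in the `ui_service` hunk of this file and in both services of deploy/without_load_balancer/cloud_run.tf; lifting it into one input variable, e.g. `memory = var.cloud_run_memory` with a `"1024Mi"` default, keeps the two deployment variants from drifting apart. Only `memory` is set under `limits`, so CPU stays at the provider default, which is presumably intended; a one-line `# cpu is left at the provider default; cpu_idle throttles it between requests` above `cpu_idle = true` would make that explicit for the next reader. The enclosing `api_service` resource starts before this hunk.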
@@ -126,9 +133,16 @@ resource "google_cloud_run_v2_service" "ui_service" {
}
containers {
-
- image = null_resource.build_ui_image.triggers.full_image_path
+ image = null_resource.build_ui_image.triggers.full_image_path
+
+ resources {
+ limits = {
+ memory = "1024Mi"
+ }
+ cpu_idle = true
+ }
}
+
vpc_access {
connector = google_vpc_access_connector.connector.id
egress = "PRIVATE_RANGES_ONLY"
diff --git a/deploy/external_load_balancer/iam_bindings.tf b/deploy/external_load_balancer/iam_bindings.tf
index ae25fd6..9189491 100644
--- a/deploy/external_load_balancer/iam_bindings.tf
+++ b/deploy/external_load_balancer/iam_bindings.tf
@@ -148,7 +148,7 @@ resource "google_project_iam_binding" "PolicyTagReader" {
}
resource "google_project_iam_binding" "BigQuerySchemaUpdate" {
- project = var.tag_engine_project
+ project = var.bigquery_project
role = "projects/${var.bigquery_project}/roles/BigQuerySchemaUpdate"
members = ["serviceAccount:${var.tag_creator_sa}"]
depends_on = [google_project_service.tag_engine_project]
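Review bot: `google_project_iam_binding` is authoritative for the role it names, so now that this binding targets `var.bigquery_project` an apply removes every member of the `BigQuerySchemaUpdate` custom role in that project except `tag_creator_sa`; the manual deployment doc on this page describes `BIGQUERY_PROJECT` as possibly a separate project shared with data-owning teams, where that wipe would be a silent privilege change for other principals. Unless exclusive ownership of the role is intended, use the non-authoritative form, `resource "google_project_iam_member" "BigQuerySchemaUpdate" {` with `member = "serviceAccount:${var.tag_creator_sa}"`. The `depends_on = [google_project_service.tag_engine_project]` still points at the Tag Engine project's API enablement while the resource now lives in the BigQuery project; if the custom role is created by this configuration (not visible here), depending on that role resource instead would order the binding correctly. The identical change appears in deploy/without_load_balancer/iam_bindings.tf.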
diff --git a/deploy/external_load_balancer/task_queues.tf b/deploy/external_load_balancer/task_queues.tf
index a44ce0b..10bf9b3 100644
--- a/deploy/external_load_balancer/task_queues.tf
+++ b/deploy/external_load_balancer/task_queues.tf
@@ -33,7 +33,7 @@ resource "google_cloud_tasks_queue" "work_queue" {
}
retry_config {
- max_attempts = 1
+ max_attempts = 2
}
stackdriver_logging_config {
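Review bot: `max_attempts = 2` means Cloud Tasks redelivers a failed work item once, so the handler behind this queue must be safe to run twice for the same item; that handler is not in this diff, so idempotence cannot be confirmed here and deserves a comment on the line, such as `# retried once on failure; the work-item handler must tolerate duplicate delivery`. docs/manual_deployment.md on this page still creates `tag-engine-work-queue` with `--max-attempts=1`, so the manual and Terraform deployments now disagree. The same bump appears in deploy/without_load_balancer/task_queues.tf. In that same doc, the IAP variant of the UI deploy command reads `--memory=1024Mi,` with a stray trailing comma that gcloud will reject as the flag value.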
diff --git a/deploy/without_load_balancer/cloud_run.tf b/deploy/without_load_balancer/cloud_run.tf
index f653f8e..20aa2ee 100644
--- a/deploy/without_load_balancer/cloud_run.tf
+++ b/deploy/without_load_balancer/cloud_run.tf
@@ -6,7 +6,6 @@ resource "google_artifact_registry_repository" "image_registry" {
depends_on = [google_project_service.tag_engine_project]
}
-
# ************************************************************ #
# Create the Cloud Run API service
# ************************************************************ #
@@ -57,8 +56,15 @@ resource "google_cloud_run_v2_service" "api_service" {
}
containers {
- image = null_resource.build_api_image.triggers.full_image_path
- }
+ image = null_resource.build_api_image.triggers.full_image_path
+
+ resources {
+ limits = {
+ memory = "1024Mi"
+ }
+ cpu_idle = true
+ }
+ }
}
depends_on = [null_resource.build_api_image]
}
@@ -118,9 +124,15 @@ resource "google_cloud_run_v2_service" "ui_service" {
}
containers {
-
- image = null_resource.build_ui_image.triggers.full_image_path
- }
+ image = null_resource.build_ui_image.triggers.full_image_path
+
+ resources {
+ limits = {
+ memory = "1024Mi"
+ }
+ cpu_idle = true
+ }
+ }
}
depends_on = [null_resource.build_ui_image]
}
diff --git a/deploy/without_load_balancer/iam_bindings.tf b/deploy/without_load_balancer/iam_bindings.tf
index ae25fd6..9189491 100644
--- a/deploy/without_load_balancer/iam_bindings.tf
+++ b/deploy/without_load_balancer/iam_bindings.tf
@@ -148,7 +148,7 @@ resource "google_project_iam_binding" "PolicyTagReader" {
}
resource "google_project_iam_binding" "BigQuerySchemaUpdate" {
- project = var.tag_engine_project
+ project = var.bigquery_project
role = "projects/${var.bigquery_project}/roles/BigQuerySchemaUpdate"
members = ["serviceAccount:${var.tag_creator_sa}"]
depends_on = [google_project_service.tag_engine_project]
diff --git a/deploy/without_load_balancer/task_queues.tf b/deploy/without_load_balancer/task_queues.tf
index a44ce0b..10bf9b3 100644
--- a/deploy/without_load_balancer/task_queues.tf
+++ b/deploy/without_load_balancer/task_queues.tf
@@ -33,7 +33,7 @@ resource "google_cloud_tasks_queue" "work_queue" {
}
retry_config {
- max_attempts = 1
+ max_attempts = 2
}
stackdriver_logging_config {
diff --git a/docs/manual_deployment.md b/docs/manual_deployment.md
index 625ff57..8ed57b5 100644
--- a/docs/manual_deployment.md
+++ b/docs/manual_deployment.md
@@ -10,16 +10,16 @@ This procedure deploys the Tag Engine v2 components by hand. The steps are carri
2. Define 6 environment variables which will be used throughout the deployment:
-```
-export TAG_ENGINE_PROJECT="" # GCP project id for running the Tag Engine service
-export TAG_ENGINE_REGION="" # GCP region for running Tag Engine service, e.g. us-central1
+ ```
+ export TAG_ENGINE_PROJECT="" # GCP project id for running the Tag Engine service
+ export TAG_ENGINE_REGION="" # GCP region for running Tag Engine service, e.g. us-central1
-export BIGQUERY_PROJECT="" # GCP project used by BigQuery data assets, can be equal to TAG_ENGINE_PROJECT. This variable is only used for setting IAM permissions in steps 10 and 11
-export BIGQUERY_REGION="" # GCP region in which data assets in BigQuery are stored, e.g. us-central1
+ export BIGQUERY_PROJECT="" # GCP project used by BigQuery data assets, can be equal to TAG_ENGINE_PROJECT. This variable is only used for setting IAM permissions in steps 10 and 11
+ export BIGQUERY_REGION="" # GCP region in which data assets in BigQuery are stored, e.g. us-central1
-export TAG_ENGINE_SA="@.iam.gserviceaccount.com" # email of your Cloud Run service account for running Tag Engine service
-export TAG_CREATOR_SA="@.iam.gserviceaccount.com" # email of your Tag creator service account for running BQ queries and creating DC tags
-```
+ export TAG_ENGINE_SA="@.iam.gserviceaccount.com" # email of your Cloud Run service account for running Tag Engine service
+ export TAG_CREATOR_SA="@.iam.gserviceaccount.com" # email of your Tag creator service account for running BQ queries and creating DC tags
+ ```
The key benefit of decoupling `TAG_ENGINE_SA` from `TAG_CREATOR_SA` is to limit the scope of what a Tag Engine client is allowed to tag. More specifically, when a client submits a request to Tag Engine, Tag Engine checks to see if they are authorized to use `TAG_CREATOR_SA` before processing their request. A Tag Engine client can either be a user identity or a service account.
@@ -39,15 +39,15 @@ If multiple teams want to share an instance of Tag Engine and they own different
4. Open `tagengine.ini` and set the following variables in this file. The first five should be equal to the environment variables you previously set in step 2:
-```
-TAG_ENGINE_PROJECT
-TAG_ENGINE_REGION
-BIGQUERY_REGION
-CLOUD_RUN_ACCOUNT
-TAG_CREATOR_ACCOUNT
-OAUTH_CLIENT_CREDENTIALS
-ENABLE_AUTH
-```
+ ```
+ TAG_ENGINE_PROJECT
+ TAG_ENGINE_REGION
+ BIGQUERY_REGION
+ CLOUD_RUN_ACCOUNT
+ TAG_CREATOR_ACCOUNT
+ OAUTH_CLIENT_CREDENTIALS
+ ENABLE_AUTH
+ ```
A couple of notes:
@@ -60,28 +60,28 @@ ENABLE_AUTH
5. Enable the required Google Cloud APIs in your project:
-`gcloud config set project $TAG_ENGINE_PROJECT`
-
-```
-gcloud services enable iam.googleapis.com
-gcloud services enable cloudresourcemanager.googleapis.com
-gcloud services enable firestore.googleapis.com
-gcloud services enable cloudtasks.googleapis.com
-gcloud services enable datacatalog.googleapis.com
-gcloud services enable artifactregistry.googleapis.com
-gcloud services enable cloudbuild.googleapis.com
-```
+ `gcloud config set project $TAG_ENGINE_PROJECT`
+
+ ```
+ gcloud services enable iam.googleapis.com
+ gcloud services enable cloudresourcemanager.googleapis.com
+ gcloud services enable firestore.googleapis.com
+ gcloud services enable cloudtasks.googleapis.com
+ gcloud services enable datacatalog.googleapis.com
+ gcloud services enable artifactregistry.googleapis.com
+ gcloud services enable cloudbuild.googleapis.com
+ ```
6. Create two task queues, the first one is used to queue the tag request, the second is used to queue the individual work items:
-```
-gcloud tasks queues create tag-engine-injector-queue \
- --location=$TAG_ENGINE_REGION --max-attempts=1 --max-concurrent-dispatches=100
+ ```
+ gcloud tasks queues create tag-engine-injector-queue \
+ --location=$TAG_ENGINE_REGION --max-attempts=1 --max-concurrent-dispatches=100
-gcloud tasks queues create tag-engine-work-queue \
- --location=$TAG_ENGINE_REGION --max-attempts=1 --max-concurrent-dispatches=100
-```
+ gcloud tasks queues create tag-engine-work-queue \
+ --location=$TAG_ENGINE_REGION --max-attempts=1 --max-concurrent-dispatches=100
+ ```
7. Create two custom IAM roles which are required by `SENSITIVE_COLUMN_CONFIG`, a configuration type that creates policy tags on sensitive columns:
@@ -104,91 +104,91 @@ gcloud iam roles create PolicyTagReader \
8. Grant the required IAM roles and policy bindings for the accounts `TAG_ENGINE_SA` and `TAG_CREATOR_SA`:
-```
-gcloud projects add-iam-policy-binding $TAG_ENGINE_PROJECT \
- --member=serviceAccount:$TAG_ENGINE_SA \
- --role=roles/cloudtasks.enqueuer
+ ```
+ gcloud projects add-iam-policy-binding $TAG_ENGINE_PROJECT \
+ --member=serviceAccount:$TAG_ENGINE_SA \
+ --role=roles/cloudtasks.enqueuer
-gcloud projects add-iam-policy-binding $TAG_ENGINE_PROJECT \
- --member=serviceAccount:$TAG_ENGINE_SA \
- --role=roles/cloudtasks.taskRunner
+ gcloud projects add-iam-policy-binding $TAG_ENGINE_PROJECT \
+ --member=serviceAccount:$TAG_ENGINE_SA \
+ --role=roles/cloudtasks.taskRunner
-gcloud projects add-iam-policy-binding $TAG_ENGINE_PROJECT \
- --member=serviceAccount:$TAG_ENGINE_SA \
- --role=roles/datastore.user
+ gcloud projects add-iam-policy-binding $TAG_ENGINE_PROJECT \
+ --member=serviceAccount:$TAG_ENGINE_SA \
+ --role=roles/datastore.user
-gcloud projects add-iam-policy-binding $TAG_ENGINE_PROJECT \
- --member=serviceAccount:$TAG_ENGINE_SA \
- --role=roles/datastore.indexAdmin
+ gcloud projects add-iam-policy-binding $TAG_ENGINE_PROJECT \
+ --member=serviceAccount:$TAG_ENGINE_SA \
+ --role=roles/datastore.indexAdmin
-gcloud projects add-iam-policy-binding $TAG_ENGINE_PROJECT \
- --member=serviceAccount:$TAG_ENGINE_SA \
- --role=roles/run.invoker
-```
-
-```
-gcloud projects add-iam-policy-binding $TAG_ENGINE_PROJECT \
- --member=serviceAccount:$TAG_CREATOR_SA \
- --role=roles/datacatalog.tagEditor
-
-gcloud projects add-iam-policy-binding $TAG_ENGINE_PROJECT \
- --member=serviceAccount:$TAG_CREATOR_SA \
- --role=roles/datacatalog.tagTemplateUser
+ gcloud projects add-iam-policy-binding $TAG_ENGINE_PROJECT \
+ --member=serviceAccount:$TAG_ENGINE_SA \
+ --role=roles/run.invoker
+ ```
+
+ ```
+ gcloud projects add-iam-policy-binding $TAG_ENGINE_PROJECT \
+ --member=serviceAccount:$TAG_CREATOR_SA \
+ --role=roles/datacatalog.tagEditor
+
+ gcloud projects add-iam-policy-binding $TAG_ENGINE_PROJECT \
+ --member=serviceAccount:$TAG_CREATOR_SA \
+ --role=roles/datacatalog.tagTemplateUser
-gcloud projects add-iam-policy-binding $TAG_ENGINE_PROJECT \
- --member=serviceAccount:$TAG_CREATOR_SA \
- --role=roles/datacatalog.tagTemplateViewer
+ gcloud projects add-iam-policy-binding $TAG_ENGINE_PROJECT \
+ --member=serviceAccount:$TAG_CREATOR_SA \
+ --role=roles/datacatalog.tagTemplateViewer
-gcloud projects add-iam-policy-binding $TAG_ENGINE_PROJECT \
- --member=serviceAccount:$TAG_CREATOR_SA \
- --role=roles/datacatalog.viewer
+ gcloud projects add-iam-policy-binding $TAG_ENGINE_PROJECT \
+ --member=serviceAccount:$TAG_CREATOR_SA \
+ --role=roles/datacatalog.viewer
-gcloud projects add-iam-policy-binding $BIGQUERY_PROJECT \
- --member=serviceAccount:$TAG_CREATOR_SA \
- --role=roles/bigquery.dataEditor
+ gcloud projects add-iam-policy-binding $BIGQUERY_PROJECT \
+ --member=serviceAccount:$TAG_CREATOR_SA \
+ --role=roles/bigquery.dataEditor
-gcloud projects add-iam-policy-binding $BIGQUERY_PROJECT \
- --member=serviceAccount:$TAG_CREATOR_SA \
- --role=roles/bigquery.jobUser
-
-gcloud projects add-iam-policy-binding $BIGQUERY_PROJECT \
- --member=serviceAccount:$TAG_CREATOR_SA \
- --role=roles/bigquery.metadataViewer
-
-gcloud projects add-iam-policy-binding $TAG_ENGINE_PROJECT \
- --member=serviceAccount:$TAG_CREATOR_SA \
- --role=roles/logging.viewer
-
-gcloud projects add-iam-policy-binding $TAG_ENGINE_PROJECT \
- --member=serviceAccount:$TAG_CREATOR_SA \
- --role=projects/$TAG_ENGINE_PROJECT/roles/PolicyTagReader
-
-gcloud projects add-iam-policy-binding $BIGQUERY_PROJECT \
- --member=serviceAccount:$TAG_CREATOR_SA \
- --role=projects/$BIGQUERY_PROJECT/roles/BigQuerySchemaUpdate
-```
-
-```
-gcloud iam service-accounts add-iam-policy-binding $TAG_ENGINE_SA \
- --member=serviceAccount:$TAG_ENGINE_SA --role roles/iam.serviceAccountUser
+ gcloud projects add-iam-policy-binding $BIGQUERY_PROJECT \
+ --member=serviceAccount:$TAG_CREATOR_SA \
+ --role=roles/bigquery.jobUser
+
+ gcloud projects add-iam-policy-binding $BIGQUERY_PROJECT \
+ --member=serviceAccount:$TAG_CREATOR_SA \
+ --role=roles/bigquery.metadataViewer
+
+ gcloud projects add-iam-policy-binding $TAG_ENGINE_PROJECT \
+ --member=serviceAccount:$TAG_CREATOR_SA \
+ --role=roles/logging.viewer
+
+ gcloud projects add-iam-policy-binding $TAG_ENGINE_PROJECT \
+ --member=serviceAccount:$TAG_CREATOR_SA \
+ --role=projects/$TAG_ENGINE_PROJECT/roles/PolicyTagReader
+
+ gcloud projects add-iam-policy-binding $BIGQUERY_PROJECT \
+ --member=serviceAccount:$TAG_CREATOR_SA \
+ --role=projects/$BIGQUERY_PROJECT/roles/BigQuerySchemaUpdate
+ ```
+
+ ```
+ gcloud iam service-accounts add-iam-policy-binding $TAG_ENGINE_SA \
+ --member=serviceAccount:$TAG_ENGINE_SA --role roles/iam.serviceAccountUser
-gcloud iam service-accounts add-iam-policy-binding $TAG_CREATOR_SA \
- --member=serviceAccount:$TAG_ENGINE_SA --role=roles/iam.serviceAccountUser
+ gcloud iam service-accounts add-iam-policy-binding $TAG_CREATOR_SA \
+ --member=serviceAccount:$TAG_ENGINE_SA --role=roles/iam.serviceAccountUser
-gcloud iam service-accounts add-iam-policy-binding $TAG_CREATOR_SA \
- --member=serviceAccount:$TAG_ENGINE_SA --role=roles/iam.serviceAccountTokenCreator
-```
+ gcloud iam service-accounts add-iam-policy-binding $TAG_CREATOR_SA \
+ --member=serviceAccount:$TAG_ENGINE_SA --role=roles/iam.serviceAccountTokenCreator
+ ```
Note: If you plan to create tags from CSV files, you also need to ensure that `TAG_CREATOR_SA` has the
`storage.buckets.get` permission on the GCS bucket where the CSV files are stored. To do that, you can create a custom role with
this permission or assign the `storage.legacyBucketReader` role:
-```
-gcloud storage buckets add-iam-policy-binding gs:// \
- --member=serviceAccount:$TAG_CREATOR_SA' \
- --role=roles/storage.legacyBucketReader
-```
+ ```
+ gcloud storage buckets add-iam-policy-binding gs:// \
+ --member=serviceAccount:$TAG_CREATOR_SA' \
+ --role=roles/storage.legacyBucketReader
+ ```
@@ -209,55 +209,75 @@ gcloud alpha firestore databases create --project=$TAG_ENGINE_PROJECT --location
First, you must download a private key for your `$TAG_ENGINE_SA`:
-```
-gcloud iam service-accounts keys create private_key.json --iam-account=$TAG_ENGINE_SA
-export GOOGLE_APPLICATION_CREDENTIALS="private_key.json"
-```
+ ```
+ gcloud iam service-accounts keys create private_key.json --iam-account=$TAG_ENGINE_SA
+ export GOOGLE_APPLICATION_CREDENTIALS="private_key.json"
+ ```
Second, create the composite indexes which are needed for serving multiple read requests:
-```
-cd deploy
-python create_indexes.py $TAG_ENGINE_PROJECT
-cd ..
-```
+ ```
+ pip install google-cloud-firestore
+ cd deploy/external_load_balancer
+ python create_indexes.py $TAG_ENGINE_PROJECT
+ cd ..
+ ```
- Note: the above script is expected to run for 10-12 minutes. As the indexes get created, you will see them show up in the Firestore console. There should be 36 indexes in total.
+ Note: the above script is expected to run for 10-12 minutes. As the indexes get created, you will see them show up in the Firestore console. There should be about 36 indexes.
-
11. Build and deploy the Cloud Run services:
- There is one Cloud Run service for the API and one Cloud Run service for the UI. They are both built from the same code base.
+ There is one service in Cloud Run for the API (tag-engine-api) and another service in Cloud Run for the UI (tag-engine-ui). They are both built from the same code base.
The next two commands require `gcloud beta`. You can install `gcloud beta` by running `gcloud components install beta`.
-```
-gcloud beta run deploy tag-engine-api \
- --source . \
- --platform managed \
- --region $TAG_ENGINE_REGION \
- --no-allow-unauthenticated \
- --ingress=all \
- --service-account=$TAG_ENGINE_SA
-```
-
- The next command requires a VPC access connector. This is used to send requests to your VPC network from Cloud Run using internal DNS and internal IP addresses as opposed to going through the public internet. To create a connector, consult [this page](https://cloud.google.com/vpc/docs/configure-serverless-vpc-access#gcloud).
-
-```
-gcloud beta run deploy tag-engine-ui \
- --source . \
- --platform managed \
- --region $TAG_ENGINE_REGION \
- --allow-unauthenticated \
- --ingress=internal-and-cloud-load-balancing \
- --port=8080 \
- --min-instances=0 \
- --max-instances=5 \
- --service-account=$TAG_ENGINE_SA \
- --vpc-connector=projects/$TAG_ENGINE_PROJECT/locations/$TAG_ENGINE_REGION/connectors/$VPC_CONNECTOR \
- --vpc-egress=private-ranges-only
-```
+ ```
+ gcloud beta run deploy tag-engine-api \
+ --source . \
+ --platform managed \
+ --region $TAG_ENGINE_REGION \
+ --no-allow-unauthenticated \
+ --ingress=all \
+ --memory=1024Mi \
+ --service-account=$TAG_ENGINE_SA
+ ```
+
+ To deploy the UI service without IAP:
+
+ ```
+ gcloud beta run deploy tag-engine-ui \
+ --source . \
+ --platform managed \
+ --region $TAG_ENGINE_REGION \
+ --allow-unauthenticated \
+ --ingress=all \
+ --memory=1024Mi \
+ --service-account=$TAG_ENGINE_SA
+
+ ```
+
+ To deploy the UI service behind IAP:
+
+ Note: This option requires an external load balancer and VPC access connector.
+
+ Create a VPC access connector before running the next command. This connector is used to send requests to your VPC network from Cloud Run using internal DNS and internal IP addresses as opposed to going through the public internet. To create a connector, consult [this page](https://cloud.google.com/vpc/docs/configure-serverless-vpc-access#gcloud).
+
+ ```
+ gcloud beta run deploy tag-engine-ui \
+ --source . \
+ --platform managed \
+ --region $TAG_ENGINE_REGION \
+ --allow-unauthenticated \
+ --ingress=internal-and-cloud-load-balancing \
+ --port=8080 \
+ --min-instances=0 \
+ --max-instances=5 \
+ --memory=1024Mi,
+ --service-account=$TAG_ENGINE_SA \
+ --vpc-connector=projects/$TAG_ENGINE_PROJECT/locations/$TAG_ENGINE_REGION/connectors/$VPC_CONNECTOR \
+ --vpc-egress=private-ranges-only
+ ```
@@ -265,30 +285,34 @@ gcloud beta run deploy tag-engine-ui \
If you are deploying the API, run:
-```
-export API_SERVICE_URL=`gcloud run services describe tag-engine-api --format="value(status.url)"`
-gcloud run services update tag-engine-api --set-env-vars SERVICE_URL=$API_SERVICE_URL
-```
+ ```
+ export API_SERVICE_URL=`gcloud run services describe tag-engine-api --format="value(status.url)"`
+ gcloud run services update tag-engine-api --set-env-vars SERVICE_URL=$API_SERVICE_URL
+ ```
If you are deploying the UI, run:
-```
-export UI_SERVICE_URL=`gcloud run services describe tag-engine-ui --format="value(status.url)"`
-gcloud run services update tag-engine-ui --set-env-vars SERVICE_URL=$UI_SERVICE_URL
-```
+ ```
+ export UI_SERVICE_URL=`gcloud run services describe tag-engine-ui --format="value(status.url)"`
+ gcloud run services update tag-engine-ui --set-env-vars SERVICE_URL=$UI_SERVICE_URL
+ ```
-13. Put an HTTP Load Balancer in front of the UI Cloud Run service:
+13. Put an HTTP External Load Balancer in front of the UI Cloud Run service:
- Note: This step is only required if you are deploying the UI.
+ If you are deploying the UI service in Cloud Run without a load balancer, skip this step.
+
+ The benefit of fronting the UI with a load balancer is to be able to secure access with IAP (Note: IAP is in addition to OAuth).
+
+ You cannot attach IAP directly to a Cloud Run service, you need to go through a load balancer.
- - Create an application load balancer that accepts incoming HTTPS requests
- - Attach the frontend of the load balancer to your Tag Engine domain
- - Create a [serverless network endpoint group](https://cloud.google.com/load-balancing/docs/negs/serverless-neg-concepts) (or NEG) that references the Tag Engine UI Cloud Run service (tag-engine-ui)
+ - Create an external application load balancer that accepts incoming HTTPS requests
+ - Attach the frontend of the load balancer to your custom domain for Tag Engine
+ - Create a [serverless network endpoint group](https://cloud.google.com/load-balancing/docs/negs/serverless-neg-concepts) (or NEG) that references the Tag Engine UI Cloud Run service (tag-engine-ui)
- Attach the backend of the load balancer to the NEG
- Once the load balancer is up, use its IP address to create an `A record` in Cloud DNS.
+ Once the external load balancer is up, use its IP address to create an `A record` in Cloud DNS.
Open IAP and confirm that it is connected to your load balancer's backend.
Inside IAP, grant the `IAP-secured Web App User` role to the user identities who are allowed to access the Tag Engine UI.
diff --git a/main.py b/main.py
index d735bd9..4f82e05 100644
--- a/main.py
+++ b/main.py
@@ -56,13 +56,29 @@ def check_service_url():
return -1
check_service_url()
-##################### INIT GLOBAL VARIABLES ##################################
-print('enable_auth variable:', config['DEFAULT']['ENABLE_AUTH'].lower())
+##################### CHECK CLIENT SECRET #####################
+
if config['DEFAULT']['ENABLE_AUTH'].lower() == 'true' or config['DEFAULT']['ENABLE_AUTH'] == 1:
ENABLE_AUTH = True
+ print('Info: ENABLE_AUTH = True')
else:
ENABLE_AUTH = False
+ print('Info: ENABLE_AUTH = False. This option is only supported in API mode as the client secret is needed to obtain an access token from the UI.')
+
+def check_client_secret():
+ if 'OAUTH_CLIENT_CREDENTIALS' in config['DEFAULT']:
+ OAUTH_CLIENT_CREDENTIALS = config['DEFAULT']['OAUTH_CLIENT_CREDENTIALS'].strip()
+ else:
+ if 'tag-engine-ui-' in os.environ['SERVICE_URL']:
+ print('Fatal Error: The Tag Engine UI requires the OAUTH_CLIENT_CREDENTIALS variable to be set. Please set it in tagengine.ini.')
+ return -1
+ else:
+ print('Info: running in API mode without the client secret file')
+
+check_client_secret()
+
+##################### INIT GLOBAL VARIABLES ##################################
TAG_ENGINE_PROJECT = config['DEFAULT']['TAG_ENGINE_PROJECT'].strip()
TAG_ENGINE_REGION = config['DEFAULT']['TAG_ENGINE_REGION'].strip()
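Review bot: `check_client_secret()` prints "Fatal Error" and returns -1, but the bare call `check_client_secret()` discards that value, so the UI service keeps starting without the client secret and fails later rather than at startup. The `OAUTH_CLIENT_CREDENTIALS` assigned inside the function is a local that is dropped on return, while the module-level `OAUTH_CLIENT_CREDENTIALS = config['DEFAULT'][...]` is deleted in the next hunk of this file; any later reference to that name in main.py (not visible here) would now raise NameError. `os.environ['SERVICE_URL']` also raises KeyError when the variable is unset, unless `check_service_url()` above already guarantees it. Returning the path from the function, assigning it at module level and exiting on the fatal case keeps the existing messages and the API-mode behaviour.
```python
def check_client_secret():
    """Return the OAuth client secret path from tagengine.ini, or None in API mode.

    The UI service cannot complete the OAuth flow without the client secret,
    so starting it without OAUTH_CLIENT_CREDENTIALS is fatal; the API service
    does not need it.
    """
    path = config['DEFAULT'].get('OAUTH_CLIENT_CREDENTIALS', '').strip()
    if path:
        return path
    # SERVICE_URL is the only signal for UI vs. API mode; missing means API mode.
    if 'tag-engine-ui-' in os.environ.get('SERVICE_URL', ''):
        print('Fatal Error: The Tag Engine UI requires the OAUTH_CLIENT_CREDENTIALS variable to be set. Please set it in tagengine.ini.')
        raise SystemExit(1)
    print('Info: running in API mode without the client secret file')
    return None

OAUTH_CLIENT_CREDENTIALS = check_client_secret()
```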
@@ -80,8 +96,7 @@ def check_service_url():
tm = taskm.TaskManager(TAG_ENGINE_SA, TAG_ENGINE_PROJECT, TAG_ENGINE_REGION, WORK_QUEUE, RUN_TASK_HANDLER)
SCOPES = ['openid', 'https://www.googleapis.com/auth/cloud-platform', 'https://www.googleapis.com/auth/userinfo.email']
-OAUTH_CLIENT_CREDENTIALS = config['DEFAULT']['OAUTH_CLIENT_CREDENTIALS'].strip()
-
+
USER_AGENT = 'cloud-solutions/datacatalog-tag-engine-v2'
store = tesh.TagEngineStoreHandler()
@@ -3779,13 +3794,13 @@ def _run_task():
@app.route("/version", methods=['GET'])
def version():
- return "Welcome to Tag Engine version 2.1.2"
+ return "Welcome to Tag Engine version 2.1.2\n"
####################### TEST METHOD ####################################
@app.route("/ping", methods=['GET'])
def ping():
- return "Tag Engine is alive"
+ return "Tag Engine is alive\n"
#[END ping]
@app.errorhandler(500)