GCP Uptime Checks is one way to probe your endpoints on an interval from global locations, to check that a URL is up and responding correctly.
With public checks, the URL has to be available on the internet, but what if you want some sort of authentication? GCP Uptime Checks supports HTTP Basic Authentication, custom HTTP Headers, and Service Agent Authentication. This last option is particularly interesting because it presents a way to not have any secrets configured.
What happens when you configure this? GCP gives you a service account identity (an email address) that will make the request, e.g. service-330311169810@gcp-sa-monitoring-notification.iam.gserviceaccount.com.
The request you get looks something like the following:

```http
GET /gcp-uptime HTTP/1.1
Host: reqlog.liao.dev
Accept: */*
Accept-Encoding: deflate, gzip
Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImYyZTExOTg2MjgyZGU5M2YyN2IyNjRmZDJhNGRlMTkyOTkzZGNiOGMiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL3JlcWxvZy5saWFvLmRldiIsImF6cCI6IjEwNjc2Mjk1MDk4NzAwODAwODIzMyIsImVtYWlsIjoic2VydmljZS0zMzAzMTExNjk4MTBAZ2NwLXNhLW1vbml0b3Jpbmctbm90aWZpY2F0aW9uLmlhbS5nc2VydmljZWFjY291bnQuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImV4cCI6MTcyMTQ4OTYxOSwiaWF0IjoxNzIxNDg2MDE5LCJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJzdWIiOiIxMDY3NjI5NTA5ODcwMDgwMDgyMzMifQ.rfRUN4IYCL130wppUp7wLWAMteA_GfGJopGfP75mSUlXlChOCTxSpeWbUUYS43_J4Q46dpDvnTBwSdOGNpA8ctxrGPIuoZ7dj7lzArEX2e5EyDWhGSNzvQgZj2VLOGA05RuJvC2OrqsUD-GpGFJBMsHqECW7Uqn2ny3819Wl88_YZdhYRTcM75QKs_FizFKC_QRCTi4cix_W-as9pcyUih4JzAUTjRR-tZuFCkBIaCWOXahejQLZ-KL8eNAfB0-wIbe20d7i5n5BiUWkR6ZjXOe6sLdy9IU_sk_ZOKaRKKv9cx77VvYAhKQTgk1IK6g8UO-QglBPS8j5rmxWBRnqXw
Check-Id: validate-check-id
Traceparent: 00-3190f4f73704efb77d7053927ff9cc44-be6c80f74ecaa37f-01
Tracestate:
User-Agent: GoogleStackdriverMonitoring-UptimeChecks(https://cloud.google.com/monitoring)
X-Envoy-External-Address: 35.233.167.246
X-Forwarded-For: 35.233.167.246
X-Forwarded-Proto: https
X-Request-Id: c53bb128-efc6-9433-b931-937c646e42f3
```
The bearer token is a JWT that can be decoded and validated; its header and payload are:

```json
{
  "alg": "RS256",
  "kid": "f2e11986282de93f27b264fd2a4de192993dcb8c",
  "typ": "JWT"
}
{
  "aud": "https://reqlog.liao.dev",
  "azp": "106762950987008008233",
  "email": "service-330311169810@gcp-sa-monitoring-notification.iam.gserviceaccount.com",
  "email_verified": true,
  "exp": 1721489619,
  "iat": 1721486019,
  "iss": "https://accounts.google.com",
  "sub": "106762950987008008233"
}
```
As an example, with Envoy Gateway, the SecurityPolicy would look like:

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: jwt
  namespace: reqlog
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: reqlog
  jwt:
    providers:
      - name: google
        issuer: "https://accounts.google.com"
        audiences:
          - "https://reqlog.liao.dev"
        remoteJWKS:
          uri: "https://www.googleapis.com/oauth2/v3/certs"
```