Lately I’ve had the opportunity to learn how to host a Flask application on Google Cloud Platform (GCP) using Cloud Run and Cloud Endpoints. Though official documentation is provided, it took me some time to understand and implement the various components correctly. In this article, I am going to show you how to deploy a Flask app on Cloud Run with authentication. I hope the article helps anyone who is interested in deploying a web application on GCP with an authentication process.
We are interested in deploying a web application: a Flask application with a few simple methods. The code below defines three endpoints:
We are now interested in building a Docker image for the Flask application, since applications on Cloud Run are deployed from Docker images. For this step, the official GCP documentation can be found here. From now on, we are going to use some Linux commands in the terminal.
First of all, we install the Cloud SDK, which lets us connect to GCP from a terminal on the local machine. After the installation, we make sure the relevant account and project name are set as defaults.
Now, we are going to build a Docker image of the Flask application. In this example, we need and files, which are saved in the same folder to :
We are going to use an instantiated Flask application, which is defined in . Therefore, the entrypoint for should be defined as . The now reads:
We shall build the Docker image and push it to Container Registry on GCP. The service name is defined as .
If successful, we are able to see the docker image on Container Registry.
From Container Registry, we can deploy the Docker image on Cloud Run with a command. We name the instance .
Once the instance is created, we are able to see the logs on the terminal:
We are now able to check the Cloud Run instance from the console.
This instance can be accessed by anyone since we allowed “unauthenticated access” when we deployed it. We will add authentication later.
Let’s make some HTTPS requests to the Cloud Run instance. Since we have three Flask methods, we send three requests to .
The response can be found in the log of the instance on Cloud Run.
Excellent! We have deployed a Flask application on Cloud Run.
So far, we are able to deploy a Flask application on Cloud Run. However, the problem is that everyone can send requests to the Cloud Run instance. If we leave the Cloud Run instance running on , everyone on the planet can access it.
We shall add authentication to the Flask application on Cloud Run. There are numerous ways to do this, but we shall add a Cloud Endpoint, which protects the Cloud Run instance. The official documentation by GCP can be found here.
The ideas we are going to implement are below:
The Cloud Endpoint configuration is set by a file.
We are interested in introducing an authentication process to the Flask application on Cloud Run. For GCP applications, we are able to create an authentication token, which shows that the person who holds the token is the right person to access the instance. In this example, we shall consider using a JSON Web Token (JWT). In this post, we skip the details of JWT.
There are multiple ways to create a JWT (e.g. using a Firebase account), but we are going to have a look at a method based on a Service account. The official GCP documentation can be found here.
On the GCP console, we can go to . Then we can create a Service account and create a credential key for that Service account as a file.
Here is sample code to create a JWT based on a Service account.
For this script, we can give relevant values to create a JWT with Service account credential file. Note, both and are used later to configure the Cloud Endpoint with file.
We are able to see which information is saved in the on some website, e.g. https://jwt.io/. The will be sent as a part of request header to the Flask application on Cloud Run.
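An added example, not the article's own code: it decodes the token's header and claims locally instead of pasting the token into a website, and compares them with the issuer and audience the gateway is configured for. The service account e-mail, audience URL, key id and function names are constructed placeholders, and the signature is not verified here.

```python
import base64
import json
import time

# Constructed placeholders, not values from the article.
SA_EMAIL = "demo-sa@example-project.iam.gserviceaccount.com"
AUDIENCE = "https://gateway.example.invalid"


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(iat, lifetime=3600):
    """Build a constructed token with a dummy signature (sample input only)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-key-id"}
    claims = {"iss": SA_EMAIL, "sub": SA_EMAIL, "aud": AUDIENCE,
              "iat": iat, "exp": iat + lifetime}
    parts = [_b64url_encode(json.dumps(p).encode()) for p in (header, claims)]
    return ".".join(parts + [_b64url_encode(b"not-a-real-signature")])


def decode_jwt_unverified(token):
    """Return (header, claims) without checking the signature: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a signed JWT has exactly three dot-separated segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_claims(header, claims, issuer, audience, now=None, alg="RS256"):
    """List mismatches between the token and the values the gateway expects."""
    now = time.time() if now is None else now
    problems = []
    if header.get("alg") != alg:
        problems.append("unexpected signing algorithm")
    if claims.get("iss") != issuer:
        problems.append("iss does not match the configured issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not match the configured audience")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems
```

An empty list from `check_claims` only means the claims line up with the expected values; the gateway still has to verify the signature against the service account's public key.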
We shall set up a Cloud Run instance again, but this time we are not allowed to make any HTTPS requests to the Cloud Run instance directly. Let’s create a new instance called . The same Docker image on Container Registry is used.
On the console, we can see a new instance on Cloud Run; nevertheless, the new instance does not allow unauthenticated access.
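Now it is time to create a Cloud Endpoint. The official GCP documentation can be found here. First, we deploy Extensible Service Proxy V2 Beta (ESPv2 Beta) as an API gateway (it is provided on Container Registry by default). The Cloud Endpoint is deployed on Cloud Run as an instance named .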
Once the gateway instance (i.e. Cloud Endpoint) is created on Cloud Run, we need to find two parameters from the instances.
URL of
URL of
Once these two parameters are found, we can make a file, which configures the connection between a) the instance of the Flask application on Cloud Run and b) the Cloud Endpoint on Cloud Run. In this file, we also configure the service account, Flask method, etc.
Once the file is created, deploy the file using command.
If the configuration is deployed, we will get , from logs on the terminal.
After the configuration is updated, we shall build a new ESPv2 image, using script. The code can be downloaded from here.
After a new ESPv2 Docker image is created, we re-deploy the image on Cloud Run as Cloud Endpoint.
That is all for configuring Cloud Endpoint. Now, we can check the instance on Cloud Run, which protects instance.
We shall make HTTPS requests to the Cloud Endpoint. Sample code is below. For each method (three methods in total), we send two requests:
- Without header
- With header
The is created by a service account; the same service account is hardcoded in the file for Cloud Endpoint configuration.
As we expect, the first three requests are blocked by the Cloud Endpoint as
The last three requests are successfully made to the Flask application.
The logs on Cloud Endpoint are below. The first three requests have , whereas the last three requests are .