I'm trying to secure multiple Cloud Run services with GCP API Gateway, which integrates Firebase JWT auth. I attempted at first securing just one API with the following schema and all went fine:

    # openapi2-run.yaml
    swagger: '2.0'
    info:
      title: memsy-gateway
      description: Sample API on API Gateway with a Cloud Run backend
      version: 1.0.0
    schemes:
      - https
    consumes:
      - application/json
    produces:
      - application/json
    x-google-backend:
      address: https://mnemonic-api-staging-ue.a.run.app
    securityDefinitions:
      jwt_auth:
        authorizationUrl: ''
        flow: 'implicit'
        type: 'oauth2'
        x-google-issuer: 'https://securetoken.google.com/the-journey-method'
        x-google-jwks_uri: 'https://www.googleapis.com/service_accounts/v1/metadata/x509/[email protected]'
        x-google-audiences: 'the-journey-method, https://mnemonic-api-staging-ue.a.run.app'
    paths:
      /mnemonic-api:
        post:
          security:
            - jwt_auth: []
          summary: Mnemonic API
          operationId: mnemonics
          parameters:
            - in: body
              name: input
              description: string to process
              schema:
                $ref: '#/definitions/InputString'
          responses:
            '200':
              description: A successful response
              schema:
                type: object
            '400':
              description: invalid input, object invalid
        options:
          operationId: create-cors
          responses:
            '200':
              description: Success
    definitions:
      InputString:
        type: object
        properties:
          input:
            type: string
          title:
            type: string
        required:
          - input
          - title

I then tried to secure two services using the following schema but am now getting 404 errors on the paths in the config. I can also access the backends via their Cloud Run URLs without any JWT token, so I'm wondering what's wrong in my config?

    # openapi2-run.yaml
    swagger: '2.0'
    info:
      title: memsy-gateway
      description: Sample API on API Gateway with a Cloud Run backend
      version: 1.0.0
    schemes:
      - https
    consumes:
      - application/json
    produces:
      - application/json
    securityDefinitions:
      jwt_auth:
        authorizationUrl: ''
        flow: 'implicit'
        type: 'oauth2'
        x-google-issuer: 'https://securetoken.google.com/the-journey-method'
        x-google-jwks_uri: 'https://www.googleapis.com/service_accounts/v1/metadata/x509/[email protected]'
        x-google-audiences: 'the-journey-method, https://mnemonic-api-staging-ue.a.run.app, https://backend-dql-flask-uc.a.run.app'
    paths:
      /mnemonic-api:
        post:
          security:
            - jwt_auth: []
          summary: Mnemonic API
          operationId: mnemonics
          x-google-backend:
            address: https://mnemonic-api-staging-ue.a.run.app
          parameters:
            - in: body
              name: input
              description: string to process
              schema:
                $ref: '#/definitions/InputString'
          responses:
            '200':
              description: A successful response
              schema:
                type: object
            '400':
              description: invalid input, object invalid
        options:
          operationId: create-cors
          responses:
            '200':
              description: Success
      /dql/deleteFolder:
        post:
          security:
            - jwt_auth: []
          summary: Dql
          operationId: deleteFolder
          x-google-backend:
            address: https://backend-dql-flask-uc.a.run.app
          parameters:
            - in: body
              name: input
              description: user and id strings
              schema:
                $ref: '#/definitions/Dql'
          responses:
            '200':
              description: A successful response
              schema:
                type: object
            '400':
              description: invalid input, object invalid
        options:
          operationId: create-cors-dql
          responses:
            '200':
              description: Success
    definitions:
      InputString:
        type: object
        properties:
          input:
            type: string
          title:
            type: string
        required:
          - input
          - title
      Dql:
        type: object
        properties:
          user:
            type: string
          id:
            type: string
        required:
          - user
          - id

The documentation is not clear, honestly - with trial and error I could make it work by matching the path on the OpenAPI definition with the path in my webserver router instead of giving the OpenAPI definition the host only, for example:

    paths:
      /mnemonic-api:
        post:
          security:
            - jwt_auth: []
          summary: Mnemonic API
          operationId: mnemonics
          x-google-backend:
            address: https://mnemonic-api-staging-ue.a.run.app/mnemonic-api

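An added example, not part of the answer above and not Google's code: a small audit that computes which backend URL each operation resolves to and flags operations with no backend or no security requirement. It assumes the documented `x-google-backend` defaults for `path_translation` (`APPEND_PATH_TO_ADDRESS` at the top level, `CONSTANT_ADDRESS` at the operation level); the function names are hypothetical, and `SPEC` is a constructed reduction of the question's config.

```python
from urllib.parse import urlsplit

METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

# Constructed sample: reduced from the question's two-service config. The
# path_translation on the second operation is added here for contrast.
SPEC = {"paths": {
    "/mnemonic-api": {
        "post": {"security": [{"jwt_auth": []}], "x-google-backend": {
            "address": "https://mnemonic-api-staging-ue.a.run.app"}},
        "options": {"operationId": "create-cors"}},
    "/dql/deleteFolder": {
        "post": {"security": [{"jwt_auth": []}], "x-google-backend": {
            "address": "https://backend-dql-flask-uc.a.run.app",
            "path_translation": "APPEND_PATH_TO_ADDRESS"}}},
}}

def effective_backend_url(spec, path, method):
    """URL the gateway would call for one operation, or None if no backend applies."""
    op = spec["paths"][path][method]
    if "x-google-backend" in op:        # operation level: default keeps the address as-is
        backend, default = op["x-google-backend"], "CONSTANT_ADDRESS"
    elif "x-google-backend" in spec:    # top level: default appends the request path
        backend, default = spec["x-google-backend"], "APPEND_PATH_TO_ADDRESS"
    else:
        return None
    address = backend["address"].rstrip("/")
    mode = backend.get("path_translation", default)
    return address + path if mode == "APPEND_PATH_TO_ADDRESS" else address

def audit(spec):
    """Return (METHOD, path, message) for each routing or auth gap found."""
    findings = []
    for path, item in spec["paths"].items():
        for method, op in item.items():
            if method not in METHODS:
                continue
            url = effective_backend_url(spec, path, method)
            if url is None:
                findings.append((method.upper(), path, "no x-google-backend applies"))
            elif urlsplit(url).path in ("", "/") and path != "/":
                findings.append((method.upper(), path, "backend is called at '/', not " + path))
            # An operation-level security list overrides the top-level one.
            if not op.get("security", spec.get("security")):
                findings.append((method.upper(), path, "no security requirement, JWT not checked"))
    return findings

if __name__ == "__main__":
    for finding in audit(SPEC):
        print(*finding, sep="  ")
```

The audit covers only the gateway config; the question's other symptom, reaching the Cloud Run URLs without a token, is governed by each service's own IAM (whether unauthenticated invocations are allowed), not by this file.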