Cloud run cors policy

We have an application: the UI (React) is hosted in a storage bucket, and the backend is hosted in Cloud Run and secured by API Gateway.

Now we are trying to make the Cloud Run URLs, which were public before, internal, but when we do that we get an issue with the CORS policy (though we have added allow cors origin true in the API config file).

 

 

 


Hi @Shaiknagulmeera,

To allow Cross-Origin Resource Sharing (CORS) for a Cloud Run service, you need to configure CORS on both the Cloud Run service and the API Gateway.

In the API Gateway, you can use the Access-Control-Allow-Origin header to specify the allowed origins. This can be done in the API Gateway configuration file.

It's worth noting that if you're using a wildcard origin (`*`) in the Access-Control-Allow-Origin header, you will also need to set the Access-Control-Allow-Credentials header to true to allow cookies to be sent.

It's possible that the issue you're experiencing is caused by a mismatch between the allowed origins specified in the Cloud Run service and the API Gateway, or by not setting the Access-Control-Allow-Credentials header to true if you're using a wildcard origin in the Access-Control-Allow-Origin header.

Reference:

Hi @christianpaula, thanks for your reply!

I'm running into a similar issue. I've tried following your solutions, running:

gcloud run deploy {service-name} --image gcr.io/{projectid}/{imagename} --cors-allowed-origins

But I get an error: 

ERROR: (gcloud.run.deploy) unrecognized arguments: --cors-allowed-origins 

The links you've shared on Cloud Run and CORS are showing up as 404 to me.  

What am I doing wrong? 

Hi anaelle,

Make sure your Cloud Run service is public; currently CORS is not supported for internal.

And to make it secure, you should allow only authenticated invocations.

 

Thanks! It's indeed public and only allowing authenticated calls. 

Could you point me to documentation on how to enable cors? I'm contemplating migrating to Heroku because I have not been able to figure out the proper GCP set up after quite some time looking into this. 

big plus one to this thread! I am having the same issue, and can't find any documentation (or many help requests) mentioning CORS and Cloud Run.

some details on my side:

  • I'm using FastAPI in a docker container (python-3.10 base), built via cloudbuild and deployed on cloud run
  • I've enabled CORS middleware in the FastAPI app, per the documentation. Running the app locally, CORS works as expected.
  • When deployed on Cloud Run, CORS doesn't work. Bummer.

So.. I'm pretty convinced something in the cloud run layer isn't configured right and causing problems.

It looks like `gcloud run deploy` maybe used to have those flags, but has since been (re)moved elsewhere in the stack? I can't find anything relevant/promising on the latest gcloud CLI options. There's some documentation still out there for GKE and CORS, so I'm wondering if the answer is passing some kind of config data through to k8s to allow cross origin requests? Maybe? I've no idea, I'm grasping at straws here, and am at a loss for what to do here.

Links to the cors docs are expired

Can I add any config into Cloud Run directly?

okay, so. I've discovered that if you want to enable CORS for a cloud run deployment, you can configure a Google Cloud Endpoints deployment on top of it, and use that as the public facing gateway. I *believe* this is the intended/happy path in the current GCP world, though some (more clear?) pointers from Cloud Run would have been nice..

This guide worked for me: https://cloud.google.com/endpoints/docs/openapi/set-up-cloud-run-espv2


I have exactly the same problem and let me summarize:

1) There is no such thing as `--cors-allowed-origins` flag for Cloud Run. I can't find this in the documentation.

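2) It is not possible to deal with the CORS issue using Express middleware, e.g.:

const express = require('express');
const cors = require('cors');
const app = express();
// Allow only the front-end origin
const corsOptions = {
  origin: 'https://<your front-end-domain>',
};
app.use(cors(corsOptions));

I tried without success; the container traffic will fail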

3) Please, don't use only Cloud Run as a backend. There will always be a CORS issue. Using Cloud Run alone, only the front-end can be deployed.

4) If you want to use Cloud Run for the backend, it is recommended to use Google Cloud Endpoints (additional cost), which I will check and let you know 🙂
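A dependency-free way to see which layer breaks the preflight discussed in this thread, added here as an example and not code from any poster: given the response to the browser's OPTIONS request (for instance copied from the network tab), it reports which CORS rule of the Fetch standard that response fails. The function name, the origin `https://app.example.com` and the sample responses are constructed for illustration.

```javascript
// Added example (not from the thread): would a browser accept this preflight response?
// Checks follow the Fetch standard's CORS rules; the sample data is constructed.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const list = (v) => (v || '').split(',').map((s) => s.trim()).filter(Boolean);

// req: { origin, method, headers: [non-safelisted names], credentials: boolean }
// res: { status, headers } as returned to the OPTIONS request
function evaluatePreflight(req, res) {
  const h = {};
  for (const [k, v] of Object.entries(res.headers)) h[k.toLowerCase()] = String(v).trim();
  if (res.status < 200 || res.status > 299) {
    return { ok: false, reason: `preflight status ${res.status} is not 2xx` };
  }
  const acao = h['access-control-allow-origin'];
  if (!acao) return { ok: false, reason: 'no Access-Control-Allow-Origin header' };
  if (acao === '*' && req.credentials) {
    return { ok: false, reason: 'wildcard origin rejected for credentialed request' };
  }
  if (acao !== '*' && acao !== req.origin) {
    return { ok: false, reason: `allowed origin ${acao} does not match ${req.origin}` };
  }
  if (req.credentials && h['access-control-allow-credentials'] !== 'true') {
    return { ok: false, reason: 'Access-Control-Allow-Credentials is not "true"' };
  }
  const star = !req.credentials; // "*" only counts for non-credentialed requests
  const methods = list(h['access-control-allow-methods']); // method names are case-sensitive
  if (!SAFE_METHODS.has(req.method) && !methods.includes(req.method) &&
      !(star && methods.includes('*'))) {
    return { ok: false, reason: `method ${req.method} not allowed` };
  }
  const allowed = list(h['access-control-allow-headers']).map((s) => s.toLowerCase());
  for (const name of req.headers.map((n) => n.toLowerCase())) {
    // Authorization must be listed explicitly; "*" never covers it.
    const covered = allowed.includes(name) ||
      (star && name !== 'authorization' && allowed.includes('*'));
    if (!covered) return { ok: false, reason: `request header ${name} not allowed` };
  }
  return { ok: true, reason: 'preflight accepted' };
}

// Constructed samples: front-end origin, a rejected preflight, an accepted one.
const request = { origin: 'https://app.example.com', method: 'PUT',
  headers: ['Authorization', 'Content-Type'], credentials: false };
const blocked = { status: 403, headers: {} };
const accepted = { status: 204, headers: {
  'Access-Control-Allow-Origin': 'https://app.example.com',
  'Access-Control-Allow-Methods': 'GET, PUT',
  'Access-Control-Allow-Headers': 'authorization, content-type' } };
console.log(evaluatePreflight(request, blocked), evaluatePreflight(request, accepted));
```

A non-2xx status with no CORS headers means the OPTIONS request was answered before the application's CORS middleware could add them; any other reason points at the headers the responding layer emits.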

Hi Sebar, 

If not Cloud Run, what do you recommend to use to display the backend docker image?

Postscript / Update:  For all those who have a problem with CORS, e.g. between frontend container and backend container, I highly recommend Martin Omander's video - "Run your Angular app on Google Cloud" - https://youtu.be/CDDf6-W8lEo?si=69YAwJacTAVicUik , I checked his example, it works great. My project also has no more problems with CORS, because the entire frontend and backend are in the same container and I don't have to use ESPv2.

I have the same issue. Is there no more straightforward way than using ESPv2? It looks like overcomplicating everything.

Varodrim, just deploy frontend and backend in the same Google Cloud project, deploy them even together (but you do not have to), so there will not be a CORS issue, since the domain will be the same. Above, there is a link to a simple example of how to do that. It works, I developed a commercial app in this way, which is very secure.