Cloud-Security | GCP and GSUITE security auditing scripts | GCP library

I have created my organisation infrastructure in GCP following the Cloud Foundation Toolkit using the Terraform modules provided by Google.

The following table list the IP ranges for all environments:

Now I am in the process of deploying my application that consists of basically Cloud Run services and a Cloud SQL (Postgres) instance. The Cloud SQL instance was created with a private IP from the "unallocated" IP range that is reserved for peered services (such as Cloud SQL).

In order to establish connectivity between Cloud Run and Cloud SQL, I have also created the Serverless VPC Connector (ip range 10.1.0.16/28) and configured the Cloud SQL proxy.

When I try to connect to the database from the Cloud Run service I get this error after ~10s:

CloudSQL connection failed. Please see https://cloud.google.com/sql/docs/mysql/connect-run for additional details: Post "https://www.googleapis.com/sql/v1beta4/projects/[my-project]/instances/platform-db/createEphemeral?alt=json&prettyPrint=false": context deadline exceeded

I have granted roles/vpcaccess.user for both the default Cloud Run SA and the one used by the application in the host project.

I have granted roles/compute.networkUser for both SAs in the service project. I also granted roles/cloudsql.client for both SAs.

I have enabled servicenetworking.googleapis.com and vpcaccess.googleapis.com in the service project.

I have run out of ideas and I can't figure out what the issue is.

It seems like a timeout error when Cloud Run tries to create a POST request to the Cloud SQL API. So it seems like the VPC connector (10.1.0.16/28) cannot connect to the Cloud SQL instance (10.0.80.0/20).

Has anyone experienced this issue before?

I was following this guide which mentions that the @EnableAuthorizationServer is deprecated. But when I created a project with the following dependencies, I am not getting the deprecated messages. Is there something I am missing here.

Depedencies - Output from mvn dependency:tree

We're trying to use SAP SpringBoot Starter XSUAA 2.7.8 (https://github.com/SAP/cloud-security-xsuaa-integration) together with the SAP CloudSDK for Java 3.32.0.

The CloudSDK depends on part of the xsuaa (java-api, java-security, tokenclient, java-security-test) version 2.7.8, but does not use spring-xsuaa. The CloudSDK also depends on Spring Security 5.4.1. When we add xsuaa-spring-boot-starter, our security integration tests break, and at runtime we run into token validation errors at the "rest api" side (rest controllers) of our app. It seems to be due to the fact that xsuaa-spring-boot-starter depends on Spring Security 5.3.4.RELEASE.

We get errors saying: java.lang.NoSuchMethodError: 'java.util.Map com.nimbusds.jose.Header.toJSONObject(). This is a know issue with spring security 5.4.1 (https://github.com/spring-projects/spring-security/issues/9120). As the issue states spring security is meant to be used with springboot 2.4 and not 2.3 which is used by the cloud sdk.

We've not been able to resolve this issue. Can this be the cause of different dependencies? If so, any ideas on how to resolve these?

Thanks,

Danny

i'm trying to get the war file from Jhipster project project using this command

Currently in developer training, I am working on a personal project on spring. I started java 6 months ago, so there is a certain notion that I do not yet master. My trainer does not know spring at all, so he cannot help me. I am also French and there is very little reliable documentation on spring (it is evolving quickly). For example, I followed a French tutorial on microservices, and I used the ribbon and zuul proxy while they are currently in maintenance at spring. I started all over (new project) to recode in reactive webflux

I have several concerning spring starter security or spring cloud security

• Spring cloud config (in connection with gitlab)
• eureka server
• admin server
• gateway
• 2 business microservices
• 2 sub-module (model and repository)

I want all my microservices and the internal microservices (eureka, admin server, configserver) to be secure now. But I do not know how.

I want the microservice that consults config-server to identify themselves, and I also want the microservice gateway to identify itself to make requests to other microservices. Finally I want all my microservices to be protected.

Should we put spring-starter-security in microservice? Should we create a new microservice with spring-cloug-security? Should we create a new spring-cloud-security microservice and add spring-start-security everywhere?

https://cloud.spring.io/spring-cloud-security/2.2.x/reference/html/ Obviously I find this link not very explanatory

Thank you

In Spring Boot with MVC it was possible to get information about Keycloak user realm and defined attributes through injected Principal in controller method, which was of type KeycloakAuthenticationToken, which provides this information.

But in Spring Cloud Gateway with dependencies

I'm trying to deploy my CloudFormation template to other regions for testing. My template works fine with us-east-1 via Boto3 but if it try another region I get no error output.

Whilst trying different regions I got an email unexpectedly saying that the Canada region has been verified but since trying via Boto3 this has been unsuccessful. (billing console says all regions are now activated)

I'm running Boto3 from Lambda (No VPC) that has been deployed using Zappa to us-east-1. It has an IAM policy that does not specify a specific region.

Python:

veerI visited the project app-identity-and-access-adapter and I want to check it inside a Kubernetes Microservices project.

The installation app-identity-and-access-adapter to a IBM Cloud Kubernetes Cluster did not work.

a) Adding repository works:

In the logs, Zipkin status is coming as true but I can not see it in the Zipkin UI.