Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Lack of support for Private and Restricted Google APIs #541

Closed
husseyd opened this issue Oct 24, 2023 · 4 comments
Closed

Lack of support for Private and Restricted Google APIs #541

husseyd opened this issue Oct 24, 2023 · 4 comments

Comments

@husseyd
Copy link
Contributor

husseyd commented Oct 24, 2023
edited
Loading

Hi,

I'm working at an org where all traffic to Google needs to use Private or Restricted Google APIs. This involves DNS config with CNAMEs that point services like bigquery.googleapis.com to restricted.googleapis.com. This is for VPC Service Controls, and ensures all traffic stays on off of the internet and within client networks/VPCs.

After a lot of headscratching about why this was not working with bigrquery (I received VPC SC errors, and digging into GCP logs saw that requests were coming over the internet from on-prem and thus being blocked Googleside), I dug into the source code on this repo and found the issue.

Generally client libraries and SDKs talk to GCP services at [service].googleapis.com - eg https://bigquery.googleapis.com.
At R/bq-request.R, the URLs/hosts used to reach BQ are hardcoded:

base_url <- "https://www.googleapis.com/bigquery/v2/"
upload_url <- "https://www.googleapis.com/upload/bigquery/v2/"

Due to the generic 'www.googleapis.com', the Google-provided processes for using private/restricted googleapis are blocked when using bigrquery. googleapis.com itself can't really be CNAMED to [restricted || private].googleapis.com as not all services (maps, analytics) are suitable for this.

Anyway this was a long winded way of asking - please consider one of the following options:

  1. Update base_url and upload_url globally to:
    base_url <- "https://bigquery.googleapis.com/bigquery/v2/"
    upload_url <- "https://bigquery.googleapis.com/upload/bigquery/v2/"
  1. Or - provide a mechanism (like a boolean flag) for users to use the 'bigquery.googleapis' urls above instead of the current generic 'www.googleapis.com'

Reference:
@husseyd husseyd changed the title Lack of support Private and Restricted Google APIs Lack of support for Private and Restricted Google APIs Oct 24, 2023
@craigcitro
Copy link
Collaborator

FWIW I think switching the defaults to https://bigquery.googleapis.com/... is the right move; these days all the discovery docs point to that as the base URL, and (as is the case here) there's functionality that only works against the new root URL.

@husseyd
Copy link
Contributor Author

husseyd commented Oct 24, 2023

FWIW I think switching the defaults to https://bigquery.googleapis.com/... is the right move; these days all the discovery docs point to that as the base URL, and (as is the case here) there's functionality that only works against the new root URL.

That would be awesome. If I can do anything to help that happen please let me know.

@hadley
Copy link
Member

hadley commented Oct 25, 2023

@husseyd do you want to do a PR?

@husseyd husseyd mentioned this issue Oct 25, 2023
Merged
@husseyd
Copy link
Contributor Author

husseyd commented Oct 25, 2023

Opened PR #542 to address.

hadley pushed a commit that referenced this issue Oct 25, 2023
@husseyd
Align Google APIs URLs with Discovery docs per #541 (#542)
1b72565 
Fixes #542
@husseyd husseyd mentioned this issue Oct 26, 2023
Open
@hadley hadley closed this as completed Oct 27, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@hadley @craigcitro @husseyd