gRPC services
gRPC service configuration. This is used by ApiConfigSource and filter configurations.
envoy_grpc
(config.core.v3.GrpcService.EnvoyGrpc) Envoy’s in-built gRPC client. See the gRPC services overview documentation for discussion on gRPC client selection.
Precisely one of envoy_grpc, google_grpc must be set.
google_grpc
(config.core.v3.GrpcService.GoogleGrpc) Google C++ gRPC client. See the gRPC services overview documentation for discussion on gRPC client selection.
Precisely one of envoy_grpc, google_grpc must be set.
timeout
(Duration) The timeout for the gRPC request. This is the timeout for a specific request.
initial_metadata
() Additional metadata to include in streams initiated to the GrpcService. This can be used for scenarios in which additional ad hoc authorization headers (e.g. ) are to be injected.
config.core.v3.GrpcService.EnvoyGrpc
{
"cluster_name": "...",
"authority": "..."
}
cluster_name
(string, REQUIRED) The name of the upstream gRPC cluster. SSL credentials will be supplied in the transport_socket.
authority
() The :authority header in the gRPC request. If this field is not set, the authority header value will be cluster_name. Note that this authority does not override the SNI. The SNI is provided by the transport socket of the cluster.
config.core.v3.GrpcService.GoogleGrpc
{
"target_uri": "...",
"channel_credentials": "{...}",
"call_credentials": [],
"stat_prefix": "...",
"credentials_factory_name": "...",
"config": "{...}",
"per_stream_buffer_limit_bytes": "{...}",
"channel_args": "{...}"
}
target_uri
(string, REQUIRED) The target URI when using the Google C++ gRPC client. SSL credentials will be supplied in channel_credentials.
channel_credentials
(config.core.v3.GrpcService.GoogleGrpc.ChannelCredentials)
call_credentials
(config.core.v3.GrpcService.GoogleGrpc.CallCredentials) A set of call credentials that can be composed with channel credentials.
stat_prefix
(string, REQUIRED) The human readable prefix to use when emitting statistics for the gRPC service.
credentials_factory_name
() The name of the Google gRPC credentials factory to use. This must have been registered with Envoy. If this is empty, a default credentials factory will be used that sets up channel credentials based on other configuration parameters.
config
(Struct) Additional configuration for site-specific customizations of the Google gRPC library.
per_stream_buffer_limit_bytes
() How many bytes each stream can buffer internally. If not set an implementation defined default is applied (1MiB).
channel_args
(config.core.v3.GrpcService.GoogleGrpc.ChannelArgs) Custom channel args.
config.core.v3.GrpcService.GoogleGrpc.SslCredentials
[config.core.v3.GrpcService.GoogleGrpc.SslCredentials proto]
{
"root_certs": "{...}",
"private_key": "{...}",
"cert_chain": "{...}"
}
root_certs
(config.core.v3.DataSource) PEM encoded server root certificates.
private_key
(config.core.v3.DataSource) PEM encoded client private key.
cert_chain
(config.core.v3.DataSource) PEM encoded client certificate chain.
config.core.v3.GrpcService.GoogleGrpc.GoogleLocalCredentials
[config.core.v3.GrpcService.GoogleGrpc.GoogleLocalCredentials proto]
Local channel credentials. Only UDS is supported for now. See .
config.core.v3.GrpcService.GoogleGrpc.ChannelCredentials
See https://grpc.io/docs/guides/auth.html#credential-types to understand Channel and Call credential types.
{
"ssl_credentials": "{...}",
"google_default": "{...}",
"local_credentials": "{...}"
}
ssl_credentials
(config.core.v3.GrpcService.GoogleGrpc.SslCredentials)
Precisely one of ssl_credentials, google_default, local_credentials must be set.
google_default
() https://grpc.io/grpc/cpp/namespacegrpc.html#a6beb3ac70ff94bd2ebbd89b8f21d1f61
Precisely one of ssl_credentials, google_default, local_credentials must be set.
local_credentials
(config.core.v3.GrpcService.GoogleGrpc.GoogleLocalCredentials)
Precisely one of ssl_credentials, google_default, local_credentials must be set.
config.core.v3.GrpcService.GoogleGrpc.CallCredentials
{
"access_token": "...",
"google_compute_engine": "{...}",
"google_refresh_token": "...",
"service_account_jwt_access": "{...}",
"google_iam": "{...}",
"from_plugin": "{...}",
"sts_service": "{...}"
}
access_token
(string) Access token credentials.
Precisely one of access_token, google_compute_engine, google_refresh_token, service_account_jwt_access, google_iam, from_plugin, sts_service must be set.
google_compute_engine
() Google Compute Engine credentials. https://grpc.io/grpc/cpp/namespacegrpc.html#a6beb3ac70ff94bd2ebbd89b8f21d1f61
Precisely one of access_token, google_compute_engine, google_refresh_token, service_account_jwt_access, google_iam, from_plugin, sts_service must be set.
google_refresh_token
(string) Google refresh token credentials.
Precisely one of access_token, google_compute_engine, google_refresh_token, service_account_jwt_access, google_iam, from_plugin, sts_service must be set.
service_account_jwt_access
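(config.core.v3.GrpcService.GoogleGrpc.CallCredentials.ServiceAccountJWTAccessCredentials) Service Account JWT Access credentials. https://grpc.io/grpc/cpp/namespacegrpc.html#a92a9f959d6102461f66ee973d8e9d3aa.
Precisely one of access_token, google_compute_engine, google_refresh_token, service_account_jwt_access, google_iam, from_plugin, sts_service must be set.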
google_iam
(config.core.v3.GrpcService.GoogleGrpc.CallCredentials.GoogleIAMCredentials) Google IAM credentials.
Precisely one of access_token, google_compute_engine, google_refresh_token, service_account_jwt_access, google_iam, from_plugin, sts_service must be set.
from_plugin
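(config.core.v3.GrpcService.GoogleGrpc.CallCredentials.MetadataCredentialsFromPlugin) Custom authenticator credentials. https://grpc.io/grpc/cpp/namespacegrpc.html#a823c6a4b19ffc71fb33e90154ee2ad07.
Precisely one of access_token, google_compute_engine, google_refresh_token, service_account_jwt_access, google_iam, from_plugin, sts_service must be set.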
sts_service
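(config.core.v3.GrpcService.GoogleGrpc.CallCredentials.StsService) Custom security token service which implements OAuth 2.0 token exchange. https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 See https://github.com/grpc/grpc/pull/19587.
Precisely one of access_token, google_compute_engine, google_refresh_token, service_account_jwt_access, google_iam, from_plugin, sts_service must be set.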
config.core.v3.GrpcService.GoogleGrpc.CallCredentials.ServiceAccountJWTAccessCredentials
[config.core.v3.GrpcService.GoogleGrpc.CallCredentials.ServiceAccountJWTAccessCredentials proto]
{
"json_key": "...",
"token_lifetime_seconds": "..."
}
json_key
token_lifetime_seconds
()
config.core.v3.GrpcService.GoogleGrpc.CallCredentials.GoogleIAMCredentials
[config.core.v3.GrpcService.GoogleGrpc.CallCredentials.GoogleIAMCredentials proto]
authorization_token
()
authority_selector
(string)
config.core.v3.GrpcService.GoogleGrpc.CallCredentials.MetadataCredentialsFromPlugin
[config.core.v3.GrpcService.GoogleGrpc.CallCredentials.MetadataCredentialsFromPlugin proto]
{
"name": "...",
"typed_config": "{...}"
}
name
()
typed_config
(Any)
config.core.v3.GrpcService.GoogleGrpc.CallCredentials.StsService
[config.core.v3.GrpcService.GoogleGrpc.CallCredentials.StsService proto]
Security token service configuration that allows Google gRPC to fetch a security token from an OAuth 2.0 authorization server. See https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 and https://github.com/grpc/grpc/pull/19587.
{
"token_exchange_service_uri": "...",
"resource": "...",
"audience": "...",
"scope": "...",
"requested_token_type": "...",
"subject_token_path": "...",
"subject_token_type": "...",
"actor_token_path": "...",
"actor_token_type": "..."
}
token_exchange_service_uri
() URI of the token exchange service that handles token exchange requests.
resource
(string) Location of the target service or resource where the client intends to use the requested security token.
audience
() Logical name of the target service where the client intends to use the requested security token.
scope
(string) The desired scope of the requested security token in the context of the service or resource where the token will be used.
requested_token_type
() Type of the requested security token.
subject_token_path
(string, REQUIRED) The path of subject token, a security token that represents the identity of the party on behalf of whom the request is being made.
subject_token_type
(, REQUIRED) Type of the subject token.
actor_token_path
(string) The path of actor token, a security token that represents the identity of the acting party. The acting party is authorized to use the requested security token and act on behalf of the subject.
actor_token_type
() Type of the actor token.
config.core.v3.GrpcService.GoogleGrpc.ChannelArgs
Channel arguments.
{
"args": "{...}"
}
args
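(map<string, config.core.v3.GrpcService.GoogleGrpc.ChannelArgs.Value>) See grpc_types.h GRPC_ARG #defines for keys that work here.
config.core.v3.GrpcService.GoogleGrpc.ChannelArgs.Value
[config.core.v3.GrpcService.GoogleGrpc.ChannelArgs.Value proto]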
string_value
() Pointer values are not supported, since they don’t make any sense when delivered via the API.
Precisely one of string_value, int_value must be set.
int_value
(int64) Pointer values are not supported, since they don’t make any sense when delivered via the API.
Precisely one of string_value, int_value must be set.
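The "precisely one of" and REQUIRED rules documented above can be checked before a configuration is shipped. The following is an added example, not code from Envoy or its documentation: a Python check over a GrpcService config expressed as a dict. The function names, the finding messages and the sample config are constructed for illustration.

```python
# Added example: checks a GrpcService config (as a dict) against the
# "precisely one of" and REQUIRED rules listed on this page.
ONEOFS = {
    "grpc_service": ("envoy_grpc", "google_grpc"),
    "channel_credentials": ("ssl_credentials", "google_default", "local_credentials"),
    "call_credentials": ("access_token", "google_compute_engine", "google_refresh_token",
                         "service_account_jwt_access", "google_iam", "from_plugin",
                         "sts_service"),
}
REQUIRED = {
    "envoy_grpc": ("cluster_name",),
    "google_grpc": ("target_uri", "stat_prefix"),
    "sts_service": ("subject_token_path", "subject_token_type"),
}
# String-valued call credentials: the secret itself sits in the config.
INLINE_SECRETS = ("access_token", "google_refresh_token")
# Constructed sample: both clients set, and an STS block without a subject token.
SAMPLE = {"envoy_grpc": {"cluster_name": "authz"},
          "google_grpc": {"target_uri": "authz.example:443", "stat_prefix": "authz",
                          "call_credentials": [{"sts_service": {"resource": "r"}}]}}

def _oneof(kind, msg, where, out):
    present = [f for f in ONEOFS[kind] if f in msg]
    if len(present) != 1:
        out.append(f"{where}: precisely one of {ONEOFS[kind]} must be set, found {present}")
    return present

def _required(kind, msg, where, out):
    for field in REQUIRED[kind]:
        if not msg.get(field):
            out.append(f"{where}.{field}: REQUIRED field is missing or empty")

def check_grpc_service(svc):
    """Return a list of findings; an empty list means the rules hold."""
    out = []
    for client in _oneof("grpc_service", svc, "grpc_service", out):
        _required(client, svc[client], client, out)
    google = svc.get("google_grpc", {})
    if "channel_credentials" in google:
        _oneof("channel_credentials", google["channel_credentials"],
               "google_grpc.channel_credentials", out)
    for i, cred in enumerate(google.get("call_credentials", [])):
        where = f"google_grpc.call_credentials[{i}]"
        for name in _oneof("call_credentials", cred, where, out):
            if name in REQUIRED:
                _required(name, cred[name], f"{where}.{name}", out)
            if name in INLINE_SECRETS:
                out.append(f"{where}.{name}: credential is stored inline in the config")
    return out
```

Calling `check_grpc_service(SAMPLE)` returns three findings: the client oneof violation and the two missing REQUIRED fields of sts_service.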