The JWT authentication filter is configured within the `sidecar.envoy` settings of a GVC or Workload, specifically within the `http_filters` array.
The configuration consists of a filter name, a typed config, and one or more JWT providers that the filter uses to verify tokens.
When configured at the GVC level, the settings are applied to all Workloads in the GVC.
Filter parameters:

Parameter | Type | Description |
---|---|---|
name | string | Must be set to `envoy.filters.http.jwt_authn`. |
priority | number | Used to order this filter relative to other filters defined in the GVC and Workload. |
typed_config."@type" | string | Must be set to `type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication`. |
typed_config.providers | object | A map of JWT provider configurations, keyed by provider name. Keys starting with `cpln_` are restricted and will be displayed in the UI. |
typed_config.rules | object[] | A list of rules that control which paths and headers require a valid JWT, and which provider must verify it. |
Provider parameters (each entry of `typed_config.providers`):

Parameter | Type | Description |
---|---|---|
issuer | string | The URL of the domain that issued the JWT; the token's `iss` claim must match it. |
audiences | string[] | The audiences accepted for the JWT; the token's `aud` claim must contain one of them. |
claim_to_headers | object[] | Specifies which verified claims should be copied into request headers. |
remote_jwks | object | Configuration for fetching the remote JWKS (JSON Web Key Set) used to verify token signatures. |
`claim_to_headers` entry parameters:

Parameter | Type | Description |
---|---|---|
header_name | string | The name of the request header to add. |
claim_name | string | The name of the claim to extract from the JWT. |
`remote_jwks` parameters:

Parameter | Type | Description |
---|---|---|
http_uri | object | The HTTP URI configuration for the JWKS public key lookup. |
cache_duration | string | How long the fetched JWKS is cached. Must be in the format `Ns`, where N is a number of seconds, for example `300s`. |
`http_uri` parameters:

Parameter | Type | Description |
---|---|---|
uri | string | The endpoint used to look up the JWKS public keys. |
cluster | string | The name of the Envoy cluster used to reach the JWKS endpoint. Must match the name of the cluster configured for this provider. |
timeout | string | Timeout for the JWKS request. Must be in the format `Ns`, where N is a number of seconds, for example `10s`. |
Rule parameters (each entry of `typed_config.rules`):

Parameter | Type | Description |
---|---|---|
match | object | The request match criteria for this rule. |
match.headers | string[] | An optional list of headers that must be present in the request for this rule to match. |
match.prefix | string | A required URI prefix for this rule to match. |
requires.provider_name | string | The optional JWT provider used to verify the JWT for requests matching this rule. When not specified, requests matching this rule are allowed without a JWT. |
For an `https` JWKS endpoint, the Envoy cluster for the provider is configured with `${providerName}` replaced by the name of the provider and `${providerEndpoint}` replaced by the endpoint of the provider, for example `mydomain.auth.us-east-1.amazoncognito.com`.
`cache_duration` and `http_uri.timeout` must be equal when configured using the UI.
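The following is an added example, not configuration from the Control Plane documentation or the project, showing a complete Workload-level `sidecar.envoy` block that ties the filter, provider and cluster tables above together. It assumes the Control Plane YAML wrapper (`kind: workload`, `spec.sidecar.envoy`), that the provider cluster is declared in a `sidecar.envoy.clusters` array, a hypothetical identity provider at `auth.example.com` with issuer `https://auth.example.com`, an audience `my-api`, and a CA bundle at `/etc/ssl/certs/ca-certificates.crt` inside the sidecar. Replace these with your provider's real values.

```yaml
# Added example (not from the Control Plane docs). Assumed values: provider name
# example_idp, issuer https://auth.example.com, JWKS host auth.example.com,
# audience my-api, CA bundle path /etc/ssl/certs/ca-certificates.crt.
kind: workload
name: my-api                        # assumed Workload name
spec:
  sidecar:
    envoy:
      http_filters:
        - name: envoy.filters.http.jwt_authn
          priority: 20              # orders this filter among others in the GVC/Workload
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
            providers:
              example_idp:          # provider key; must not start with cpln_
                issuer: https://auth.example.com
                audiences:          # reject tokens minted for other clients of the same issuer
                  - my-api
                claim_to_headers:   # forward verified claims to the Workload as headers
                  - header_name: x-jwt-sub
                    claim_name: sub
                remote_jwks:
                  http_uri:
                    uri: https://auth.example.com/.well-known/jwks.json
                    cluster: example_idp   # must match clusters[].name below
                    timeout: 10s
                  cache_duration: 300s     # set equal to http_uri.timeout if configuring via the UI
            rules:
              # Rules are evaluated in order; the first match wins.
              - match:
                  prefix: /healthz
                # no "requires": unauthenticated access is allowed for this prefix
              - match:
                  prefix: /api
                requires:
                  provider_name: example_idp
              # Catch-all: a request that matches no rule is allowed by Envoy,
              # so require a JWT for everything not explicitly opened above.
              - match:
                  prefix: /
                requires:
                  provider_name: example_idp
      clusters:
        - name: example_idp         # ${providerName}
          type: STRICT_DNS
          connect_timeout: 5s
          load_assignment:
            cluster_name: example_idp
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          address: auth.example.com   # ${providerEndpoint}
                          port_value: 443
          transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
              sni: auth.example.com
              common_tls_context:
                validation_context:
                  # Without a validation_context Envoy accepts any server certificate,
                  # which would let an on-path attacker substitute its own JWKS.
                  trusted_ca:
                    filename: /etc/ssl/certs/ca-certificates.crt   # assumed path
```

Three choices in this example matter for security: `audiences` is set so that a token issued by the same provider for a different client is rejected; the final `prefix: /` rule closes the default-allow behaviour of the filter for paths that match no rule; and the upstream TLS context carries a `validation_context`, because the JWKS is the trust anchor for every signature check and must itself be fetched over an authenticated connection.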