How do you do GRPC authentication in an istio mTLS setup?

I have a bunch of gRPC microservices and they are using self-signed certs. I add authentication info to the gRPC channel, which is then used to identify endpoints and provide the right services.

Now I want to migrate to Istio mTLS.

In phase one, I got Istio to BYPASS all gRPC connections, and my services work as they do now.

In phase two, I want to hand off TLS to Istio, but I am stuck on how to pass the authentication information to gRPC.

How do you handle auth in Istio mTLS setup?

gRPC can support other authentication mechanisms. Has anyone used this to inject Istio auth info into gRPC? Any other suggestions on how you implemented this in your setup?

It does not seem right to inject the Istio certificate into your gRPC application code. The more common way is to just enable STRICT mTLS in Istio, and then you do not need any TLS setting in your gRPC code. All requests to your service will be protected by the Istio mTLS automatically; you do not need TLS-in-mTLS unless you have a special reason.

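Once the sidecar owns the TLS session, the application never sees the peer certificate itself, so the "authentication info" the question asks about has to come from the sidecar instead. The example below is added here and is not code from the thread or from Istio: it assumes the inbound sidecar forwards the authenticated peer's certificate details in the x-forwarded-client-cert (XFCC) header, which Istio's inbound listener does by default, and that the caller's identity is an Istio SPIFFE ID of the form spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>. The header value and the SPIFFE names are constructed for illustration.

```python
"""Recover the mTLS peer identity inside a gRPC service that runs behind an
Istio sidecar, from the x-forwarded-client-cert (XFCC) header.

Added example; assumes Istio's default inbound behaviour of appending the
authenticated peer's cert details to XFCC. The header value below is
constructed, not captured from a real mesh.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed XFCC value in the shape Envoy emits: By= is this sidecar's own
# identity, URI= is the SAN of the client certificate the sidecar verified.
SAMPLE_XFCC = (
    'By=spiffe://cluster.local/ns/shop/sa/orders;'
    'Hash=0123abcd;Subject="";'
    'URI=spiffe://cluster.local/ns/shop/sa/frontend'
)


@dataclass(frozen=True)
class PeerIdentity:
    trust_domain: str
    namespace: str
    service_account: str

    @property
    def spiffe_id(self) -> str:
        return (f"spiffe://{self.trust_domain}/ns/{self.namespace}"
                f"/sa/{self.service_account}")


def _split_unquoted(text: str, sep: str) -> List[str]:
    """Split on sep, but not inside double quotes (Subject="CN=a,O=b")."""
    parts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p for p in parts if p.strip()]


def parse_xfcc(header: str) -> List[Dict[str, str]]:
    """One dict per certificate element (elements are comma separated,
    key=value pairs inside an element are semicolon separated)."""
    elements = []
    for element in _split_unquoted(header, ","):
        entry = {}
        for pair in _split_unquoted(element, ";"):
            if "=" in pair:
                key, value = pair.split("=", 1)
                entry[key.strip()] = value.strip().strip('"')
        if entry:
            elements.append(entry)
    return elements


def peer_from_spiffe(uri: str) -> Optional[PeerIdentity]:
    """Parse an Istio-style SPIFFE ID; reject anything else."""
    prefix = "spiffe://"
    if not uri.startswith(prefix):
        return None
    segs = uri[len(prefix):].split("/")
    if len(segs) != 5 or segs[1] != "ns" or segs[3] != "sa":
        return None
    return PeerIdentity(segs[0], segs[2], segs[4])


def caller_identity(metadata: Iterable[Tuple[str, str]]) -> Optional[PeerIdentity]:
    """metadata is what grpc.ServicerContext.invocation_metadata() yields.
    The last XFCC element is the hop this sidecar authenticated itself; earlier
    elements, if any, were merely forwarded and must not be trusted."""
    for key, value in metadata:
        if key.lower() == "x-forwarded-client-cert":
            elements = parse_xfcc(value)
            if not elements:
                return None
            return peer_from_spiffe(elements[-1].get("URI", ""))
    return None


def is_allowed(ident: Optional[PeerIdentity], allowed: Iterable[str]) -> bool:
    """Application-level allow-list keyed on the SPIFFE ID."""
    return ident is not None and ident.spiffe_id in set(allowed)
```

The header is only trustworthy when the sidecar actually performed mTLS on the hop, which is why this pairs with the STRICT mode recommended above: in PERMISSIVE mode a plaintext caller could supply its own x-forwarded-client-cert and the application would have no way to tell. For many services the allow-list can live in an Istio AuthorizationPolicy on the same SPIFFE principals rather than in application code.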

@YangminZhu how can you know which TLS version mTLS uses for gRPC comms?
I also want to test which ciphers are supported.
I can't find it in the Istio logs.
I only saw a doc about Istio / Security,
but I need proof from actual logs.

Found a proof via the Envoy config of my app: simply dump the sidecar config.
It will include the minimum TLS version of mTLS, the mTLS ciphers and the self-signed cert being used.
One way to extract that info from any app pod:

kubectl exec --stdin --tty myapp-5b86c5c69f-8q5r8 -n my-namespace --container istio-proxy -- curl 'localhost:15000/config_dump'

  "name": "envoy.transport_sockets.tls",
  "typed_config": {
    "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
    "common_tls_context": {
      "tls_params": {
        "tls_minimum_protocol_version": "TLSv1_2",
        "tls_maximum_protocol_version": "TLSv1_3",
        "cipher_suites": [
          "ECDHE-ECDSA-AES256-GCM-SHA384",
          "ECDHE-RSA-AES256-GCM-SHA384",
          "ECDHE-ECDSA-AES128-GCM-SHA256",
          "ECDHE-RSA-AES128-GCM-SHA256",
          "AES256-GCM-SHA384",
          "AES128-GCM-SHA256"
        ]
      },
...more stuff here...
      "trusted_ca": {
        "inline_bytes":

(I think it is also possible to print via istioctl pc... CLI)
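Reading the version floor and cipher list out of a full config_dump by eye is tedious, and the dump can contain several TLS contexts (inbound and outbound). The script below is an added example, not part of the thread or of Istio: it parses the JSON that the curl command above returns, reports every Downstream/UpstreamTlsContext it finds, and flags the settings a reviewer would question. The embedded dump is a constructed, heavily trimmed stand-in shaped like the excerpt above; the real one is piped in on stdin.

```python
"""Audit the TLS parameters in an Envoy (Istio sidecar) config dump.

Added example. Usage against a live pod (assumes kubectl access to the
istio-proxy container, as in the command above):
  kubectl exec <pod> -n <ns> -c istio-proxy -- curl -s localhost:15000/config_dump \
      | python3 tls_audit.py
SAMPLE_CONFIG_DUMP is constructed for illustration, not a real dump.
"""
import json
import sys
from typing import Any, Dict, Iterator, List

SAMPLE_CONFIG_DUMP = json.dumps({"configs": [{
    "@type": "type.googleapis.com/envoy.admin.v3.ListenersConfigDump",
    "dynamic_listeners": [{"name": "virtualInbound", "active_state": {"listener": {
        "name": "virtualInbound",
        "filter_chains": [{
            "filter_chain_match": {"transport_protocol": "tls"},
            "transport_socket": {
                "name": "envoy.transport_sockets.tls",
                "typed_config": {
                    "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
                    "common_tls_context": {"tls_params": {
                        "tls_minimum_protocol_version": "TLSv1_2",
                        "tls_maximum_protocol_version": "TLSv1_3",
                        "cipher_suites": [
                            "ECDHE-ECDSA-AES256-GCM-SHA384",
                            "ECDHE-RSA-AES256-GCM-SHA384",
                            "ECDHE-ECDSA-AES128-GCM-SHA256",
                            "ECDHE-RSA-AES128-GCM-SHA256",
                            "AES256-GCM-SHA384",
                            "AES128-GCM-SHA256"]}},
                    "require_client_certificate": True}}}]}}}]}]})

TLS_CONTEXT_TYPES = (
    "envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
    "envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
)


def iter_tls_contexts(node: Any) -> Iterator[Dict[str, Any]]:
    """Walk the whole dump and yield every TLS transport-socket message,
    wherever it sits (listener filter chains, cluster transport sockets)."""
    if isinstance(node, dict):
        if str(node.get("@type", "")).endswith(TLS_CONTEXT_TYPES):
            yield node
        for value in node.values():
            yield from iter_tls_contexts(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_tls_contexts(value)


def summarize(dump_json: str) -> List[Dict[str, Any]]:
    """One record per TLS context with the fields worth auditing."""
    records = []
    for ctx in iter_tls_contexts(json.loads(dump_json)):
        params = ctx.get("common_tls_context", {}).get("tls_params", {})
        records.append({
            "role": "downstream" if ctx["@type"].endswith("DownstreamTlsContext") else "upstream",
            # Envoy leaves these unset when it uses its built-in defaults.
            "min_version": params.get("tls_minimum_protocol_version", "unset"),
            "max_version": params.get("tls_maximum_protocol_version", "unset"),
            "cipher_suites": list(params.get("cipher_suites", [])),
            "require_client_certificate": bool(ctx.get("require_client_certificate", False)),
        })
    return records


def audit(record: Dict[str, Any]) -> List[str]:
    """Findings a reviewer would raise for one TLS context."""
    findings = []
    if record["min_version"] in ("TLSv1_0", "TLSv1_1"):
        findings.append(f"minimum version {record['min_version']} is below TLS 1.2")
    # cipher_suites only govern TLS 1.2 and earlier; TLS 1.3 suites are fixed
    # by the protocol, so a TLS 1.3 handshake never uses this list.
    for suite in record["cipher_suites"]:
        if "ECDHE" not in suite:
            findings.append(f"{suite}: static key exchange, no forward secrecy")
        if "GCM" not in suite and "CHACHA20" not in suite:
            findings.append(f"{suite}: not an AEAD suite")
    if record["role"] == "downstream" and not record["require_client_certificate"]:
        findings.append("downstream context does not require a client certificate (mTLS not enforced)")
    return findings


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONFIG_DUMP
    for rec in summarize(raw):
        print(f"{rec['role']}: min={rec['min_version']} max={rec['max_version']} "
              f"client_cert_required={rec['require_client_certificate']}")
        for suite in rec["cipher_suites"]:
            print(f"  {suite}")
        for finding in audit(rec):
            print(f"  ! {finding}")
```

On the cipher list quoted in the post above, the two suites without ECDHE (AES256-GCM-SHA384 and AES128-GCM-SHA256) use static RSA key exchange and therefore give no forward secrecy for TLS 1.2 sessions; with the ceiling at TLSv1_3 and both sidecars negotiating 1.3, they are not used, so the audit result is a reason to confirm which version is actually negotiated rather than an emergency. The require_client_certificate flag on the inbound context is what shows the sidecar is enforcing mutual TLS, not just server TLS.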

Ended up using Istio / gRPC Proxyless Service Mesh