https://cloud.google.com/solutions/authentication-in-http-cloud-functions
The document suggests setting up a Google Cloud Storage bucket, and then setting the service account's permission, "storage.buckets.get", on the bucket.
Then use this permission to authenticate access to the HTTP Google Cloud Functions.
We are talking about authenticating the HTTP Cloud Functions, but we are borrowing the permission from Google Cloud Storage. It seems to me this is a hacky solution.
If we could just set up permissions right at each Cloud Function through the Google Cloud Console, that would be great.
Are you using the authentication solution suggested by Google in the above document? Or do you have better approaches?
To set up "storage.buckets.get", does it mean I grant the service account the "Storage Object Viewer" permission?
Securing access with identity. One way to control access to a function is to require that the requesting entity identify itself by using a credential. A credential is a "name" of some sort, secured by a secret that the entity knows or has access to, like a password or a hardware dongle.
The solution proposed in the link you posted is indeed one of the ways. In fact, you can use any other Google Cloud Platform product (not only Storage buckets) to check the chosen account's permissions on it.
An alternative that can work is:
- Take the 'Authorization' header of the incoming HTTP request, which contains the token generated for the account that made the request.
- Query the tokeninfo endpoint with that token to get the account's email:
  url = "https://www.googleapis.com/oauth2/v1/tokeninfo?fields=email&access_token=" + token_from_the_request_header;
To use Cloud Functions you need to put your modules in buckets. By granting the account the 'storage.buckets.get' permission on the bucket, you authorize that service account to trigger your HTTP Cloud Function; similarly, you revoke authorization by removing the 'storage.buckets.get' permission from another service account.
To set up the 'storage.buckets.get' permission you need to either select "Storage Admin" from the standard roles, 'storage.legacyBucketReader' / 'storage.legacyBucketWriter' from the legacy roles, or define a custom role with the 'storage.buckets.get' permission.
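Below is an added example, not code from the question, the answer, or the linked Google document, showing both checks the answer describes in a Node.js-style HTTP Cloud Function: extracting the bearer token from the 'Authorization' header, looking up the account email through the tokeninfo URL, and then probing storage.buckets.get on a bucket with the caller's own token so that the bucket's IAM binding acts as the authorization gate. The allowlist, the bucket name "auth-gate-bucket", the token strings, and the injected fetchJson dependency (resolving to {status, body}) are all assumptions made for this example; fakeFetchJson is a constructed stand-in for the two Google endpoints so the flow runs offline.

```javascript
// Added example: identity check for an HTTP Cloud Function (not the page's own code).
// The network call is injected so the decision logic can be exercised without Google APIs.

const TOKENINFO_BASE = "https://www.googleapis.com/oauth2/v1/tokeninfo";
const STORAGE_BASE = "https://www.googleapis.com/storage/v1/b/";

// Pull the bearer token out of the Authorization header; null if absent or malformed.
function extractBearerToken(headers) {
  const value = headers["authorization"] || headers["Authorization"];
  if (typeof value !== "string") return null;
  const m = /^Bearer\s+([A-Za-z0-9._~+/=-]+)$/.exec(value.trim());
  return m ? m[1] : null;
}

// The tokeninfo URL from the answer, with the token URL-encoded instead of concatenated raw.
function buildTokeninfoUrl(token) {
  return `${TOKENINFO_BASE}?fields=email&access_token=${encodeURIComponent(token)}`;
}

// storage.buckets.get endpoint for the bucket used as the authorization gate.
function buildBucketUrl(bucket) {
  return `${STORAGE_BASE}${encodeURIComponent(bucket)}`;
}

// Decide from a tokeninfo response: only a 200 carrying an allowlisted email passes.
// An invalid or expired token comes back as a non-200 with an error body.
function decideFromTokeninfo(status, body, allowedEmails) {
  if (status !== 200 || !body || typeof body.email !== "string") {
    return { allowed: false, reason: "invalid_token" };
  }
  const email = body.email.toLowerCase();
  if (!allowedEmails.includes(email)) {
    return { allowed: false, reason: "email_not_allowed", email };
  }
  return { allowed: true, reason: "ok", email };
}

// Decide from the bucket probe: 200 means the caller holds storage.buckets.get;
// 401/403/404 all mean "not authorized" and are treated the same way.
function decideFromBucketProbe(status) {
  return status === 200;
}

// Full flow. fetchJson(url, headers) must resolve to {status, body}; in a real
// deployment it would wrap fetch(). Returns {allowed, reason, email?}.
async function authorizeRequest(req, { fetchJson, allowedEmails, bucket }) {
  const token = extractBearerToken(req.headers || {});
  if (!token) return { allowed: false, reason: "missing_bearer_token" };

  const info = await fetchJson(buildTokeninfoUrl(token), {});
  const identity = decideFromTokeninfo(info.status, info.body, allowedEmails);
  if (!identity.allowed) return identity;

  // Second gate: storage.buckets.get performed with the caller's own token.
  const probe = await fetchJson(buildBucketUrl(bucket), { Authorization: `Bearer ${token}` });
  if (!decideFromBucketProbe(probe.status)) {
    return { allowed: false, reason: "no_storage_buckets_get", email: identity.email };
  }
  return identity;
}

// Express-style Cloud Function entry point built on the check above.
function makeHandler(deps) {
  return async (req, res) => {
    const result = await authorizeRequest(req, deps);
    if (!result.allowed) {
      res.status(result.reason === "missing_bearer_token" ? 401 : 403).send(result.reason);
      return;
    }
    res.status(200).send(`Hello, ${result.email}`);
  };
}

// Constructed stand-in for the two Google endpoints (assumption, offline use only):
// "tok-alice" belongs to alice@example.com and holds storage.buckets.get on
// "auth-gate-bucket"; "tok-mallory" is a valid token for an account that is not allowlisted.
function fakeFetchJson(url, headers) {
  const u = new URL(url);
  if (u.origin + u.pathname === TOKENINFO_BASE) {
    const emails = { "tok-alice": "alice@example.com", "tok-mallory": "mallory@example.com" };
    const email = emails[u.searchParams.get("access_token")];
    return Promise.resolve(email
      ? { status: 200, body: { email } }
      : { status: 400, body: { error: "invalid_token" } });
  }
  if (url.startsWith(STORAGE_BASE)) {
    const ok = headers.Authorization === "Bearer tok-alice" && url.endsWith("/auth-gate-bucket");
    return Promise.resolve(ok ? { status: 200, body: { name: "auth-gate-bucket" } } : { status: 403, body: {} });
  }
  return Promise.resolve({ status: 404, body: {} });
}

const demoDeps = { fetchJson: fakeFetchJson, allowedEmails: ["alice@example.com"], bucket: "auth-gate-bucket" };
authorizeRequest({ headers: { authorization: "Bearer tok-alice" } }, demoDeps).then((r) => console.log(r));
```

Two caveats for anyone wiring this up for real: the v1 tokeninfo call puts the access token in the query string, so it can end up in proxy and server logs, and the email check only proves the token is a valid Google access token for that account, not that it was issued for your function. The bucket probe is the stronger gate, because it ties authorization to an IAM binding you control and can revoke. Cloud Functions later gained per-function IAM (the Cloud Functions Invoker role), which is what the question is really asking for; the checks above are what you do when you gate on a bucket permission yourself, as the linked document does.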