Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Authentication in HTTP Google Cloud Functions

Tags:

google-cloud-platform

google-cloud-functions

https://cloud.google.com/solutions/authentication-in-http-cloud-functions

The document suggest set up a Google Cloud Storage bucket. And then set up the service accounts' permission, "storage.buckets.get", to the bucket.

Then use this permission to authenticate access to the http Google Cloud Functions.

We are talking about authenticating the http cloud functions, but we are borrowing the permission from a Google Cloud Storage. It seems to me this is a hack solution.

If we can just set up permissions right at each Cloud Function through the Google Cloud Console, that will be great.

Are you guys using the authentication solution suggested by Google in the above document? Or you have better approaches?

To set up the ""storage.buckets.get", does it mean I grant the service account "Storage Object Viewer" permission?

enter image description here

like image 736
searain Avatar asked Jan 30 '18 22:01

searain

People also ask

How do I authenticate Google Cloud Storage?

API authenticationIn the OAuth 2.0 Playground, click Cloud Storage API v1, and then select an access level for your application ( full_control , read_only , or read_write ). Click Authorize APIs. Sign in to your Google account when prompted. In the dialogue that appears, click Allow.

How to secure a cloud function?

Securing access with identity. One way to control access to a function is to require that the requesting entity identify itself by using a credential. A credential is a "name" of some sort, secured by a secret that the entity knows or has access to, like a password or a hardware dongle.

2 Answers

The solution proposed in the link you brought here is indeed one of the ways. In fact, you can use any other Google Cloud Platform product (not only Storage buckets) to check the chosen account's permissions to it.

An alternative that can work is:

  1. Prepare a Cloud Function that will have the authorized users' emails listed.
  2. Cloud Function retrieves the 'Authorization' header of the incoming HTTP request that contains the token generated for the account that made the request.
  3. The function calls the tokeninfo endpoint using the mentioned header to retrieve email of the account (from the JSON response body). The url returning the email will look like this:
url = "https://www.googleapis.com/oauth2/v1/tokeninfo?fields=email&access_token
    =" + token_from_the_request_header;
  1. Verifying that the returned email is in the list of authorized ones.
  2. ... if yes, executing the function's logic.
like image 151
arudzinska Avatar answered Oct 12 '22 15:10

arudzinska

For using Cloud Functions you need to put your modules in buckets. Granting the account ‘storage.buckets.get’ permission to the bucket, you grant authorization to the service account to trigger your HTTP Cloud Function; and similarly, you revoke authorization by removing ‘storage.buckets.get’ permission from another service account.

To set up the ‘storage.buckets.get’ permission you need to either select “Storage Admin” through the standard roles or ‘storage.legacyBucketReader'/’storage.legacyBucketWriter’ from legacy roles or even define a custom role with ‘storage.buckets.get’ permission.

like image 20
Katayoon Avatar answered Oct 12 '22 15:10

Katayoon
Sign in to Comment

Related questions

HTTP Load Balancer Custom Error Page
How to fix incosistent and slow Google Cloud Storage response times?
Kubernetes scaling based on network utilization or requests per second
Elasticsearch as a service for GCP
Angular 7 Routing in Google Cloud App Engine not working
How to access Google Cloud Engine instance's IP address via browser
Google Cloud SQL Storage Usage High Issue
Using Flask Routing in GCP Function?
Google Developers Console API page not loading
How can i implement a CDN with Firebase Storage?
How to Bind and Send from Google Cloud Forwarding Rule IP Address?
GCP - Verify ownership of a cloud function https endpoint for a PubSub push
How to access a GCP Cloud Source Repository from another project?
Difference between Virtual machine and instance
Python Google Cloud Function Logging Severity and Duplicates
Google cloud storage python client AttributeError: 'ClientOptions' object has no attribute 'scopes' occurs after deployment
How to authenticate to Google Cloud API without Application Default Credentials or Cloud SDK?
How to retrieve the most recent file in cloud storage bucket?
Allow Privileged Containers in Kubernetes on Google Container (GKE)
Access Google Drive API from a Google Cloud function

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!