My goal is to prevent users from accessing my cloud function endpoints by using an API key and API gateway. I have successfully deployed the API gateway; however, the original endpoint of each cloud function still exists and is accessible to the public. I want to have the cloud function endpoints private, while having the api gateway endpoints public, but I am not sure how to achieve this. Any suggestions would be great.
You can't hide your Cloud Functions endpoint. In any configuration it will be publicly viewable.
However, you can restrict who has access. In your case, deploy your Cloud Functions in secured mode (set the param --no-allow-unauthenticated or remove allUsers from the permissions section).
Then, deploy your API Gateway with a custom (backend) service account. Grant this service account the permission to invoke Cloud Functions (role: cloudfunctions.invoker).
When you have achieved this, only the API Gateway identity will be allowed to access your Cloud Functions. The users will be able to see and to request the Cloud Functions URL, but they will get a 403 or a 401 error.
EDIT 1
After tests, and with Cloud Functions (I haven't had this case with Cloud Run), the Cloud Functions generated target audience is wrong when you use an additional path in your backend. Here is the conf that I have:
    /function:
      get:
        summary: Greet a user
        operationId: function
        x-google-backend:
          address: https://us-central1-gdglyon-cloudrun.cloudfunctions.net/gdg-go
        responses:
          '200':
            description: A successful response
            schema:
              type: string
    /function-path:
      get:
        summary: Greet a user
        operationId: function-path
        x-google-backend:
          address: https://us-central1-gdglyon-cloudrun.cloudfunctions.net/gdg-go/path
          jwt_audience: https://us-central1-gdglyon-cloudrun.cloudfunctions.net/gdg-go
        responses:
          '200':
            description: A successful response
            schema:
              type: string
The /function uses the root path of the Cloud Functions, no problem to invoke it directly.
The /function-path adds /path to the root path of the Cloud Functions. I guess that API Gateway uses this same full URL (with the /path at the end), which is a wrong audience for the function.
You can override that with the jwt_audience parameter.
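A pre-deployment check for the audience problem described in the answer, added here as an illustration and not part of the original answer. It assumes, as the answer guesses, that the gateway uses the full address as the token audience when jwt_audience is absent, and that the function expects its root URL (scheme, host and function name); the names function_root and audience_mismatches are hypothetical.

```python
from urllib.parse import urlsplit

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}
BASE = "https://us-central1-gdglyon-cloudrun.cloudfunctions.net/gdg-go"

# Constructed input: the two paths from the config above, as the dict a YAML
# loader would return, with jwt_audience left out of /function-path on purpose.
SPEC = {
    "paths": {
        "/function": {"get": {
            "operationId": "function",
            "x-google-backend": {"address": BASE}}},
        "/function-path": {"get": {
            "operationId": "function-path",
            "x-google-backend": {"address": BASE + "/path"}}},
    }
}

def function_root(address):
    """Return scheme://host/<function-name> for a cloudfunctions.net URL, else None."""
    parts = urlsplit(address)
    segments = [s for s in parts.path.split("/") if s]
    host = parts.hostname or ""
    if not host.endswith(".cloudfunctions.net") or not segments:
        return None
    return f"{parts.scheme}://{parts.netloc}/{segments[0]}"

def audience_mismatches(spec):
    """List (path, method, effective_audience, expected_audience) for each
    operation whose token audience would differ from the function root."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS or not isinstance(op, dict):
                continue
            backend = op.get("x-google-backend") or {}
            expected = function_root(backend.get("address", ""))
            if expected is None:
                continue  # not a Cloud Functions backend, nothing to compare
            # Assumption: without jwt_audience the audience is the full address.
            effective = backend.get("jwt_audience", backend["address"]).rstrip("/")
            if effective != expected:
                findings.append((path, method, effective, expected))
    return findings

if __name__ == "__main__":
    for path, method, got, want in audience_mismatches(SPEC):
        print(f"{method.upper()} {path}: audience {got} != {want}; set jwt_audience")
```

Run against the real spec in CI, a non-empty result means a route would be rejected by the secured function even though the gateway's service account holds the invoker role.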