Qaisar Rajput

Reputation: 791

Secure Google Cloud Functions Calls from Server-Side, Authentication strategy?

I have developed a Google Cloud Function (GCF) in Python, which I want to access from a web service deployed on AWS (written in Python). While in the development phase of the GCF, it had the Cloud Function Invoker permission set to allUsers. I assume that is why it didn't ask for an Authorization token when called.

I want to revoke this public access so that I can only call this function from the web service code and it is not accessible publicly.

Possible approach: In my research I have found out that this can be done using the following steps:

  1. Removing all the unnecessary members who have permissions on the GCF.
  2. Creating a new service account which has restricted access to only use the GCF.
  3. Downloading the service account key (JSON) and using it in the AWS web application.
  4. Setting the environment variable GOOGLE_APPLICATION_CREDENTIALS to the path of that service account key (JSON) file.

Questions

  1. How do I generate the access token using the service account, which may then be sent as an Authorization: Bearer header within the HTTP call made to the GCF? Without this token the GCF should throw an error.

  2. The docs say not to put the service account key in the source code. Then what is the best way to go about it? They suggest using KMS, which seems like overkill.

Do not embed secrets related to authentication in source code, such as API keys, OAuth tokens, and service account credentials. You can use an environment variable pointing to credentials outside of the application's source code, such as Cloud Key Management Service.

  3. What are the bare minimum permissions I will require for the service account?

Please feel free to correct me if you think my understanding is wrong and there is a better and preferable way to do it.

UPDATE: The web service on AWS will call the GCF in a server-to-server fashion. There is no need to propagate the client-end (end-user) credentials.

Upvotes: 2

Views: 1151

Answers (1)

guillaume blaquiere

Reputation: 75810

  1. In your description, you don't mention who/what will call your GCF. A user? A Compute Engine instance? Another GCF? However, this page can help you to find code examples.

  2. Yes, a secret in plain text pushed to Git is no longer a secret! Here again, I don't know what is performing the call. If it's Compute Engine, Cloud Functions, Cloud Run, or any other GCP service, don't use a JSON key file but the component's identity. I would say: create a service account and assign it to this component. Tell me more about where you are deploying if you want more help!

  3. Related to 2: if you have a service account, the minimal role is roles/cloudfunctions.invoker. It's the minimal role needed to invoke a function.

gcloud beta functions add-iam-policy-binding RECEIVING_FUNCTION \
  --member='serviceAccount:CALLING_FUNCTION_IDENTITY' \
  --role='roles/cloudfunctions.invoker'

Upvotes: 1
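Since the caller is an AWS service outside GCP, the answer's advice to use a component identity does not apply and a service account key is the practical option. What the function's front end then expects is a Google-signed ID token whose audience is the function URL, not an OAuth access token. The block below is an added example (not from the question, the answer, or Google's libraries) that walks the documented service-account JWT-bearer flow with the Python standard library: it builds a self-signed assertion whose `aud` is Google's token endpoint and whose `target_audience` is the function URL, exchanges it for an `id_token`, and sends that as the Bearer header. RS256 signing is delegated to the `cryptography` package, assumed installed. The environment variable `GCF_INVOKER_SA_JSON` and the placeholder function URL are assumptions for illustration; in production, the same thing can be done in a few lines with `google.oauth2.service_account.IDTokenCredentials` from the google-auth library.

```python
"""Call a private Google Cloud Function from a non-GCP host using a service account key.

Added example, not part of the original post. Stdlib only, except RS256 signing,
which uses the `cryptography` package (assumed installed).
"""
import base64
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_URI = "https://oauth2.googleapis.com/token"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def load_service_account_info() -> dict:
    """Keep the key out of the repo: read the JSON from an environment variable
    (e.g. injected from AWS Secrets Manager at deploy time; GCF_INVOKER_SA_JSON is
    an assumed name) or from the file GOOGLE_APPLICATION_CREDENTIALS points to."""
    raw = os.environ.get("GCF_INVOKER_SA_JSON")
    if raw:
        return json.loads(raw)
    with open(os.environ["GOOGLE_APPLICATION_CREDENTIALS"], "r", encoding="utf-8") as fh:
        return json.load(fh)


def sign_rs256(private_key_pem: str, data: bytes) -> bytes:
    """RSASSA-PKCS1-v1_5 / SHA-256 over the JWT signing input."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    key = serialization.load_pem_private_key(private_key_pem.encode("utf-8"), password=None)
    return key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def build_id_token_assertion(sa_info: dict, target_audience: str, now=None, signer=None) -> str:
    """Self-signed JWT asking Google's token endpoint for an ID token.

    `aud` is the token endpoint; `target_audience` (the function URL) becomes the
    `aud` of the ID token Google returns. Lifetime must not exceed one hour.
    `signer` is injectable so the claim construction can be tested offline.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "kid": sa_info["private_key_id"]}
    claims = {
        "iss": sa_info["client_email"],
        "sub": sa_info["client_email"],
        "aud": sa_info.get("token_uri", TOKEN_URI),
        "target_audience": target_audience,
        "iat": now,
        "exp": now + 3600,
    }
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    signing_input = b64url(compact(header)) + "." + b64url(compact(claims))
    if signer is None:
        signer = lambda data: sign_rs256(sa_info["private_key"], data)
    return signing_input + "." + b64url(signer(signing_input.encode("ascii")))


def decode_jwt_unverified(token: str):
    """Split a JWT into (header, claims) WITHOUT verifying; for inspection only."""
    pad = lambda s: s + "=" * (-len(s) % 4)
    h, p, _sig = token.split(".")
    return json.loads(base64.urlsafe_b64decode(pad(h))), json.loads(base64.urlsafe_b64decode(pad(p)))


def fetch_id_token(sa_info: dict, target_audience: str) -> str:
    """Exchange the assertion for a Google-signed ID token (network call)."""
    assertion = build_id_token_assertion(sa_info, target_audience)
    body = urllib.parse.urlencode({"grant_type": JWT_BEARER, "assertion": assertion}).encode()
    req = urllib.request.Request(sa_info.get("token_uri", TOKEN_URI), data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())["id_token"]


def call_function(function_url: str, id_token: str, payload: dict) -> bytes:
    """Invoke the private function. With allUsers removed and only the service account
    bound to roles/cloudfunctions.invoker, a missing or invalid token is rejected by
    Google's front end before the function code runs."""
    req = urllib.request.Request(function_url, data=json.dumps(payload).encode("utf-8"), method="POST",
                                 headers={"Authorization": "Bearer " + id_token,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    FUNCTION_URL = "https://REGION-PROJECT.cloudfunctions.net/FUNCTION"  # assumed placeholder
    info = load_service_account_info()
    print(call_function(FUNCTION_URL, fetch_id_token(info, FUNCTION_URL), {"ping": "pong"}))
```

The ID token is valid for about an hour and can be cached until shortly before `exp` rather than minted per request. Two things the flow enforces that are easy to get wrong by hand: the assertion's `aud` must be the token endpoint (not the function), and `target_audience` must exactly match the URL the function is called on, otherwise the front end rejects the token.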
