wasp256

Reputation: 6242

Restricting access to AWS lambda flask application

We deployed our flask application to AWS lambda and would like to restrict access to it to:

The first two are fairly easy to accomplish by whitelisting the respective IP in the AWS Gateway or in flask itself. However, the latter two are a bit more tricky since there's no static IP for the bitbucket pipeline nor when receiving the oauth2 callback from Google.

I've looked at the referer in the HTTP header to identify Google's callback, which works, but it can be spoofed easily...

Is there a sophisticated way of locking the app down to the above sources?

Here is the version I've got so far:

import os

from flask import abort, request


def whitelist_handler():
    # Comma-separated list of allowed client addresses, e.g. "203.0.113.5,198.51.100.9"
    whitelist_ips = os.getenv('WHITELIST_IPS')
    allow_access = True

    if whitelist_ips:
        whitelist_ips = whitelist_ips.split(',')
        referer = request.headers.get('Referer', '')

        # Referer prefixes accepted as the Google OAuth callback (client-supplied, spoofable)
        whitelist_domains = ['https://accounts.google.com/signin/']

        if request.remote_addr not in whitelist_ips and not any(referer.startswith(domain) for domain in whitelist_domains):
            allow_access = False

    if not allow_access:
        abort(401)

Upvotes: 4

Views: 434

Answers (1)

Gricey

Reputation: 1441

Bitbucket

For Bitbucket, the pipelines do actually have static IP addresses as listed on the docs.

Google OAuth

For OAuth, I'm not sure what you're doing here but no part of the OAuth flow involves the provider (Google) needing to send web requests to your application. OAuth works entirely off redirecting the user (who should already have access through your other rules). You can read about this flow here.

So as long as your rules allow your users' IPs then there's nothing you need to do for Google. This flow is why it's possible to use OAuth for local or intranet applications.

Upvotes: 3
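Putting the answer into practice, here is an added example (not code from either post) of an allowlist that matches client addresses against CIDR ranges, so the published Bitbucket Pipelines ranges can be listed alongside single office or VPN addresses, and that ignores the Referer header entirely, since the OAuth callback arrives from the user's own browser and is covered by the user's IP rule. The pipeline ranges below are constructed placeholders, and the Flask wiring assumes the WSGI adapter populates request.remote_addr with the client address reported by API Gateway.

```python
import ipaddress
import os

# Constructed placeholder ranges standing in for the Bitbucket Pipelines egress
# ranges that Atlassian publishes; substitute the list from the docs.
PIPELINE_CIDRS = ["198.51.100.0/24", "203.0.113.0/24"]


def parse_allowlist(raw):
    """Parse a comma-separated WHITELIST_IPS value (single addresses or CIDR
    ranges) into ip_network objects. Bare addresses become /32 or /128."""
    networks = []
    for item in raw.split(","):
        item = item.strip()
        if item:
            networks.append(ipaddress.ip_network(item, strict=False))
    return networks


def is_allowed(client_ip, networks):
    """True when client_ip falls inside any allowed network."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # an unparsable address fails closed
    return any(addr in net for net in networks)


def access_decision(client_ip, headers, networks):
    """Return the status the before_request hook would produce: None (allow)
    or 401 (deny). The Referer header is read only to show it plays no part:
    a caller can set it to anything, so it must not grant access. The Google
    OAuth callback arrives from the user's own browser after the redirect, so
    it passes or fails on the user's IP like any other request."""
    _ = headers.get("Referer", "")
    return None if is_allowed(client_ip, networks) else 401


def build_networks(env_value=None):
    """Combine the WHITELIST_IPS environment variable (office/VPN addresses)
    with the pipeline ranges into one allowlist."""
    raw = env_value if env_value is not None else os.getenv("WHITELIST_IPS", "")
    return parse_allowlist(raw) + parse_allowlist(",".join(PIPELINE_CIDRS))


# Flask wiring, shown for reference (the decision logic above is framework-free):
#   @app.before_request
#   def whitelist_handler():
#       status = access_decision(request.remote_addr, request.headers, NETWORKS)
#       if status:
#           abort(status)
```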
