nmcdonald

Reputation: 396

How do I secure a Google Cloud Function being used as the host for a Dialogflow / Google Action

I have a voice application with Dialogflow, Google Actions, and the code is hosted on a cloud function. The function, Dialogflow and the action all belong to the same Google project, and the function is set up as an HTTP trigger. Everything works but my problem is securing the function.

The default ingress setting for the HTTP triggered functions is to allow all traffic, but I changed it to "Allow internal traffic only". I don't have a VPC connector set up, but the description of this ingress rule states: "Only traffic from within the same project or the same VPC SC perimeter is allowed". Since the Dialogflow agent and the action all belong to the same project, I would expect it to be able to reach that function without issue. However, with that ingress setting turned on the Action runs into an error when I test in the simulator, and when traffic is set to allow all it works.

I'm leaving it to internal only because I don't want it open to the world, but I will need to host on my GCF when I want to publish. Googling around I don't see much documentation other than how to set up IAM users and rules to be able to access and update the function itself, but I can't find anything on rules to apply when triggering the function. I'm fairly new to Google Cloud, I'm sure this has an easy fix, but I just can't find the right answers.

Upvotes: 1

Views: 1108

Answers (1)

John Hanley

Reputation: 81336

The Dialogflow service is not inside your project. Therefore you cannot use the setting to only allow internal traffic.

To be callable by Dialogflow, your Cloud Function function must have a publicly accessible HTTPS endpoint.

To protect your Cloud Function function endpoint, use a custom HTTP header with a secret that your function knows about. This is configured in the Webhook (see link below). Your Cloud Function function can still be called by anyone, but your code will check the HTTP header and return an error for unauthorized access.

https://cloud.google.com/dialogflow/docs/fulfillment-webhook#enable

Upvotes: 2
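The header check described in the answer above, as an added example that is not part of the original answer: a Python HTTP Cloud Function that rejects any request lacking the shared secret. The header name `X-Webhook-Secret`, the environment variable `WEBHOOK_SECRET`, the response text and the `FakeRequest` stand-in are assumptions chosen for illustration; the same header and value would have to be entered in the Dialogflow webhook settings.

```python
import hmac
import json
import os

# Assumed names, not from the original answer: the header name and the
# environment variable that holds the shared secret.
SECRET_HEADER = "X-Webhook-Secret"
SECRET_ENV = "WEBHOOK_SECRET"


def is_authorized(headers, expected_secret):
    """Return True only if the request carries the expected secret header."""
    # Fail closed: a function deployed without the secret rejects everything.
    if not expected_secret:
        return False
    presented = headers.get(SECRET_HEADER)
    if not presented:
        return False
    # Constant-time comparison, so response timing does not reveal how much
    # of a guessed value was correct.
    return hmac.compare_digest(presented.encode("utf-8"),
                               expected_secret.encode("utf-8"))


def webhook(request):
    """HTTP entry point; `request` is the Flask request Cloud Functions passes in."""
    if not is_authorized(request.headers, os.environ.get(SECRET_ENV, "")):
        # Same response for a missing and a wrong secret.
        return (json.dumps({"error": "unauthorized"}), 401,
                {"Content-Type": "application/json"})
    # Authorized: build the fulfillment response here (placeholder text).
    body = {"fulfillmentText": "Hello from the webhook"}
    return (json.dumps(body), 200, {"Content-Type": "application/json"})


class FakeRequest:
    """Constructed stand-in for the Flask request, for offline runs."""
    def __init__(self, headers):
        self.headers = headers


if __name__ == "__main__":
    os.environ[SECRET_ENV] = "constructed-sample-secret"
    ok = FakeRequest({SECRET_HEADER: "constructed-sample-secret"})
    bad = FakeRequest({SECRET_HEADER: "guess"})
    print(webhook(ok)[1], webhook(bad)[1], webhook(FakeRequest({}))[1])
```

Keeping the secret in an environment variable or a secret manager, rather than in the source, lets it be rotated without a code change.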
