katZwat

Reputation: 154

Google Cloud Function :: Service account :: JWT token and Bearer token

I have a Google Cloud Function. I also have a web application. I want to authenticate requests to the cloud function by using a service account.

I have the json key file.

I know that I have to follow https://cloud.google.com/functions/docs/securing/authenticating#service-to-function. But that is leading me to an IAP page that does not apply to Google Cloud Functions.

Similar instructions are also found in https://developers.google.com/identity/protocols/oauth2/service-account

But if I follow the Python library code, I end up with the sample code from there:

from google.oauth2 import service_account
import googleapiclient.discovery

# Build credentials from the downloaded JSON key file (the path is a placeholder)
credentials = service_account.Credentials.from_service_account_file(
    '/path/to/service-account-key.json',
    scopes=['https://www.googleapis.com/auth/sqlservice.admin'])

sqladmin = googleapiclient.discovery.build('sqladmin', 'v1beta3', credentials=credentials)

response = sqladmin.instances().list(project='exciting-example-123').execute()

This does not directly relate to invoking a cloud function.

This question's answer somewhat deals with my requirement but is using a Call API which is only suitable for testing.

Also, I want to expose this API to multiple applications using other technologies like .NET. So I believe the best option for me will be to use the HTTP method (given on the same page):

https://developers.google.com/identity/protocols/oauth2/service-account#httprest

But whatever I do I am unable to get the signature right.

Any help to get this sorted will be highly appreciated as I am stuck on this for the past few days.

Upvotes: 0

Views: 910

Answers (3)

al-dann

Reputation: 2725

I want to authenticate requests to the cloud function by using a service account.

I am not sure I understand the context correctly, but I would try to assign the roles/cloudfunctions.invoker IAM role to that service account (which is used to run your code in the web application) - see Cloud Functions IAM Roles.

In that case, code running under that service account "Can invoke an HTTP function using its public URL".

I reckon no json keys are required in this case.

Upvotes: 0

katZwat

Reputation: 154

For now, I followed this answer in PHP.

In the claims section, I removed the scope and instead added a target_audience claim: "target_audience" => "google-function-http-trigger"

The Cloud Function HTTP trigger will look like https://us-central1-test-project-name.cloudfunctions.net/function-name

This will give the required assertion key.

Then I follow https://developers.google.com/identity/protocols/oauth2/service-account#httprest to get the id_token.

Then, with the id_token as the bearer token, we can call the cloud function.

Please note that the token expires depending on the time set in the "exp" claim. Once it has expired, you have to redo the steps to generate a new id_token.

Upvotes: 0
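The HTTP/REST flow described in the answer above, as an added worked example in Go; it is not part of the original post and does not use Google's client libraries. It assumes a key file in the standard downloaded JSON format (client_email, private_key, token_uri), builds the RS256-signed assertion with target_audience set to the trigger URL from the answer, and produces the form body for the token request without sending it. The service account e-mail and the RSA key are constructed inside NewSampleKey so the example runs offline; they are not a real Google key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"net/url"
	"time"
)

// ServiceAccountKey holds the fields of a downloaded JSON key file that this flow uses;
// the tags match the file, so json.Unmarshal of the file fills the struct.
type ServiceAccountKey struct {
	ClientEmail string `json:"client_email"`
	PrivateKey  string `json:"private_key"`
	TokenURI    string `json:"token_uri"`
}

// AssertionClaims is the JWT payload of the HTTP/REST flow, with target_audience in place of scope.
type AssertionClaims struct {
	Iss            string `json:"iss"`
	Aud            string `json:"aud"`
	TargetAudience string `json:"target_audience"`
	Iat            int64  `json:"iat"`
	Exp            int64  `json:"exp"`
}

var enc = base64.RawURLEncoding // JWT segments are unpadded base64url

// BuildAssertion signs header.claims with RS256 using the PKCS#8 RSA key from the key file.
// ttl sets exp; Google rejects assertions whose exp is more than one hour after iat.
func BuildAssertion(key ServiceAccountKey, targetAudience string, now time.Time, ttl time.Duration) (string, error) {
	block, _ := pem.Decode([]byte(key.PrivateKey))
	if block == nil {
		return "", errors.New("private_key contains no PEM block")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return "", err
	}
	priv, ok := parsed.(*rsa.PrivateKey)
	if !ok {
		return "", errors.New("private_key is not an RSA key")
	}
	payload, _ := json.Marshal(AssertionClaims{Iss: key.ClientEmail, Aud: key.TokenURI,
		TargetAudience: targetAudience, Iat: now.Unix(), Exp: now.Add(ttl).Unix()})
	signingInput := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// TokenRequestBody is the form body POSTed to token_uri; the JSON response carries id_token.
func TokenRequestBody(assertion string) string {
	return url.Values{"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"}, "assertion": {assertion}}.Encode()
}

// NewSampleKey wraps a freshly generated RSA key in a constructed key file so the example
// runs offline; the e-mail is a placeholder and this is not a real Google key.
func NewSampleKey() (ServiceAccountKey, *rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return ServiceAccountKey{}, nil, err
	}
	der, _ := x509.MarshalPKCS8PrivateKey(priv)
	pemText := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
	key := ServiceAccountKey{ClientEmail: "invoker@example-project.iam.gserviceaccount.com",
		PrivateKey: string(pemText), TokenURI: "https://oauth2.googleapis.com/token"}
	return key, &priv.PublicKey, nil
}

func main() {
	key, _, err := NewSampleKey()
	if err != nil {
		panic(err)
	}
	trigger := "https://us-central1-test-project-name.cloudfunctions.net/function-name"
	assertion, err := BuildAssertion(key, trigger, time.Now(), time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Printf("POST %s\n%.80s...\n", key.TokenURI, TokenRequestBody(assertion))
	fmt.Println("then call the trigger with header: Authorization: Bearer <id_token from the response>")
}
```

A real client POSTs TokenRequestBody to key.TokenURI as application/x-www-form-urlencoded, reads id_token from the JSON response and sends it to the trigger as Authorization: Bearer <id_token>. Once the assertion's exp has passed the endpoint rejects it, so the client rebuilds the assertion and repeats the exchange rather than reusing an old id_token.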

guillaume blaquiere

Reputation: 76010

You can use the Google auth library like this:


from google.oauth2.id_token import fetch_id_token
from google.auth.transport import requests

# The audience is the URL of the Cloud Function HTTP trigger you want to call
audience = "my_audience"
request = requests.Request()

# Returns a Google-signed ID token for that audience, minted with the default credentials
token = fetch_id_token(request, audience)

print(token)

The fetch_id_token method will use the default credentials:

  1. The service account key file defined in the environment variable GOOGLE_APPLICATION_CREDENTIALS
  2. The service account loaded in the Google Cloud environment

Upvotes: 1
