amitchhajer

Reputation: 12830

Invoking GCP cloud function from an external webhook

Setup:

I have an integration where if any event happens a webhook gets triggered and it posts data to a GCP cloud function. On figuring out that cloud functions need some authentication, I created a service account in GCP and gave it cloud function invoke permission.

Using this service account JSON, I created a Bearer token with the commands below: gcloud auth activate-service-account --key-file=cred.json and gcloud auth print-identity-token, which gave me the bearer token.

With this token, I was able to authenticate the cloud function invocation. But after some time the token expired (probably short-lived tokens).

Question: Is this the right way for GCP cloud function authentication, or is there a better way? I don't have an application, so it is not feasible to change the auth token dynamically.

Upvotes: 3

Views: 1854

Answers (1)

guillaume blaquiere

Reputation: 75775

If your webhook can't generate a bearer token automatically, you need to use a static authentication mechanism. It's not a good security solution (because it's a long-lived token, and therefore if someone steals it, they will be able to use it for a long time).

Anyway, it's better than nothing!!

I wrote a quite old article on that, where I propose using an API Key to secure the communication channel, and using ESPv2 deployed on Cloud Run.

Now, you can use API Gateway; it's the same thing but fully managed by Google.

The principle is to use API Gateway as a proxy which checks the validity of the API Key and, if it's OK, forwards the request to the backend (here a Cloud Function). Your Cloud Function is still secured because the API Gateway uses its own backend service account to generate an identity token and to be authenticated on Cloud Functions.

Upvotes: 1
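
The setup described in the answer above, sketched as an API Gateway OpenAPI 2.0 config. This is an added example, not taken from the answer or its linked article; `REGION`, `PROJECT_ID`, `FUNCTION_NAME`, the `/webhook` path and the title are placeholders to replace with your own values.

```yaml
# api-config.yaml: API Gateway config that requires an API key on the
# public side and calls the Cloud Function with an identity token on
# the backend side. All upper-case names below are placeholders.
swagger: "2.0"
info:
  title: webhook-gateway          # placeholder display name
  version: "1.0.0"
schemes:
  - https                         # never expose the key over plain HTTP
produces:
  - application/json

securityDefinitions:
  api_key:
    type: apiKey
    # Sent as a request header, which keeps the key out of URLs and
    # access logs. If the webhook sender can only set a URL, use
    # `name: key` with `in: query` instead.
    name: x-api-key
    in: header

paths:
  /webhook:
    post:
      operationId: receiveWebhook
      # Requests without a valid key are rejected by the gateway and
      # never reach the function.
      security:
        - api_key: []
      x-google-backend:
        # The gateway's backend service account mints an identity token
        # for this address; that account needs the Cloud Functions
        # Invoker role on the function.
        address: https://REGION-PROJECT_ID.cloudfunctions.net/FUNCTION_NAME
        path_translation: CONSTANT_ADDRESS
      responses:
        "200":
          description: Event accepted
        "401":
          description: Missing or invalid API key
```

Keep the function itself deployed without unauthenticated access so the gateway is the only public entry point, and restrict the API key to this gateway's API so a leaked key cannot be used against other services in the project.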
