J.norberg

Reputation: 67

How to make an external company use a Cloud Function API

I have cloud functions that are open to all users. I want to authorize any use of these functions.

My case is that I want other companies to access my API but not any other user I have not added.

The documentation from Google has not helped me with my specific case.

Is the correct way to do this to create a service account for the companies to invoke the API endpoints?

Or should I create a JWT token and verify it somehow? link

Or do I need to create a Cloud Endpoint Gateway?

OAuth 2 is not suitable since I cannot show the consent screen since it is not a single user.

I'm feeling a bit lost here, thanks for any help! :)

I have tried so many things and none of them works so far, including the ones above. I just want help in the right direction for this case!

Upvotes: 0

Views: 443

Answers (2)

guillaume blaquiere

Reputation: 76093

You have 2 solutions to authenticate the users:

  • Either you use the IAM service to filter who can access your service. The tradeoff is the requirement to have a Google account (Gmail, Workspace, ...), and it can't fit external users' use cases (because you can't predict which identity provider they will use).
  • Or you use a proxy layer in front of your service, such as API Gateway, or Apigee if you have the budget for it.

With API Gateway, you can set up a security definition to accept Firebase users (great article here) or API keys (especially for machine-to-machine communication; I wrote an article on that with ESPv2, but it's the same concept with API Gateway).

Upvotes: 3
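
A minimal API Gateway definition for the API-key option described in the answer above, added here as an illustration and not taken from the answer or its linked articles. The API title, the path and the backend address are placeholders.

```yaml
# Constructed example: OpenAPI 2.0 spec for Google Cloud API Gateway.
swagger: "2.0"
info:
  title: partner-api              # hypothetical name
  version: "1.0.0"
schemes:
  - https
produces:
  - application/json

# Each partner company gets its own API key; the gateway rejects
# requests that do not carry a valid key in the x-api-key header.
securityDefinitions:
  api_key:
    type: apiKey
    name: x-api-key
    in: header

paths:
  /orders:                        # hypothetical path
    get:
      operationId: listOrders
      security:
        - api_key: []             # require the key on this operation
      x-google-backend:
        # Placeholder: URL of the Cloud Function behind the gateway.
        address: https://REGION-PROJECT_ID.cloudfunctions.net/FUNCTION_NAME
      responses:
        "200":
          description: OK
          schema:
            type: string
```

For the key check to mean anything, the function itself must stop accepting unauthenticated calls: remove `allUsers` from its invokers and grant the Cloud Functions Invoker role only to the service account the gateway runs as, so the function cannot be called directly around the gateway.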

Morgan Bouvet

Reputation: 41

Have you tried to invite, in your GCP project, some email addresses of these companies, setting their IAM policy role as "Cloud Functions Invoker"?

Also, there is a "permissions" tab in your Cloud Functions user interface.

Don't know if it fits your case, but maybe you'll bounce on that to go further :)

Upvotes: 1
