Reputation: 457
security doubts about google cloud functions
I've been reading a lot of questions here about security regarding cloud functions (HTTP triggered) and I also read google's official docs but I couldn't find a clear answer for some questions, so I need help.
Please note that this question is about google's cloud functions made from Google cloud console, nothing to do with firebase.
- It's possible to make a function "callable" just from my website? I tried to use
corspolicy but I have it clear thatcorshave nothing to do with security, so I'm a little bit worried about how I can keep my cloud function "callable" just from my domain. - On the other hand I created a service account on Google Cloud Platform and I'm trying to use it as an invoker. I have set my service account as invoker but how do I use that on my server?
CASE: I'm creating a log for my web, so I created a cloud function that I call every time someone accesses my site: (I'm using Google Tag Manager server-side).
const sendHttpRequest = require("sendHttpRequest");
const postBody = {
testing : true
}
//Calls cloud function
sendHttpRequest(
"<CLOUD FUNTION TRIGGER ADDRESS>",
(statusCode, headers, body) => {
setResponseStatus(200);
setResponseBody("done");
},
{
headers: { "content-type": "application/json; charset=utf-8", "Origin" : "https://example.com" },
method: "POST",
},
postBody
);
}
I would like to know how I can be sure that this cloud function can only be invoked by my server.
Thanks in advance!
Upvotes: 1
Views: 451
Answers (1)
Reputation: 40081
Yes, it's possible.
See Authenticating for Invocation.
The second paragraph provides a good synopsis of why this has some complexity.
You're correct in using a Service Account. Service Accounts are used by software. User accounts are used by humans.
It's unclear where your website is running but it will need to generate an identity token (aka JWT) in order to securely invoke the remote Cloud Function.
See the developer testing example in which an identity token is provided by the Cloud SDK (gcloud) using gcloud auth print-identity-token and then used as the Authorization header value with curl.
That's what your website needs to replicate.
The page recommends (correctly) considering using one of Google SDKs to generating tokens programmatically, because the alternative is gnarly and prone to error.
Unless your website is also running on GCP, you can't use the metadata service .
Upvotes: 2
Related Questions
- Firebase functions: Securing firebase https functions
- Passing sensitive information to cloud functions
- How do i handle secrets in Google Cloud Functions?
- security rules for cloud function
- How dangerous is it for me to leave a Cloud Function exposed to the public?
- Securely calling a Google Cloud Function via a Google Apps Script
- Firebase callable cloud functions security & CORS
- What are the authentication aspects of Google Cloud Functions?
- Securing HTTP cloud function
- Is firebase functions http requests secure