crevulus

Reputation: 2458

Limit access to GCP Cloud Function based on domain rather than IAM

I have a function that I want to run via HTTP call in a simple script tag, i.e. <script src="https://server-location.cloudfunctions.net/function-name"></script>. I want to make sure that the calls only come from a whitelisted domain, like you can do with cloud storage access requests, for example.

I've seen a couple of suggestions on SO (1 2 3), but they all suggest either a) IAM credentials in the request headers or b) including some security checks in the function itself. These won't work because a) you can't send headers with a script tag and, even if you could, I'd have to store the credentials in the HTML, which is not secure, and b) security checks in the function will not limit the number of calls made to the function, and that's what I want to do (to prevent a horrendous bill).

Is there a way to do this?

Upvotes: 0

Views: 1137

Answers (1)

guillaume blaquiere

Reputation: 75890

You can use an HTTPS Load Balancer with your Cloud Functions in a serverless NEG.

Then you can activate Cloud Armor on your Load Balancer and set a custom rule. You can use the request.headers map and filter on the "HOST" key to only accept the requester domain that you want.

Upvotes: 1
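
The setup this answer describes, as an added example (not code from the answer or from the asker's project): gcloud commands that put the function behind a serverless NEG and backend service, then attach a Cloud Armor policy whose custom rule matches the Host header. The region, resource names and widgets.example.com are assumed placeholders, and the load balancer's URL map, HTTPS proxy, certificate and forwarding rule are left out.

```shell
#!/bin/sh
# Added example: every name below is a placeholder (assumption), not a value from the page.
GCLOUD="${GCLOUD:-gcloud}"   # set GCLOUD=echo to print the commands instead of running them
REGION="${REGION:-us-central1}"
FUNCTION="${FUNCTION:-function-name}"
ALLOWED_HOST="${ALLOWED_HOST:-widgets.example.com}"
NEG="${NEG:-fn-neg}"
BACKEND="${BACKEND:-fn-backend}"
POLICY="${POLICY:-fn-host-allowlist}"

# Build the custom-rule expression for the Host header.
# Keys in request.headers are lowercase, so the key is 'host'.
# Only hostname characters are accepted so the value cannot break out of the quoted string.
host_rule_expr() {
  case "$1" in
    ""|*[!A-Za-z0-9.-]*) echo "invalid hostname: $1" >&2; return 1 ;;
  esac
  printf "request.headers['host'].lower() == '%s'" "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
}

protect_function() {
  rule="$(host_rule_expr "$ALLOWED_HOST")" || return 1
  # 1. Serverless NEG that points at the Cloud Function.
  "$GCLOUD" compute network-endpoint-groups create "$NEG" --region="$REGION" \
    --network-endpoint-type=serverless --cloud-function-name="$FUNCTION"
  # 2. Backend service for the HTTPS load balancer, with the NEG as its backend.
  "$GCLOUD" compute backend-services create "$BACKEND" --global \
    --load-balancing-scheme=EXTERNAL_MANAGED
  "$GCLOUD" compute backend-services add-backend "$BACKEND" --global \
    --network-endpoint-group="$NEG" --network-endpoint-group-region="$REGION"
  # 3. Cloud Armor policy: allow the matching Host header, deny everything else.
  "$GCLOUD" compute security-policies create "$POLICY"
  "$GCLOUD" compute security-policies rules create 1000 --security-policy="$POLICY" \
    --expression="$rule" --action=allow
  # 2147483647 is the priority of the policy's default rule.
  "$GCLOUD" compute security-policies rules update 2147483647 \
    --security-policy="$POLICY" --action=deny-403
  # 4. Attach the policy to the backend service.
  "$GCLOUD" compute backend-services update "$BACKEND" --global --security-policy="$POLICY"
}

# Nothing runs unless the script is called with "apply".
if [ "${1:-}" = "apply" ]; then protect_function; fi
```

The Host header carries the hostname the request was addressed to, so this rule restricts which load balancer hostname is accepted rather than which page embedded the script. The policy only covers traffic that goes through the load balancer, so the function's ingress setting also needs to be `internal-and-gclb`, or the cloudfunctions.net URL stays directly reachable.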
