How do I avoid people being able to access my GCP function when NOT using a Gateway and API?
I have a simple cloud function...
import functions from "@google-cloud/functions-framework";
const protectedExample = (req, res) => {
res.send('Protected example');
};
functions.http('protectedExample', protectedExample);
export {protectedExample}
Then I protect it using my API...
swagger: '2.0'
info:
title: hw-api Gateway
description: Sample API Gateway
version: 1.0.1
securityDefinitions:
auth0:
type: oauth2
flow: implicit
x-google-issuer: https://.../
x-google-jwks_uri: https://.../.well-known/jwks.json
x-google-audiences: https://.../node
authorizationUrl: https://.../authorize
scopes:
"access:node": Grants read access
schemes:
- https
produces:
- application/json
paths:
/protected:
get:
security:
- auth0: [ "access:node" ]
summary: Greet a user
operationId: hello
x-google-backend:
address: https://us-central1-....cloudfunctions.net/protectedExample
responses:
'200':
description: A successful response
schema:
type: string
This works great from an API perspective, however, when I run the following...
gcloud functions describe protectedExample
then try to call the endpoint described by
httpsTrigger:
securityLevel: SECURE_ALWAYS
url: https://us-central1-....cloudfunctions.net/protectedExample
I can still access the function. How do I prevent external people from accessing it except through the Gateway?
I tried --ingress-settings=internal-and-gclb but then I get
<body text=#000000 bgcolor=#ffffff>
<h1>Error: Forbidden</h1>
<h2>Access is forbidden.</h2>
<h2></h2>
</body>
When I try to call it through the Gateway.
In order to make the Cloud Function endpoint private but still accessible to the API Gateway, you have to give the API Gateway service account the roles/cloudfunctions.invoker role, and that the gateway's service account has the cloudfunctions.functions.invoke permission.
Make sure to also remove the allUsers role from the permissions list for the Cloud Function or deploy your Cloud Functions securely by setting the param to --no-allow-unauthenticated.
- How to pull docker image from Google Artifact Registry in k8s deployment.yaml via imagePullSecrets
- Configure uptime check via trigger cloudbuild YAML
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- Query data in a key-value table
- Is it possible to create daily budget alerts in GCP?
- Get service account auth token without gcloud?
- GoogleHadoopOutputStream: hflush(): No-op due to rate limit
- Delete all objects from a directory in google storage bucket using cloud storage options
- How do I add a .env file in gitlab ci during deployment stage?
- Bigquery: "User does not have bigquery.jobs.create permission" with roles/bigquery.admin
- Are GCP workflow shared variables thread safe?
- Stripe Error: No signatures found matching the expected signature for payload
- Google Cloud REST API for Artifact Registry - URL is 404
- Google Cloud Run weird behaviour only for path /healthz
- Google Apps Script 403: The caller does not have permission
- Querying for a Google Dataplex Entry only returns names of attached custom Aspects, not the Aspect values
- Why are BQ snapshots using the full storage amount of the original table?
- Google Document AI value types Money vs Currency
- Access Blocked: <project> has not completed the Google verification process
- How to fetch real-time google cloud run job logs?
- How do I know if an Google App Engine instance is Standard or Flexible?
- How to get the latest key version in Google Cloud KMS?
- `PermissionError: [Errno 13] Permission denied: 'C:/Users'` on Google Cloud Storage
- What is the effect of assigning an IAM role to a domain in GCP?
- Permission 'storage.buckets.get' denied on resource (or it may not exist)
- Firestore Bandwidth costs for downloading documents with large embedding vectors
- Google Cloud Functions: missing main.py
- Batch Prediction for Object Detection Auto ML took so long
- Why is this Workload Identity Pool not being created?
- Is there a way to copy from a Google Sheets that is copy locked?