0

I have a firebase cloud function which gets triggered when there is a change in firebase realtime database. In the cloud function I want to hit my app engine endpoint. The app engine endpoint is configured with security constraint of "admin" only access. (Note: the endpoint is deployed in a different app engine project than my firebase cloud function project. Both the projects are deployed in same google cloud account)

I tried to get the application default credential from the cloud function and used it in the HTTP request to the endpoint but it is getting re-directed to the sign-in page.

What is the role of the application default credential of firebase cloud function? Are there alternate ways of achieving this?

Firebase cloud function:

const gal = require('google-auth-library');

exports.makeUppercase = functions.database.ref('/{deviceId}/status')
.onWrite(event => {

      const auth = new gal.GoogleAuth();

      try {         
        auth.getApplicationDefault().then(
            function(res) {
                let client = res.credential;

                if (client.createScopedRequired && client.createScopedRequired()) {         
                    const scopes = ['https://www.googleapis.com/auth/cloud-platform'];
                    client = client.createScoped(scopes);
                }
                console.log(client);

                const url = 'https://my-secure-service-dot-my-project.appspot.com/secureEndPoint';
                client.request({url}).then(
                    function(response) { 
                        console.log(response.data);
                    }
                ).catch(err => {
                    console.error(err);
                    return err; 
                  });                       
            }
        ).catch(err => {
                    console.error(err);
                    return err; 
                  });
    } catch (e) {
        console.error(e);
    } 
});

EDIT: I deployed the endpoint in the same project as the cloud function project. Still the endpoint access fails

EDIT: Below is the web.xml portion where the security constraints are specified for the end point:

 <security-constraint>
        <web-resource-collection>
            <web-resource-name>all</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
Karthik
  • 93
  • 11
  • If the cloud function is in project A and endpoint is in project B then service account you are using for cloud function in project A should have permissions in project B. Have you tried to add it in the IAM tab for project B? – A.Queue Jan 16 '18 at 10:33
  • @A.Queue: I tried with the endpoint and the cloud function deployed in the same project. The result is same. (I had updated my question with this information) – Karthik Jan 16 '18 at 11:27
  • Could you please share your app.yaml? – A.Queue Jan 17 '18 at 11:35
  • I have updated the post with the security constraints setting – Karthik Jan 17 '18 at 15:08
  • As I understand from [documentation]() `login: admin` is for real users connecting to the endpoints. Wild guess but could [that answer](https://stackoverflow.com/questions/43146565/calling-appengine-from-firebase-functions) be a solution? – A.Queue Jan 18 '18 at 09:29
  • Link to the documentation: https://cloud.google.com/appengine/docs/standard/python/config/appref#handlers_login_admin – A.Queue Jan 18 '18 at 10:47
  • Thanks for pointing to the link! It seems that cannot access an endpoint with "admin" security constraint for this purpose. If I remove the security constraint, is there a way by which I can use the service account credentials (sent in the HTTP request) to authenticate the endpoint access? – Karthik Jan 19 '18 at 12:00

1 Answers1

0

Here are two working examples for accessing a protected GAE endpoint by using Identity Aware Proxy(IAP). Notice: IAP will restrict access to the entire application rather then to specific handlers as with login: admin.

According to app.yaml reference for standard login: admin is a medium for a real user to connect to an endpoint using a browser.

A.Queue
  • 1,549
  • 6
  • 21
  • I haven't tried this option yet, but from the documentation it seems that it would work. So, I will go ahead and accept the answer. Thanks! – Karthik Feb 06 '18 at 11:14