This doc notes that an alternative method for storage change notification (other than creating a topic and a subscription) is to use a cloud function, and that doc defines a function with exports.helloGCSGeneric = (event, callback) => { ... }
and deploys it with gcloud beta functions deploy helloGCSGeneric --trigger-resource [YOUR_TRIGGER_BUCKET_NAME]
What are the security concerns around this? I could see that to set up the notification one would have to be authorized. But can anyone who isn't authorized reach this cloud function?
The usual problem is that if pub/sub can call an https: endpoint, then anyone can. Google blushes and says yeah, make a secret key and pack it in the message, if you care. (See this SO question for a proposed method: Secure Google Cloud Functions http trigger with auth.) But even so, this notification message comes originally from cloud storage, so that technique can't be used.
Can anyone hit the endpoint leading to the helloGCSGeneric function above? How would one secure this endpoint?