
I have a Google Cloud Function. I also have a web application. I want to authenticate requests to the cloud function by using a service account.

I have the json key file.

I know that I have to follow https://cloud.google.com/functions/docs/securing/authenticating#service-to-function. But that is leading me to an IAP page that does not apply to google cloud functions.

Other similar instructions are found at https://developers.google.com/identity/protocols/oauth2/service-account

But if I am following the Python library code, I end up with the sample code there:

from google.oauth2 import service_account
import googleapiclient.discovery

# The docs sample assumes `credentials` already exists; it is loaded from the JSON key file.
# 'service-account.json' is a placeholder path for that key file.
credentials = service_account.Credentials.from_service_account_file(
    'service-account.json',
    scopes=['https://www.googleapis.com/auth/sqlservice.admin'])

sqladmin = googleapiclient.discovery.build('sqladmin', 'v1beta3', credentials=credentials)

response = sqladmin.instances().list(project='exciting-example-123').execute()

This does not directly relate to invoking a cloud function.

This question's answer somewhat deals with my requirement but is using a Call API which is only suitable for testing.

Also, I want to expose this API to multiple applications using another tech like .net. So I believe the best option for me will be to use the HTTP method (given on the same page):

https://developers.google.com/identity/protocols/oauth2/service-account#httprest

But whatever I do I am unable to get the signature right.

Any help to get this sorted will be highly appreciated as I am stuck on this for the past few days.

katZwat

3 Answers

You can use the Google auth library like this:

from google.oauth2.id_token import fetch_id_token
from google.auth.transport import requests

# The audience must match what the callee expects; for a Cloud Function that is
# the function's HTTPS trigger URL.
audience = "my_audience"
r = requests.Request()

# Mints an ID token for the audience using the application default credentials.
token = fetch_id_token(r, audience)

print(token)

The fetch_id_token method will use the default credentials:

  1. The service account key file defined in the environment variable GOOGLE_APPLICATION_CREDENTIALS
  2. The service account loaded in the Google Cloud environment
guillaume blaquiere
  • Thanks for the response. Does this method assume that I have my application hosted in my Google Cloud project? – katZwat Jan 22 '21 at 17:57
  • Not only. If hosted on Google Cloud, the service account of the service is used. If elsewhere, in your computer, or on other environment, you can use a service account key file, and define the `GOOGLE_APPLICATION_CREDENTIALS` that points to it. – guillaume blaquiere Jan 22 '21 at 20:11
For now, I followed this answer in PHP

In the claims section, I removed the scope. Instead, I added a claim of target_audience: "target_audience" => "google-function-http-trigger"

The Cloud Function HTTP trigger will look like https://us-central1-test-project-name.cloudfunctions.net/function-name

This will give the required assertion key.

Then I follow https://developers.google.com/identity/protocols/oauth2/service-account#httprest to get the id_token

Then with the id_token as the bearer token we can call the cloud function.

Please note that the token expires depending on the time set in the "exp" claim. Once expired, you have to redo the steps to generate a new id_token.

katZwat
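The JWT-bearer flow this answer describes, written out in Python as an added example (not code from the question or from any answer). It assumes a downloaded service-account key file with client_email and private_key fields, the function's HTTPS trigger URL as the target_audience, and the `cryptography` package for RS256 signing; the function names are my own.

```python
import base64, json, time, urllib.parse, urllib.request

TOKEN_URI = "https://oauth2.googleapis.com/token"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def id_token_claims(client_email: str, function_url: str, now: int, lifetime: int = 3600) -> dict:
    """Claims for an ID-token assertion: target_audience replaces scope; aud is the token endpoint."""
    return {
        "iss": client_email,
        "sub": client_email,
        "aud": TOKEN_URI,
        "target_audience": function_url,  # the function's own HTTPS trigger URL
        "iat": now,
        "exp": now + lifetime,  # at most one hour after iat
    }

def encode_jwt(claims: dict, signer) -> str:
    """header.payload.signature; `signer` maps the signing input to a raw RS256 signature."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = header + "." + payload
    return signing_input + "." + b64url(signer(signing_input.encode("ascii")))

def rs256_signer(private_key_pem: str):
    """Signer backed by the key file's private_key (needs the `cryptography` package)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem.encode(), password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())

def fetch_id_token(key_file: str, function_url: str) -> str:
    """Exchange the signed assertion for an ID token at Google's token endpoint."""
    with open(key_file) as f:
        key = json.load(f)
    claims = id_token_claims(key["client_email"], function_url, int(time.time()))
    assertion = encode_jwt(claims, rs256_signer(key["private_key"]))
    body = urllib.parse.urlencode({"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
                                   "assertion": assertion}).encode()
    req = urllib.request.Request(TOKEN_URI, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["id_token"]

def call_function(function_url: str, id_token: str) -> bytes:
    """Invoke the function with the ID token as a bearer token."""
    req = urllib.request.Request(function_url, headers={"Authorization": "Bearer " + id_token})
    with urllib.request.urlopen(req) as resp:
        return resp.read()
```

Only fetch_id_token and call_function touch the network; the claim and JWT builders run offline, which is where a mismatched target_audience or an over-long exp is easiest to catch.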
I want to authenticate requests to the cloud function by using a service account.

I am not sure I understand the context correctly, but I would try to assign a roles/cloudfunctions.invoker IAM role to that service account (which is used to run your code in the web application) - see Cloud Functions IAM Roles.

In that case, code running under that service account "Can invoke an HTTP function using its public URL".

I reckon no json keys are required in this case.

al-dann