My goal is to prevent users from accessing my cloud function endpoints by using an API key and API Gateway. I have successfully deployed the API Gateway; however, the original endpoint of each cloud function still exists and is accessible to the public. I want to have the cloud function endpoints private, while having the API Gateway endpoints public, but I am not sure how to achieve this. Any suggestions would be great.
Set up "API Gateway" to "Cloud Functions" authorization. https://cloud.google.com/api-gateway/docs/securing-backend-services#cloud_functions – John Hanley Mar 19 '21 at 22:23
1 Answer
You can't hide your Cloud Functions endpoint. In any configuration it will be publicly viewable.
However, you can restrict who has access. In your case, deploy your Cloud Functions in secured mode (set the param --no-allow-unauthenticated or remove allUsers from the permissions section).
Then, deploy your API Gateway with a custom (backend) service account. Grant this service account the permission to invoke Cloud Functions (role: cloudfunctions.invoker).
When you have achieved this, only the API Gateway identity will be allowed to access your Cloud Functions. The users will be able to see and to request the Cloud Functions URL, but they will get a 403 or a 401 error.
EDIT 1
After tests, and with Cloud Functions (I haven't had this case with Cloud Run), the Cloud Functions generated target audience is wrong when you use an additional path in your backend. Here is the conf that I have:

```yaml
/function:
  get:
    summary: Greet a user
    operationId: function
    x-google-backend:
      address: https://us-central1-gdglyon-cloudrun.cloudfunctions.net/gdg-go
    responses:
      '200':
        description: A successful response
        schema:
          type: string
/function-path:
  get:
    summary: Greet a user
    operationId: function-path
    x-google-backend:
      address: https://us-central1-gdglyon-cloudrun.cloudfunctions.net/gdg-go/path
      jwt_audience: https://us-central1-gdglyon-cloudrun.cloudfunctions.net/gdg-go
    responses:
      '200':
        description: A successful response
        schema:
          type: string
```

The /function route uses the root path of the Cloud Functions, no problem to invoke it directly. The /function-path route adds /path to the root path of the Cloud Functions. I guess that API Gateway uses this same full URL (with the /path at the end), which is a wrong audience for the function. You can override that with the jwt_audience parameter.
So I removed the allUsers from the permissions section, and then I gave my service account the role of cloudfunctions.invoker; however, when calling the function I get a 401 error: Unauthorized? – Eric101 Mar 20 '21 at 15:24
I edited my answer. You are either in a special case, or in a bug. I proposed a workaround that worked for me. Let me know if it does for you also. – guillaume blaquiere Mar 20 '21 at 20:59
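The workaround from the answer above (set jwt_audience to the function's root URL whenever the backend address carries an extra path), as an added example that is not part of the original answer: it walks an API Gateway OpenAPI spec held as a Python dict and fills in the missing jwt_audience. It assumes the cloudfunctions.net URL layout described in the code comments; the sample spec is constructed to mirror the two routes in the answer.

```python
import copy
import re
from urllib.parse import urlsplit

# Assumption (not stated in the answer): Cloud Functions HTTP URLs look like
# https://REGION-PROJECT.cloudfunctions.net/FUNCTION[/extra/path] and the
# function expects the audience to be the URL cut off after /FUNCTION.
CF_HOST = re.compile(r"^[a-z0-9-]+\.cloudfunctions\.net$")

def function_root(address):
    """Root URL of a Cloud Functions backend, or None for other hosts."""
    parts = urlsplit(address)
    if parts.scheme != "https" or not CF_HOST.match(parts.netloc):
        return None
    segments = [s for s in parts.path.split("/") if s]
    if not segments:
        return None
    return f"https://{parts.netloc}/{segments[0]}"

def fix_audiences(spec):
    """Return a copy of an OpenAPI 2.0 spec in which every Cloud Functions
    backend whose address carries an extra path gets jwt_audience set to
    the function root; backends that already set it are left alone."""
    fixed = copy.deepcopy(spec)
    for methods in fixed.get("paths", {}).values():
        for op in methods.values():
            backend = op.get("x-google-backend") if isinstance(op, dict) else None
            if not backend or "jwt_audience" in backend:
                continue
            root = function_root(backend.get("address", ""))
            if root and root != backend["address"].rstrip("/"):
                backend["jwt_audience"] = root
    return fixed

# Constructed sample mirroring the two routes in the answer (no jwt_audience yet).
CF = "https://us-central1-gdglyon-cloudrun.cloudfunctions.net/gdg-go"
SAMPLE_SPEC = {
    "swagger": "2.0",
    "paths": {
        "/function": {"get": {"operationId": "function",
                              "x-google-backend": {"address": CF}}},
        "/function-path": {"get": {"operationId": "function-path",
                                   "x-google-backend": {"address": CF + "/path"}}},
    },
}

if __name__ == "__main__":
    for path, item in fix_audiences(SAMPLE_SPEC)["paths"].items():
        print(path, item["get"]["x-google-backend"])
```

Only the route whose address goes past the function root gets a jwt_audience added; the root route and any backend that already declares one are left untouched.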