Trigger cloud function programatically from internet with Authorization

Question

I have a service (web client) in AWS which needs to trigger a cloud function in GCP, I want to keep this secured so I cannot allow all users to invoke the mentioned cloud function, but I want to allow my service in AWS to invoke the mentioned cloud function.

I have searched the internet and I have seen following links: link1, link2 but I am unable to find a solution.

all the mentioned solutions talk about generating the required idToken manually but since it is a service I don't have the option to generate the idToken manually, I tried to use service-accounts with keys.json file option but it throws following error:

request https://us-central1-multi-service-app-js.cloudfunctions.net/helloHttp with target audience https://us-central1-multi-service-app-js.cloudfunctions.net/helloHttp

<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>401 Unauthorized</title>
</head>
<body text=#000000 bgcolor=#ffffff>
<h1>Error: Unauthorized</h1>
<h2>Your client does not have permission to the requested URL <code>/helloHttp</code>.</h2>
<h2></h2>
</body></html>

Answer 1

As you are asking for a general advice, I would suggest to have a look at a GCP Workload Identity Federation. Here are some links:

GCP - Workload identity federation Overview

GCP - Configuring workload identity federation

GCP - Specific configuration description

Medium - Keyless API authentication- Launching GCP workloads from AWS

YouTube - AWS to GCP sans service account keys!! - Workload Identity Federation

YouTube - GCP - Workload Identity Federation - Access GCS Bucket From AWS Lambda Function

One may find plenty of other Workload Identitfy Federation sources of information which are not necessarily AWS related.