
I have a Firebase Cloud Function which gets triggered when there is a change in the Firebase Realtime Database. In the Cloud Function I want to hit my App Engine endpoint. The App Engine endpoint is configured with a security constraint of "admin" only access. (Note: the endpoint is deployed in a different App Engine project than my Firebase Cloud Function project. Both projects are deployed in the same Google Cloud account.)

I tried to get the application default credential from the Cloud Function and used it in the HTTP request to the endpoint, but it is getting redirected to the sign-in page.

What is the role of the application default credential of firebase cloud function? Are there alternate ways of achieving this?

Firebase cloud function:

const functions = require('firebase-functions');
const gal = require('google-auth-library');

exports.makeUppercase = functions.database.ref('/{deviceId}/status')
    .onWrite(event => {
        const auth = new gal.GoogleAuth();

        // Application default credentials inside a Cloud Function resolve to the
        // function's runtime service account. Return the promise chain so the
        // function is not torn down before the outbound request completes.
        return auth.getApplicationDefault()
            .then(res => {
                let client = res.credential;

                // Some credential types require explicit scopes before use.
                if (client.createScopedRequired && client.createScopedRequired()) {
                    const scopes = ['https://www.googleapis.com/auth/cloud-platform'];
                    client = client.createScoped(scopes);
                }
                // Do not log the credential object: it carries the access token.

                const url = 'https://my-secure-service-dot-my-project.appspot.com/secureEndPoint';
                // Sends the service account's OAuth2 access token as
                // "Authorization: Bearer ..." with the request.
                return client.request({url});
            })
            .then(response => {
                console.log(response.data);
                return response.data;
            })
            .catch(err => {
                console.error(err);
                return err;
            });
    });

EDIT: I deployed the endpoint in the same project as the Cloud Function project. The endpoint access still fails.

EDIT: Below is the web.xml portion where the security constraints are specified for the endpoint:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>all</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint> 
If the cloud function is in project A and the endpoint is in project B, then the service account you are using for the cloud function in project A should have permissions in project B. Have you tried to add it in the IAM tab for project B? (A.Queue)

@A.Queue: I tried with the endpoint and the cloud function deployed in the same project. The result is the same. (I had updated my question with this information.) (Karthik)

Could you please share your app.yaml? (A.Queue)

I have updated the post with the security constraint setting. (Karthik)

As I understand from the documentation, login: admin is for real users connecting to the endpoints. Wild guess, but could that answer be a solution? (A.Queue)

1 Answer


Here are two working examples for accessing a protected GAE endpoint by using Identity-Aware Proxy (IAP). Notice: IAP will restrict access to the entire application rather than to specific handlers as with login: admin.

According to the app.yaml reference for the standard environment, login: admin is a means for a real user to connect to an endpoint using a browser.
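The difference the answer points at is the credential type, not the IAM permissions: the question's code sends an OAuth2 access token, and a login: admin handler ignores bearer tokens and answers with a browser sign-in redirect, whereas IAP accepts a Google-signed OIDC ID token whose aud claim is the IAP resource's OAuth client ID. The following is an added example, not code from the question, the answer or Google's samples, of a Cloud Function calling the endpoint that way. IAP_CLIENT_ID and TARGET_URL are placeholders; it assumes the function's runtime service account has been granted access to the IAP-secured app, that google-auth-library is a dependency, and that unsignedJwt is a constructed helper used only to produce offline sample tokens.

```javascript
// Added example (not from the original post). Calls an IAP-protected App Engine
// endpoint with an OIDC ID token for the Cloud Function's runtime service account.
// Assumptions: IAP_CLIENT_ID and TARGET_URL are placeholders; google-auth-library
// (v5 or later, which provides getIdTokenClient) is listed in package.json.

const IAP_CLIENT_ID = '000000000000-example.apps.googleusercontent.com'; // placeholder
const TARGET_URL = 'https://my-secure-service-dot-my-project.appspot.com/secureEndPoint';

// JWT segments are base64url without padding; Buffer wants standard base64.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Read a JWT's claims WITHOUT verifying it. Client-side diagnostic only:
// IAP, not this code, verifies the Google signature on the token.
function decodeJwtClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// IAP answers 401 to any ID token whose `aud` is not its own OAuth client ID,
// so check the audience before sending to make that misconfiguration obvious.
function checkIapAudience(token, expectedAudience) {
  return decodeJwtClaims(token).aud === expectedAudience;
}

// The symptom from the question: a login: admin handler sends API clients to
// Google sign-in, which no bearer token can satisfy. Compare the hostname, not a
// substring, so "accounts.google.com.evil.test" is not mistaken for Google.
function isSignInRedirect(finalUrl) {
  try {
    return new URL(finalUrl).hostname === 'accounts.google.com';
  } catch (e) {
    return false;
  }
}

async function callIapProtectedEndpoint(url, audience) {
  const { GoogleAuth } = require('google-auth-library');
  const auth = new GoogleAuth();
  // Mints a Google-signed OIDC ID token (aud = audience) for the function's
  // service account and attaches it as "Authorization: Bearer <token>".
  const client = await auth.getIdTokenClient(audience);
  // Newer library versions return a Headers object, older ones a plain object.
  const headers = await client.getRequestHeaders(url);
  const authz = typeof headers.get === 'function' ? headers.get('authorization') : headers.Authorization;
  if (!checkIapAudience(authz.replace(/^Bearer /i, ''), audience)) {
    throw new Error('ID token audience does not match the IAP client ID');
  }
  const res = await client.request({ url });
  // The HTTP client follows redirects, so detect a login: admin handler by
  // where the response finally came from.
  const finalUrl = res.request && res.request.responseURL ? res.request.responseURL : url;
  if (isSignInRedirect(finalUrl)) {
    throw new Error('endpoint is protected by login: admin (browser sign-in), not by IAP');
  }
  return res.data;
}

// Constructed, unsigned sample token for offline demonstration only; a real
// ID token comes from getIdTokenClient and is signed by Google.
function unsignedJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.`;
}

module.exports = { callIapProtectedEndpoint, checkIapAudience, decodeJwtClaims, isSignInRedirect, unsignedJwt };
```

Inside the onWrite handler the call is simply `return callIapProtectedEndpoint(TARGET_URL, IAP_CLIENT_ID);`, and the returned promise keeps the function alive until the request finishes. The cloud-platform scope from the question's code plays no part here: IAP checks the ID token's audience and the caller's IAM binding on the IAP resource, not OAuth scopes.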