How to send service account token in request to Google Cloud Functions

0
votes

I'm running simple function in Google Cloud Functions to update DNS records (see code here). Currently I create service account with roles/dns.admin privileges and assign that to the function. I'm then relying for Functions' beta support for client authentication & authorization.

Alternative approach could be NOT to provision the service account credentials (with roles/dns.admin) for the function, but instead pass credential in each request.

How can I do this with Go runtime - How can I use the bearer token from the request with the Google API Go client?

Pros/cons in these two approaches?

3
google-cloud-platformgoogle-cloud-functionsgoogle-cloud-dnsgoogle-api-go-client
I guess one "pro" in the current implementation: client can be provisioned with service account with lesser privileges and with no direct access to CloudDNS, while function has full dns.admin privileges.tsaarni

3 Answers

0
votes

The Cloud Function should be able to use its credentials to authorize the request by getting the default credentials and passing it in the DNS client.

Find more info here: Setting Up Authentication for Server to Server Production Applications

0
votes

I found a way to feed an access token originating from the request to the Google API Go client. Here is how I construct the client (r is the incoming http.Request):

ctx := context.Background()

auth := r.Header.Get("Authorization")
token := strings.TrimPrefix(auth, "Bearer ")
ts := oauth2.StaticTokenSource(
    &oauth2.Token{AccessToken: token},
)
c := oauth2.NewClient(ctx, ts)

dnsService, err := dns.New(c)

But after thinking a bit, I do not think this is good approach in my case: the access token is unnecessarily powerful to give to the requester. So I chose the first approach in my original question.