I'm trying to find a way to secure my Google Cloud App Engine standard environment endpoint, which is subscribed to a push Pub/Sub topic triggered by the creation of a file on Google Cloud Storage.

Since it's only possible to set IP addresses in the firewall rules of App Engine, and Pub/Sub doesn't have a predefined set of IP addresses, it's not possible to use this feature. It's also not possible to use a custom header on the Pub/Sub call and check its validity on App Engine, since I have no control over the Pub/Sub request.

Any suggestions on how to secure the App Engine endpoint?

Thanks

1 Answer

Cloud Pub/Sub push does not play well with IP-based firewall rules. Basing your push notification security on IP addresses is not the most efficient way.

OAuth and Service Accounts can be useful to authenticate access to Google products, such as Cloud Pub/Sub. This will prevent outsiders from accessing your Pub/Sub API as long as they are not included under a specific service account.

Additionally, in order for your push notifications to be secured, I would follow either of these two solutions:

To confirm that the push notification originates from Cloud Pub/Sub, you could configure endpoints which only accept messages that contain a secret token.

Set up your own push proxy. A simple stateless service might pull messages from Pub/Sub and push them from a fixed IP address to your webhook. Pub/Sub offers value in this setup by providing scaling and availability.

Additionally, I'm not sure if you already implemented exactly this and it did not work, but this link from another Stack Overflow issue may be helpful
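As an added example (not code from the question or the answer above), here is the secret-token approach from the answer applied to the asker's setup: a dependency-free WSGI handler for App Engine standard that rejects any push request whose `?token=` query value does not match a shared secret, then decodes the Pub/Sub push envelope and reads the Cloud Storage notification attributes. The environment variable name, the `main:app` entry point, the token value and the sample envelope are all constructed for this example.

```python
import base64
import hmac
import json
import os
from urllib.parse import parse_qs

# Shared secret placed in the subscription's push endpoint URL, e.g.
# https://<app>.appspot.com/pubsub/push?token=<secret>. Constructed default for the example.
PUSH_TOKEN = os.environ.get("PUBSUB_VERIFICATION_TOKEN", "constructed-example-token")

# Constructed sample envelope shaped like a Cloud Storage OBJECT_FINALIZE push message.
SAMPLE_ENVELOPE = json.dumps({
    "message": {
        "data": base64.b64encode(b'{"name": "report.csv"}').decode(),
        "attributes": {"eventType": "OBJECT_FINALIZE",
                       "bucketId": "example-bucket", "objectId": "report.csv"},
    },
    "subscription": "projects/example-project/subscriptions/example-sub",
}).encode()


def token_is_valid(query_string, expected):
    """Compare the ?token= value with the secret in constant time (no early exit on mismatch)."""
    supplied = parse_qs(query_string).get("token", [""])[0]
    return hmac.compare_digest(supplied.encode(), expected.encode())


def parse_push_envelope(body):
    """Decode a Pub/Sub push envelope into (data_bytes, attributes); None if malformed."""
    try:
        message = json.loads(body)["message"]
        data = base64.b64decode(message.get("data", ""), validate=True)
        attributes = message.get("attributes") or {}
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    return data, attributes


def handle_push(query_string, body, expected=PUSH_TOKEN):
    """Return (status, detail): 403 on bad token, 400 on bad envelope, 200 when accepted."""
    if not token_is_valid(query_string, expected):
        return 403, "invalid token"
    parsed = parse_push_envelope(body)
    if parsed is None:
        return 400, "malformed push envelope"
    data, attributes = parsed
    # GCS notifications put bucket/object in attributes; `data` holds the object metadata JSON.
    if attributes.get("eventType") != "OBJECT_FINALIZE":
        return 200, "ignored event"
    return 200, f"new object {attributes.get('bucketId')}/{attributes.get('objectId')}"


def app(environ, start_response):
    """WSGI entry point for App Engine standard (assumed configured as 'main:app')."""
    body = environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0))
    status, detail = handle_push(environ.get("QUERY_STRING", ""), body)
    # Pub/Sub treats any 2xx as an ack and redelivers on any other status.
    start_response(f"{status} {'OK' if status == 200 else 'Error'}", [("Content-Type", "text/plain")])
    return [detail.encode()]
```

The token only proves the caller knew the subscription URL, so keep that URL out of logs and rotate the token by updating the subscription's push endpoint.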