1
votes

I have a Node.js app deployed on Google App Engine, which triggers HTTP cloud functions through simple HTTP calls (using axios) to get data from Google Cloud SQL.

Everyone who uses the site will be able to see the HTTP request and replicate it.

What is the best way to secure my Google Cloud Functions so that they can only be called from Google App Engine?

2
Possible duplicate of Securing HTTP cloud function - Deniss Tsokarev
Are you not able to query Cloud SQL directly from GAE? Do you have to go through Cloud Functions? - Doug Stevenson
@DenisT. the solution in that post requires Cloud Run and Endpoints. Moreover, the features are still in beta and Google App Engine has the same service account as the Cloud Functions, so I don't think it is a solution for my problem. - Francesco Clementi
@DougStevenson yes, it's possible to query Cloud SQL from GAE, but it's not a best practice to build a monolithic application, so I prefer to separate the frontend from the backend. Moreover, I'd like to use my cloud functions in other applications. - Francesco Clementi
Beta is really stable and efficient on GCP. Simply no SLA, but it works very well. - guillaume blaquiere

2 Answers

2
votes

The best way is to deploy a private function.

  • When you deploy your function with the CLI, use the --no-allow-unauthenticated param. This feature is in Beta
  • On the console, you can't do this when you deploy your function. However, you can delete the access for all users in the functions list page
    • Click on the function line (not the name of the function, the line)
    • Show the info panel in the upper right corner
    • Delete allUsers from the Cloud Function Invoker.


Now authorize only App Engine to access your function

  • In the console, at the same place (Function Invoker), add the App Engine default service account: @appspot.gserviceaccount.com
  • With the CLI, use this command
gcloud beta functions add-iam-policy-binding <Your Function Name> \
  --member='serviceAccount:<your project id>@appspot.gserviceaccount.com' \
  --role='roles/cloudfunctions.invoker'

Now only users or service accounts with the role cloudfunctions.invoker can invoke your function.
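Once the function is private, the App Engine side also has to change: the Node.js app must send an identity token for its default service account, minted by the metadata server with the function URL as audience, or it gets HTTP 403. The following is an added example (not code from the question, the answers, or Google) of that caller; it assumes Node 18+ for the global fetch, and the function URL in the test is a placeholder.

```javascript
// Added example (not code from the question or answers): the Node.js app on
// App Engine calling the private function with an identity token from the
// metadata server. Assumes Node 18+ (global fetch); function URL is a placeholder.

const METADATA_IDENTITY_URL =
  'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity';

// The audience must be the exact HTTPS URL of the function: a token minted for
// any other audience fails the invoker check even though Google signed it.
function identityTokenRequest(audience) {
  const url = `${METADATA_IDENTITY_URL}?audience=${encodeURIComponent(audience)}`;
  return { url, headers: { 'Metadata-Flavor': 'Google' } };
}

// Minimal HTTP client on top of fetch; swapped for a stub in tests.
const defaultClient = {
  async get(url, headers) {
    const res = await fetch(url, { headers });
    if (!res.ok) throw new Error(`GET ${url} -> HTTP ${res.status}`);
    return res.text();
  },
  async post({ url, headers, body }) {
    const res = await fetch(url, { method: 'POST', headers, body });
    if (!res.ok) throw new Error(`POST ${url} -> HTTP ${res.status}`);
    return res.json();
  },
};

async function getIdentityToken(audience, client = defaultClient) {
  const { url, headers } = identityTokenRequest(audience);
  const token = (await client.get(url, headers)).trim();
  // The metadata server answers with a compact JWT: header.payload.signature.
  if (token.split('.').length !== 3) throw new Error('metadata server did not return a JWT');
  return token;
}

// The same JSON call as before plus the bearer token; the invoker IAM binding admits it.
function privateFunctionRequest(functionUrl, token, body) {
  return {
    url: functionUrl,
    headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  };
}

async function callPrivateFunction(functionUrl, body, client = defaultClient) {
  const token = await getIdentityToken(functionUrl, client);
  return client.post(privateFunctionRequest(functionUrl, token, body));
}
```

Replacing the axios call in the app with `callPrivateFunction(FUNCTION_URL, payload)` is the only change needed on the App Engine side; a caller that is not running as the bound service account cannot obtain a valid token for that audience.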

0
votes

I feel the post mentioned by @Denis T does mention options for your scenario. Since you commented that it does not work for your scenario, did you consider restricting access to the Cloud Function to only the App Engine default service account? How to do this is mentioned in the answer quoted by Denis.