
I have a simple cloud function that is triggered by the creation of a new user in Firebase Auth, which makes a POST request to a service running on Google Kubernetes Engine together with an ESP (Google Endpoints).

From what I was able to understand by reading "Authentication between services", I should be able to define service-to-service authentication by assigning a security definition related to a service account with the Service Account Token Creator role. How would I go about authenticating this request using service accounts, so that only this function could make it? Could this service account somehow be attributed to the function? Kindly guide me on this issue.

Thank you!

The answer requires more information. What service are you using that is POSTing to a Kubernetes service? Some services have built-in OAuth identity features (Cloud Scheduler, Cloud Run, Cloud Functions, etc.). For these services you just set a command-line option. For other services, you need to either request an Identity Token (Compute Engine) or create one using Google OAuth APIs. The end result is that your Kubernetes service will need to process the HTTP Authorization: Bearer TOKEN header, which contains an OAuth Identity Token. - John Hanley
How is your k8s cluster configured? Which services are communicating? Do you use a service mesh layer for doing service-to-service authentication? - guillaume blaquiere
@JohnHanley The POST request is done by a Cloud Function; I say so at the beginning of the question. - lgonc
@guillaumeblaquiere How is this relevant to the question? This is just authentication between a Cloud Function and an endpoint (Google Endpoints). - lgonc
There is a difference between saying "my cloud function" and saying "I am using Google Cloud Functions". Clarity is a key component of good questions. Then my comment has your answer. Cloud Functions supports the command-line option / configuration option --service-account. That sets the identity that the function uses. On the other side, you need to verify the token received in the HTTP header. cloud.google.com/sdk/gcloud/reference/functions/deploy - John Hanley

2 Answers


Cloud Functions use the App Engine service account by default.

In order to achieve that you need to follow these four steps:

1) Add the service account to the access list for the Cloud IAP-secured project

2) Generate a JWT-based access token

3) Request an OIDC token for the Cloud IAP-secured client ID

4) Include the OIDC token in an Authorization: Bearer header to make the authenticated request to the Cloud IAP-secured application

Here you can see a guide where these steps are explained in detail, with some code examples, in order to achieve programmatic authorization of the default service account.


Could this service account be somehow attributed to the function? Kindly guide me for this issue.

During function execution, Cloud Functions uses the service account PROJECT_ID@appspot.gserviceaccount.com as its identity. However, you can assign your function its own identity: you can deploy your cloud function with a service account that has the correct role.

Then the function uses the service account's private key to sign a secure JSON Web Token (JWT) and sends the signed JWT in the request to your API.

You will configure your API to support authentication by adding the service account as an issuer in your OpenAPI document.

Before ESP forwards a request to your API, ESP verifies: signature, issuer claim, audience claim and token.

In this way, only this function could make the API request.

Here you can find the official documentation: Function Identity, Authentication between services.