I'm setting up a Cloud Function which will only be callable by a specific service account. I've added this service account as Invoker to my Cloud Function, but how can I use this service account when calling the Cloud Function from a React app? I've added the Authorization header to my Axios call, and to get the token I'm sending to it I'm using this code: https://github.com/salrashid123/google_id_token/blob/master/nodejs/GoogleIDToken.js and sending it in the Authorization header.
1 Answer
The service account is designed for identifying a "non-human requester", I mean machine to machine. The service account key file contains the secret, and each secret has to be kept secret. You can't use this secret in a public app, else your secret is no longer secret!
In the case of your React app, you have a human logged on the app. He has his own secrets (login password for example), and thus his own JWT token. Thereby, there are 2 solutions:
- Either your user has a Google account (Gmail, G Suite, Cloud Identity, ...) and you can add him as Cloud Function Invoker directly
- Or, you have to pass through a backend. Your React app calls the backend with the user identity, and you perform your own security check on the backend. This backend uses the Service Account for calling the Cloud Function and forwards the answer to the React app.
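The second option above, as an added example (not code from the question or the answer): a backend handler that checks the caller, obtains an ID token for its own attached service account from the Google Cloud metadata server, and calls the function, so no key file ever reaches the browser. It assumes the backend runs on Google Cloud with the Invoker service account attached; `FUNCTION_URL` is a placeholder and `verifyUser` is a hypothetical callback for your own session or JWT check.

```javascript
// Added example. FUNCTION_URL is a placeholder; verifyUser is a hypothetical
// callback standing in for your own session/JWT validation.
const FUNCTION_URL = 'https://REGION-PROJECT_ID.cloudfunctions.net/FUNCTION_NAME';
const METADATA_IDENTITY_URL =
  'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity';

// Ask the metadata server for an ID token minted for the backend's attached
// service account. The audience is the URL of the function being called.
async function getInvokerToken(audience, fetchImpl = globalThis.fetch) {
  const url = `${METADATA_IDENTITY_URL}?audience=${encodeURIComponent(audience)}`;
  const res = await fetchImpl(url, { headers: { 'Metadata-Flavor': 'Google' } });
  if (!res.ok) throw new Error(`metadata server returned ${res.status}`);
  return (await res.text()).trim();
}

// Handle one request from the React app: { headers: { authorization }, body }.
// fetchImpl is injectable so the flow can be exercised without a network.
async function proxyToFunction(req, { verifyUser, fetchImpl = globalThis.fetch }) {
  // 1. The backend's own security check on the end user's identity.
  const user = await verifyUser(req.headers.authorization);
  if (!user) return { status: 401, body: 'unauthenticated' };

  // 2. Only after that check, act as the service account. The user's own
  //    Authorization header is never forwarded to the function.
  const token = await getInvokerToken(FUNCTION_URL, fetchImpl);
  const upstream = await fetchImpl(FUNCTION_URL, {
    method: 'POST',
    headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ uid: user.uid, payload: req.body }),
  });

  // 3. Forward the function's answer to the React app.
  return { status: upstream.status, body: await upstream.text() };
}
```

Because the function now sees only the service account's identity, any per-user decision it needs has to travel in the request body (here `uid`), taken from the backend's verified user and not from client input.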