How can I trigger an HTTP Cloud Function from within Google App Engine?

1
votes

I have a Flask app in Google App Engine Standard Environment Python, and I also have a Cloud Function with an HTTP trigger which accepts a JSON body including the URL of a file. The CF downloads the file at that URL then saves it to a GCS bucket. The GAE service account has Cloud Function Invoker permissions, yet when using urlfetch.fetch() in my GAE code to trigger CF, the App Engine code gets a 403 Forbidden error unless I make the CF trigger callable by anyone.

How do I successfully call/trigger CF's from GAE in Python? I assume the answer is one of these:

  1. Set IAM permissions on GAE service account to {enlighten me here}
  2. Add authentication headers in urlfetch.fetch() like so {different enlightenment}
  3. Make CF triggerable from anywhere, but hard code some secret key so the CF code itself handles authentication.
1
pythongoogle-app-enginegoogle-cloud-platformgoogle-cloud-functionsgoogle-cloud-iam
You need to add an HTTP Authorization: Bearer [IDENTITY_TOKEN] header when calling Cloud Functions protected by IAP authorization.John Hanley

1 Answers

0
votes

It's well documented here: Cloud Functions Authentication In short you have to provide your service account credentials in the authentication header.

To get your credentials use the Google Auth Client library. If you are testing from local you should create a service account JSON and load it to the environment variable GOOGLE_APPLICATION_CREDENTIALS but on App Engine it will work from scratch.

After you have gotten your token, pass it as an auth header like so:

    auth_req = google.auth.transport.requests.Request()
    auth_token = google.oauth2.id_token.fetch_id_token(auth_req, cloud_function_url)

    response = requests.post(cloud_function_url, json=payload, headers={"Authorization" : f"Bearer {auth_token}"})