Google Cloud function - how to authenticate while calling Google App Engine

1
votes

We have an application in App Engine Standard Python 2.7. We also have a Cloud Function in this project.

We would like to do a HTTP POST request to one of the resources in the App Engine application. Currently we have the following code in Cloud Functions

url = "https://project-name.appspot.com/urlidentifier"

data_obj = {
    'sample' : 'data'
}

data_json = json.dumps(data_obj)
data_encode = urllib.parse.urlencode(data_json).encode("utf-8")

req =  request.Request(url, data=data_encode) # this will make the method "POST"
resp = request.urlopen(req)

Application in Python 2.7 is authenticated using Firebase user authentication. Please see here for details.

Our question - how do we enforce authentication of the application's resource when the HTTP POST is initiated by the Cloud Function (instead of the user). The application resource (https://project-name.appspot.com/urlidentifier) is a function in the project. Can we use service accounts? If yes, how do we do this?

Both the Cloud Function and the application belong to the same project.

1
google-cloud-platformgoogle-cloud-functionsgoogle-authenticationgoogle-app-engine-python

1 Answers

0
votes

You can authenticate via the function's existing service identity, see:

https://cloud.google.com/run/docs/authenticating/service-to-service

(This documentation is for Cloud Run, but the pattern is the same for Cloud Functions. You'll need to give the App Engine invoker role to the service account for the function instead).