4
votes

I have created a Google cloud function, and in the permissions I've added the 'Cloud Functions Invoker' role to the 3 individual users I want to be able to trigger the function.

The function is accessible at the trigger endpoint provided, similar to this: https://us-central1-name-of-my-app.cloudfunctions.net/function-name

I have assigned myself the invoker role on the function. When I enter the URL I get a 403

Your client does not have permission to get URL /function-name from this server.

Since I am signed into my Google account already, I had assumed I would have permissions to access this function.

If not, how can I show the authentication prompt as part of the function without exposing the entire function via allUsers?

1
Google IAM authentication controls for Cloud Functions are not compatible with invocation from a browser. The browser isn't going to send the user's auth credentials; it's meant for service account access only, where the auth token is set in the request headers. If you want a web UI, you'll have to build one. (Doug Stevenson)

1 Answer

1
votes

You can't call the function directly even if you are authenticated in your browser (this feature will come later, when you are behind a Global Load Balancer with IAP activated).

So, to call your function you have to present an identity token (not an access token). For this, you can use the gcloud SDK with a command like this (on Linux, after having initialized it with your user credentials via gcloud init):

curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" https://....

You can also create an API Gateway in front of it (I wrote an article on this) and use an API key, for example.
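As an added example (my own code, not part of the question or the answer above), here is the same call in Python with the standard library only: it obtains the token the way the answer does (shelling out to gcloud), and before sending it checks that it is holding a JWT identity token rather than an opaque OAuth2 access token, which is the mix-up the answer warns about. The function URL, the claim values in the constructed sample token, and the helper names are assumptions for illustration; nothing here verifies the JWT signature, because Google's front end does that when the request arrives.

```python
"""Invoke an IAM-protected Cloud Function with an identity token.

Added example, not code from the question or the answer. Assumes gcloud is
installed and initialised (gcloud init) if you use gcloud_identity_token();
everything else runs offline with the standard library.
"""
import base64
import json
import subprocess
import urllib.error
import urllib.request


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a JWT WITHOUT verifying its signature.

    This is only a client-side sanity check (are we sending the right kind of
    token?); the signature is checked by Google's front end, not by us."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def classify_token(token: str) -> str:
    """'identity' for a Google ID token (a JWT with Google iss and an aud),
    'access' for an opaque OAuth2 access token (ya29...), else 'unknown'."""
    if token.startswith("ya29."):
        return "access"
    try:
        claims = decode_jwt_payload(token)
    except (ValueError, json.JSONDecodeError, UnicodeDecodeError):
        return "unknown"
    google_issuers = ("https://accounts.google.com", "accounts.google.com")
    if claims.get("iss") in google_issuers and "aud" in claims:
        return "identity"
    return "unknown"


def build_invoke_request(function_url: str, token: str) -> urllib.request.Request:
    """Build the request the answer's curl command sends: Bearer <identity token>.

    Refuses an access token up front, so the 403 from the function is not
    misread as a missing Cloud Functions Invoker binding."""
    if classify_token(token) != "identity":
        raise ValueError(
            "Cloud Functions IAM expects an identity token (JWT), not an access token"
        )
    return urllib.request.Request(
        function_url, headers={"Authorization": f"Bearer {token}"}
    )


def gcloud_identity_token() -> str:
    """Same token as the answer's $(gcloud auth print-identity-token); needs gcloud.
    (For a service account, pass --audiences=<function URL> so aud matches the function.)"""
    return subprocess.check_output(
        ["gcloud", "auth", "print-identity-token"], text=True
    ).strip()


def invoke(function_url: str, token: str) -> tuple:
    """Send the request; return (status, body) even for 401/403 so the caller sees why."""
    req = build_invoke_request(function_url, token)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def make_constructed_jwt(claims: dict) -> str:
    """Constructed, unsigned sample token for offline demonstration only
    (alg 'none', placeholder signature); never accept such a token server-side."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Assumed URL, shaped like the one in the question.
    url = "https://us-central1-name-of-my-app.cloudfunctions.net/function-name"
    print(*invoke(url, gcloud_identity_token()))
```

Run it as a script to call your own function; the classification step is what catches the common mistake of pasting the output of `gcloud auth print-access-token` into the Authorization header, which Cloud Functions IAM rejects with the same 403 the browser gets.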