I've been reading a lot of questions here about security regarding cloud functions (HTTP triggered) and I also read Google's official docs, but I couldn't find a clear answer for some questions, so I need help.
Please note that this question is about Google's Cloud Functions made from the Google Cloud console; it has nothing to do with Firebase.
- Is it possible to make a function "callable" just from my website? I tried to use a `cors` policy, but it is clear to me that `cors` has nothing to do with security, so I'm a little bit worried about how I can keep my cloud function "callable" just from my domain.
- On the other hand, I created a service account on Google Cloud Platform and I'm trying to use it as an invoker. I have set my service account as invoker, but how do I use that on my server?
CASE: I'm creating a log for my website, so I created a cloud function that I call every time someone accesses my site (I'm using Google Tag Manager server-side):
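```javascript
// Server-side GTM sandboxed JavaScript: every API must be loaded with require().
const JSON = require("JSON");
const sendHttpRequest = require("sendHttpRequest");
const setResponseBody = require("setResponseBody");
const setResponseStatus = require("setResponseStatus");

const postBody = {
  testing: true
};

// Calls the cloud function
sendHttpRequest(
  "<CLOUD FUNCTION TRIGGER ADDRESS>",
  (statusCode, headers, body) => {
    // Answers 200 to the site visitor regardless of what the function returned
    setResponseStatus(200);
    setResponseBody("done");
  },
  {
    headers: { "content-type": "application/json; charset=utf-8", "Origin": "https://example.com" },
    method: "POST",
  },
  JSON.stringify(postBody) // the request body must be sent as a string
);
```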
I would like to know how I can be sure that this cloud function can only be invoked by my server.
Thanks in advance!
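The difference between the two ideas in the question, as an added example that is not part of the original post: an `Origin` check accepts any caller that sets the header (as the snippet above does by hand), while a signed ID token in the `Authorization` header identifies the invoker service account. The key pair, `FUNCTION_URL`, `INVOKER` and all function names are constructed for illustration; when a function is deployed to require authentication, Google's front end performs the equivalent check against Google's published keys before the function code runs.

```javascript
// Added example: keys, tokens and names are constructed for illustration.
const crypto = require("crypto");

const FUNCTION_URL = "https://REGION-PROJECT.cloudfunctions.net/log"; // placeholder
const INVOKER = "invoker@PROJECT.iam.gserviceaccount.com";            // placeholder

// Stand-in for the issuer's signing key; a real check uses Google's published keys.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const decode = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// Helper that mints an RS256 token for the demo (plays the issuer's role).
function mintToken(claims, key = privateKey) {
  const data = b64url({ alg: "RS256", typ: "JWT" }) + "." + b64url(claims);
  const sig = crypto.sign("RSA-SHA256", Buffer.from(data), key);
  return data + "." + sig.toString("base64url");
}

// Weak check: Origin is an ordinary header that any non-browser client can set.
function originOnlyAllowed(req) {
  return req.headers.origin === "https://example.com";
}

// Strong check: signature, issuer, audience, expiry and caller identity.
function tokenAllowed(req, now = Math.floor(Date.now() / 1000)) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(req.headers.authorization || "");
  if (!m) return false;
  try {
    if (decode(m[1]).alg !== "RS256") return false; // pin the algorithm
    const signed = Buffer.from(m[1] + "." + m[2]);
    const sig = Buffer.from(m[3], "base64url");
    if (!crypto.verify("RSA-SHA256", signed, publicKey, sig)) return false;
    const c = decode(m[2]);
    return c.iss === "https://accounts.google.com" && c.aud === FUNCTION_URL &&
           c.email === INVOKER && typeof c.exp === "number" && c.exp > now;
  } catch (e) {
    return false; // malformed token
  }
}
```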