How to give restricted access of specific cloud function to third party

I have made a set of Cloud Functions and secured them by checking auth header like below

    // context.auth is only populated when the request carried a valid Firebase ID token
    if (!context.auth)
      return { status: "error", code: 401, message: "Not signed in" };

All seems to work pretty well at the moment; it returns 401 for requests without a valid auth header.

Then I have one cloud function updateStock() that I wish to share with partner named Bob, where Bob can call it to update us on stock level for example. How do I share this cloud function with Bob and ensure no one else should be able to use this function?

  • can I generate a client ID/secret pair for Bob to use?
  • or should I use a Web API key?
  • I have also heard of setting up a webhook on Cloud Run; does that help in this case?


Solution 1:[1]

I have quite a few solutions for you:

  1. You can create a Service Account under IAM & Admin -> Service accounts. You need to apply the Cloud Functions Invoker role to this service account; you can use the gcloud CLI for this:

        gcloud beta functions add-iam-policy-binding YOUR-CLOUD-FUNCTION-NAME \
          --member serviceAccount:NAME-OF-YOUR-SERVICE-ACCOUNT@project-name.iam.gserviceaccount.com \
          --role roles/cloudfunctions.invoker --region YOUR-REGION

    You will be prompted with a message like this:

        bindings:
        - members:
          - allUsers
          - YOUR SERVICE ACCOUNT

    Ideally, you need to remove the allUsers role.

        gcloud beta functions remove-iam-policy-binding YOUR-FUNCTION-NAME --member allUsers \
          --role roles/cloudfunctions.invoker --region us-central1

    Then you can add Bob by giving him the Service Account User role. Granting the Service Account User role to a user for a specific service account gives that user access to only that service account.

    Users granted the Service Account User role on a service account can use it to indirectly access all the resources to which the service account has access. For example, if a service account has been granted the Cloud Functions Invoker role, a user that has been granted the Service Account User role (roles/iam.serviceAccountUser) on that service account can act as the service account to invoke a Cloud Function. In this flow, the user impersonates the service account to perform any tasks using its granted roles and permissions.

  2. For preventing external unauthenticated calls, you can make your function private. This is very easy to do: deploy it with the --no-allow-unauthenticated param.

        gcloud functions deploy my-function --no-allow-unauthenticated --trigger... --region... --runtime...

    Now you have to perform 2 things:

    Create a service account with the correct roles. You can do it via the GUI or with the command line:

        gcloud iam service-accounts create your-service-account-name
        gcloud functions add-iam-policy-binding your-function-name \
          --member=serviceAccount:your-service-account-name@YOUR_PROJECT_ID.iam.gserviceaccount.com \
          --role=roles/cloudfunctions.invoker

    With the GUI, if you grant the role cloudfunctions.invoker at project level, your service account will be able to access all functions in your project. With my command line, I only grant the role on a specific function. Then again you can add Bob by giving him the Service Account User role. Granting the Service Account User role to a user for a specific service account gives that user access to only that service account.

  3. You can add authentication to a cloud function by using Firebase Authentication. Only users who pass a valid Firebase ID token as a Bearer token in the Authorization header of the HTTP request or in a __session cookie are authorized to use the function.

    Here's a GitHub example of how to do it: https://github.com/firebase/functions-samples/tree/master/authorized-https-endpoint

  4. The Google Function Authorizer module might be good for your use case. I cannot vouch for it working, but the idea seems pretty close to your use case. It provides "a simple user authentication and management system for Google Cloud HTTP Functions."
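As an added example (not code from the question or from either answer), here is how the Firebase ID-token rule described above can guard an HTTP updateStock function, with an extra uid allow-list so that only the partner, not any signed-in user, can call it. The token verifier is injected so the code runs offline; in a deployed function you would pass admin.auth().verifyIdToken from firebase-admin, and the uid list, applyStockUpdate and the functions.https.onRequest wiring are assumptions.

```javascript
// Added example, not from the question or answers. The caller must send a
// Firebase ID token as "Authorization: Bearer <token>" or in a "__session"
// cookie; the verified uid is then checked against an allow-list, because a
// valid token only proves that *someone* signed in, not that it is Bob.

// Return the raw ID token from the request, or null if none was sent.
function extractIdToken(req) {
  const auth = (req.headers["authorization"] || "").trim();
  const m = /^Bearer\s+(\S+)$/i.exec(auth);
  if (m) return m[1];
  for (const part of (req.headers["cookie"] || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === "__session" && rest.length) return rest.join("=");
  }
  return null;
}

// Decide whether the request may call updateStock. verifyIdToken is injected;
// deployed, pass admin.auth().verifyIdToken from firebase-admin (assumed).
// Resolves to { ok: true, uid } or { ok: false, status, message }.
async function authorizeRequest(req, verifyIdToken, allowedUids) {
  const token = extractIdToken(req);
  if (!token) return { ok: false, status: 401, message: "Not signed in" };
  let claims;
  try {
    claims = await verifyIdToken(token); // rejects on bad signature or expiry
  } catch (err) {
    return { ok: false, status: 401, message: "Invalid ID token" };
  }
  if (!allowedUids.has(claims.uid)) {
    // Authenticated but not the partner: refuse without revealing who is allowed.
    return { ok: false, status: 403, message: "Forbidden" };
  }
  return { ok: true, uid: claims.uid };
}

// Express-style handler factory (hypothetical names). Wire it up with
// exports.updateStock = functions.https.onRequest(makeUpdateStock({...})).
function makeUpdateStock({ verifyIdToken, allowedUids, applyStockUpdate }) {
  const allowed = new Set(allowedUids); // e.g. ["BOB_UID_PLACEHOLDER"]
  return async (req, res) => {
    const auth = await authorizeRequest(req, verifyIdToken, allowed);
    if (!auth.ok) {
      return res.status(auth.status).json({ status: "error", code: auth.status, message: auth.message });
    }
    const result = await applyStockUpdate(req.body, auth.uid);
    return res.status(200).json({ status: "ok", result });
  };
}
```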

Solution 2:[2]

There is a guide provided in the official Cloud Functions documentation on Authenticating for invocation. Add your principal "Bob" as described in the documentation and follow through the steps.

For your Postman use case, you may refer to the section for "Generating tokens manually". Or for a quick test using "gcloud" in Cloud Shell, refer to the section "Authenticating Developer Testing".

As always, please let me know of issues, if any.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: Priyashree Bhadra
Solution 2: Gourav B