GCP: Cloud functions authentication

Naveen Kulkarni
Jul 21, 2020


When building REST APIs, one of the most common requirements is to enable some sort of authentication so that only trusted users/services can access them. It can be as simple as API key authentication (not recommended for production) or something like OAuth2, OIDC, etc., depending on the use case.

Google has again done a great job in this regard: when using Cloud Functions, authentication is handled under the hood for us. There are two ways to achieve this:
* Network based: We can restrict the function to accept only internal requests.
* JWT auth token: Using the service account we can sign a JWT, and if the "allow unauthenticated" option is disabled, Google will check that a JWT is present and validate the token (the service account of the caller must have the Cloud Functions Invoker role).

In this post I’ll be talking about network based authentication and will show how we can achieve it. Note that this approach can only be used for cloud functions within the same project.
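The JWT path deserves a concrete shape even though the rest of the post covers the network path. The script below is an added example, not code from the original post: it grants one service account the Cloud Functions Invoker role and shows where a caller obtains an ID token (the metadata server from inside a Cloud Function or VM, or `gcloud auth print-identity-token` from a workstation). Project, region, function and service-account names are placeholders, and the gcloud/curl commands are only executed when `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example (not from the original post). All names are placeholders;
# commands are printed instead of executed unless DRY_RUN=0.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"                            # placeholder
REGION="${REGION:-us-central1}"                                   # placeholder
FUNCTION_NAME="${FUNCTION_NAME:-hello-world}"                     # placeholder
CALLER_SA="${CALLER_SA:-caller@my-project.iam.gserviceaccount.com}" # placeholder
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi
}

# URL pattern gcloud prints for a 1st-gen HTTP Cloud Function.
function_url() {
  printf 'https://%s-%s.cloudfunctions.net/%s' "$REGION" "$PROJECT_ID" "$FUNCTION_NAME"
}

# Grant exactly one service account the invoker role; no allUsers binding,
# so the function stays closed to unauthenticated callers.
grant_invoker() {
  run gcloud functions add-iam-policy-binding "$FUNCTION_NAME" \
    --project="$PROJECT_ID" --region="$REGION" \
    --member="serviceAccount:$CALLER_SA" \
    --role="roles/cloudfunctions.invoker"
}

# From inside a Cloud Function or GCE VM, an ID token whose audience is the
# callee URL is served by the metadata server (the request must carry the
# "Metadata-Flavor: Google" header).
id_token_url() {
  printf 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=%s' \
    "$(function_url)"
}

# Fetch the token from the metadata server (only meaningful on Google infrastructure).
fetch_id_token() {
  run curl -sS -H 'Metadata-Flavor: Google' "$(id_token_url)"
}

# Call the protected function; Google validates the bearer token and the
# invoker binding before the request reaches our code.
call_with_token() {
  token="$1"
  run curl -sS -H "Authorization: Bearer $token" "$(function_url)"
}

# Typical flow on a workstation (dry run by default):
grant_invoker
call_with_token "$(gcloud auth print-identity-token 2>/dev/null || echo '<id-token>')"
```

With `DRY_RUN=1` (the default) the script only prints the commands, which is a convenient way to review the exact IAM binding before applying it.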

Using internal network:
Let’s create a consumer cloud function which just returns "hello world" for now. For the purpose of this example I will be using Java, but you can go ahead and use any runtime of your choice.
All we need to do in this function is edit the ingress setting to allow only internal traffic; at that point any request from outside the network will be blocked.

Note: If authentication is required (the "allow unauthenticated" option is disabled) we will also have to pass the authorization token in the request.

[Image: Options to edit the ingress rule]

Now we just need to set the ingress rule to allow only internal traffic; see the image below for more information.

[Image: Only allowing the internal traffic flow]

Now try accessing the endpoint from outside the network, for example from your browser: you won’t be able to reach it.

Let’s consume this endpoint from another cloud function. Even if we call the API from another function we still won’t be able to reach it, because the call does not arrive as internal traffic. We would need to create a VPC and a VPC connector, and configure the egress settings of the caller function.

(Note: Please ensure the VPC connector and the cloud functions are in the same region.)
Let’s start by creating the VPC: from the hamburger menu select VPC networks under VPC network and create a new VPC network.

More information on VPC networks can be found here.

VPC connector: You can read about the VPC connector here.
Again from the hamburger menu select Serverless VPC access under VPC network, create a connector and enter the following options.

Adding egress rule: Let’s create another cloud function which will consume the endpoint; for the time being let’s keep this cloud function open so that we can call it from a REST client.
We will use the egress settings to route the call through the VPC connector so that the caller falls in the same network. The configuration is as shown below.

Once you deploy this cloud function, you will be able to call the restricted one, since the call now arrives from inside the network.
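The console clicks above map onto a handful of gcloud commands. The script below is an added example, not code from the original post, and reproduces the whole procedure: deploy the restricted callee with `--ingress-settings=internal-only`, create the VPC and the Serverless VPC Access connector in the same region, then deploy the caller with `--vpc-connector` and `--egress-settings=all` so its outbound call is treated as internal traffic. Project, region, network, connector and function names are placeholders; the commands are only executed when `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example (not from the original post). Names are placeholders;
# commands are printed instead of executed unless DRY_RUN=0.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"              # placeholder
REGION="${REGION:-us-central1}"                     # same region for connector and both functions
NETWORK="${NETWORK:-internal-vpc}"                  # placeholder
CONNECTOR="${CONNECTOR:-internal-connector}"        # placeholder
CONNECTOR_RANGE="${CONNECTOR_RANGE:-10.8.0.0/28}"   # a connector needs an unused /28
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi
}

# Step 1: the callee. ingress-settings=internal-only makes Google drop any
# request that does not originate from within the project's VPC networks.
deploy_restricted_callee() {
  run gcloud functions deploy hello-world \
    --project="$PROJECT_ID" --region="$REGION" \
    --runtime=java11 --trigger-http --entry-point=HelloWorld \
    --ingress-settings=internal-only
}

# Step 2: a VPC network and a Serverless VPC Access connector attached to it.
create_vpc() {
  run gcloud compute networks create "$NETWORK" \
    --project="$PROJECT_ID" --subnet-mode=auto
}
create_connector() {
  run gcloud compute networks vpc-access connectors create "$CONNECTOR" \
    --project="$PROJECT_ID" --region="$REGION" \
    --network="$NETWORK" --range="$CONNECTOR_RANGE"
}

# Step 3: the caller. It is left open for testing from a REST client (as in
# the post), but all of its egress is routed through the connector, so the
# request to hello-world arrives as internal traffic.
deploy_caller() {
  run gcloud functions deploy hello-caller \
    --project="$PROJECT_ID" --region="$REGION" \
    --runtime=java11 --trigger-http --entry-point=HelloCaller \
    --allow-unauthenticated \
    --vpc-connector="$CONNECTOR" --egress-settings=all
}

# Post-deployment check: confirm the callee really is internal-only.
describe_callee_ingress() {
  run gcloud functions describe hello-world \
    --project="$PROJECT_ID" --region="$REGION" \
    --format='value(ingressSettings)'
}

deploy_restricted_callee
create_vpc
create_connector
deploy_caller
describe_callee_ingress
```

Running with `DRY_RUN=0` applies the steps in order; the final `describe` should report `ALLOW_INTERNAL_ONLY`, which is the value to watch for in a config audit, since a later redeploy without the ingress flag would silently reopen the function.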
