Secured & Serverless FastAPI with Google Cloud Run

Published in

CodeX

4 min readJun 17, 2022

Micro-service is a very important concept of modern application.

In data science/data engineer, API backend can be used in order to separate workload, make it modular programing, or even as a data transfer to users.

In this article, I would like to share one of many methods to deploy FastAPI on Google Cloud Run with Google Cloud’s authentication.

Prerequisite

Basic of Python and FastAPI
A little bit of knowledge about PASS and Container
Google Cloud Platform user
Google Cloud SDK installed, from HERE

What is Google Cloud Run?

Google Cloud Run is a serverless Platform-AS-Service (PASS) from Google Cloud Platform (GCP) that we can deploy our container.

You can find out more about “What should I run my stuff” HERE.

And a basic tutorial of Google Cloud Run from this clip HERE.

Hello FastAPI on Google Cloud Run

In this article, I will use the FastAPI’s script that based on FastAPI’s issue in this link HERE and I make some modifications to make it work with Google Cloud Run’s Authentication.

*We will use basic authentication for documents, they are weak, but it is enough for recheck FastAPI’s document for a few minutes, we will add Google’s authentication later anyway.

*For API, we have to use an even weaker authentication because the authentication header must be saved for Google Cloud Run’s authentication that we will add later.

**This password is way too weak, should be hashed and not hard code like my script here, it is just for demonstrate, don’t use in production!!!

In order to deploy FastAPI on Google Cloud Run, we will need to organize our project folder like this.

--project
 |--main.py # put FastAPI's script here
 |--requirements.txt
 |--Dockerfile
 |--.gcloudignore # Optional
 |--.dockerignore # Optional

For requirements.txt, we need to specify our required libraries as below.

fastapi
uvicorn

For Dockerfile, mostly, we will modify a script from this clip HERE.

# Use the official lightweight Python image.
FROM python:3.9-slim# Allow statements and log 
ENV PYTHONUNBUFFERED True# Copy local code to the container image.
ENV APP_HOME /app
WORKDIR $APP_HOME
COPY . ./# Install production dependencies.
RUN pip install -r requirements.txt# Run
CMD ["python", "main.py"]

When everything is ready, all we need to do is to execute 3 more commands from the tutorial clip HERE.

Make sure your cmd point to your project folder

gcloud init

“gcloud init” is to initial your Google Cloud SDK on your PC and also to choose your GCP user and project, more info HERE.

gcloud builds submit --tag gcr.io/{project name}/{container name}

“gcloud builds ...” is to let GCP build a container image from your project folder and “Dockerfile” and store it on Google Cloud Storage, more info HERE.

gcloud run deploy --image gcr.io/{project name}/{container name} --platform manage

“gcloud run ...” is to deploy your container image from “gcloud build …” into Google Cloud Run, more info HERE.

I suggest allowing un-authentication at first to see FastAPI’s documentation.

After that, Google Cloud Run will give an URL to you which will be a basic authentication FastAPI like this picture.

FastAPI with Basic Authentication on Google Cloud Run

We can also test this weak authentication API with python’s requests.

Call FastAPI with weak authentication from Google Cloud Run

So, our FastAPI can be use with authentication from Google Cloud Run.

Authentication with Google

Now, we will use Google’s authentication to secure our API.

Open your GCP project from console webpage.
Create service account and json key from “IAM” page,
-About creating service account HERE
-About creating service account keys HERE|
-Don’t forget to download the key file
Go to the Cloud Run that we just created, look for “PERMISSIONS”.
Delete “allUsers” from “PERMISSIONS”.
Add the service account that created from 2. into this Cloud Run with role “Cloud Run Invoker”.
It may take 2–5 minutes to assign role into this Cloud Run.

After 6 steps above, we should be ready to call our API with new authentication by Google Cloud Run.

So, try again with the same code and you will get error “Unauthorized”.

Unable to call because of Google Cloud Run’s authentication

Now, we need to use additional function from Google’s library and the key file, you can read it from HERE. But we need to make some modifications to make it easy to put API’s parameters.

We can see the result of FastAPI with Google Cloud Run’s authentication will be the same as before as shown in this picture below.

And that is all for FastAPI on Google Cloud Run with authentication.

Limitation

Google Cloud Run has some limits for example, the size of response can’t larger than 32 MB, you can see other limits HERE.