Secured & Serverless FastAPI with Google Cloud Run
Micro-service is a very important concept of modern application.
In data science/data engineer, API backend can be used in order to separate workload, make it modular programing, or even as a data transfer to users.
In this article, I would like to share one of many methods to deploy FastAPI on Google Cloud Run with Google Cloud’s authentication.
Hello FastAPI on Google Cloud Run
In this article, I will use the FastAPI’s script that based on FastAPI’s issue in this link HERE and I make some modifications to make it work with Google Cloud Run’s Authentication.
*We will use basic authentication for documents, they are weak, but it is enough for recheck FastAPI’s document for a few minutes, we will add Google’s authentication later anyway.
*For API, we have to use an even weaker authentication because the authentication header must be saved for Google Cloud Run’s authentication that we will add later.
**This password is way too weak, should be hashed and not hard code like my script here, it is just for demonstrate, don’t use in production!!!
In order to deploy FastAPI on Google Cloud Run, we will need to organize our project folder like this.
--project
|--main.py # put FastAPI's script here
|--requirements.txt
|--Dockerfile
|--.gcloudignore # Optional
|--.dockerignore # Optional
For requirements.txt, we need to specify our required libraries as below.
fastapi
uvicorn
For Dockerfile, mostly, we will modify a script from this clip HERE.
# Use the official lightweight Python image.
FROM python:3.9-slim# Allow statements and log
ENV PYTHONUNBUFFERED True# Copy local code to the container image.
ENV APP_HOME /app
WORKDIR $APP_HOME
COPY . ./# Install production dependencies.
RUN pip install -r requirements.txt# Run
CMD ["python", "main.py"]
When everything is ready, all we need to do is to execute 3 more commands from the tutorial clip HERE.
Make sure your cmd point to your project folder
gcloud init
“gcloud init” is to initial your Google Cloud SDK on your PC and also to choose your GCP user and project, more info HERE.
gcloud builds submit --tag gcr.io/{project name}/{container name}
“gcloud builds ...” is to let GCP build a container image from your project folder and “Dockerfile” and store it on Google Cloud Storage, more info HERE.
gcloud run deploy --image gcr.io/{project name}/{container name} --platform manage
“gcloud run ...” is to deploy your container image from “gcloud build …” into Google Cloud Run, more info HERE.
I suggest allowing un-authentication at first to see FastAPI’s documentation.
After that, Google Cloud Run will give an URL to you which will be a basic authentication FastAPI like this picture.
We can also test this weak authentication API with python’s requests.
So, our FastAPI can be use with authentication from Google Cloud Run.
Authentication with Google
Now, we will use Google’s authentication to secure our API.
- Open your GCP project from console webpage.
- Create service account and json key from “IAM” page,
-About creating service account HERE
-About creating service account keys HERE|
-Don’t forget to download the key file - Go to the Cloud Run that we just created, look for “PERMISSIONS”.
- Delete “allUsers” from “PERMISSIONS”.
- Add the service account that created from 2. into this Cloud Run with role “Cloud Run Invoker”.
- It may take 2–5 minutes to assign role into this Cloud Run.
After 6 steps above, we should be ready to call our API with new authentication by Google Cloud Run.
So, try again with the same code and you will get error “Unauthorized”.
Now, we need to use additional function from Google’s library and the key file, you can read it from HERE. But we need to make some modifications to make it easy to put API’s parameters.
We can see the result of FastAPI with Google Cloud Run’s authentication will be the same as before as shown in this picture below.
And that is all for FastAPI on Google Cloud Run with authentication.
Limitation
Google Cloud Run has some limits for example, the size of response can’t larger than 32 MB, you can see other limits HERE.