-1

I have a React app running on Google Cloud Run, with user authentication and permissions.

Now I would like to write documents for the app. The documents will be a static site hosted on Google Cloud Storage.

In the app, users with different permissions can access different routes of the app, and it would be great if the permissions work for documents too.

My untested solution is to control user access to the app routes, and a certain route renders a page containing an `<iframe>` which retrieves the documents and then displays them.

My question is: is it possible to restrict access to the static site, to allow access only from the React app hosted on Cloud Run?

Or is there any suggestion about access control of app documents?


"Documents" were supposed to be HTML files converted from markdown files. They're documentation about what the app is and how to use the app.

And I don't want the part of the documentation about "admin configuration of the app" to be seen by users with regular authorization.

Hosting the documentation as a static site is simpler. I can use GitBook (or other tools) to render the markdown files. Managing & rendering the styles of the markdown files in React would be a little painful.

I'm still working on my English. Sorry about the confusion.

CSSer
  • What do you mean by document? Why do you need GCS? Why do you need iframe? Why don't you serve the content from a Cloud Run service instead of GCS? – Pentium10 Nov 29 '20 at 18:25
  • Iframe or not, ask yourselves: Who will request the documents? Cloud Run? The browser? The answer will shape the design of your solution! – guillaume blaquiere Nov 29 '20 at 19:25
  • 1) If you are embedding something in an IFrame, the requests do not come from Cloud Run, they come from the user's browser. Therefore Cloud Run is not the source of the requests so the answer is NO. 2) By fiddling with routes, you are attempting security by obscurity. That is bad/no security. The resulting URL is viewable. 3) To display resources from Cloud Storage in an IFrame will either require the bucket/object to be public or you will need to implement Cloud Storage authorization. Presigned URLs with short lifetimes are an option. – John Hanley Nov 30 '20 at 02:43
  • 4) Study the various Cloud Storage authorization mechanisms and pick one that meets your objectives. – John Hanley Nov 30 '20 at 02:43
  • What do you mean by documents? Firestore documents? Why would they be a static website? If the documents are nothing but Cloud Storage objects, then you can serve them in your Cloud Run service using the Cloud Storage client library. https://cloud.google.com/storage/docs/reference/libraries#using_the_client_library – Antonio Ramirez Nov 30 '20 at 22:41

1 Answer

0

You can restrict the access to a static website in Cloud Storage by creating a redirect.html like it is posted in the second answer of this question. The complete Medium post is located here.

This will work considering that the authentication from the static website will be separated from the Cloud Run authentication. As can be seen here, the permissions a user has will need to be defined for every object. There you can control if a certain document can be viewed by a specific user email.

If the serving of the Cloud Storage documents needs to be dependent on the Cloud Run authentication, then creating short-lifetime signed URLs is an option. This is a Python sample program to create signed URLs and here is the description of what a signed URL does.

Antonio Ramirez
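
One way to make signed-URL issuance depend on the app's own permissions, as the last paragraph of the answer suggests (an added example, not code from the answer or the linked sample). The rule table, role names, function names and the idea of a backend endpoint calling `signed_doc_url` are assumptions.

```python
import posixpath
from datetime import timedelta

# Constructed policy: object-name prefix in the docs bucket -> role needed to read it.
# The question only states that admin-configuration docs must be hidden from regular users.
DOC_RULES = {
    "admin/": "admin",
    "guide/": "user",
}
URL_TTL = timedelta(minutes=5)  # short lifetime, as the answer recommends


def normalize(requested):
    """Canonicalise the requested path so the name that is checked is the name that is signed."""
    return posixpath.normpath("/" + requested).lstrip("/")


def required_role(object_name):
    """Role for the longest matching prefix, or None when no rule matches (deny by default)."""
    matches = [prefix for prefix in DOC_RULES if object_name.startswith(prefix)]
    return DOC_RULES[max(matches, key=len)] if matches else None


def signed_doc_url(user_roles, requested, sign):
    """Authorise against the app's roles first, then mint a URL for exactly that object."""
    name = normalize(requested)
    role = required_role(name)
    if role is None or role not in user_roles:
        raise PermissionError(f"access to {name!r} denied")
    return sign(name, URL_TTL)


def gcs_signer(bucket_name):
    """Signer backed by google-cloud-storage, imported lazily so the policy code
    above can be exercised without the library or credentials."""
    from google.cloud import storage

    bucket = storage.Client().bucket(bucket_name)

    def sign(name, ttl):
        # The bucket stays private; the URL is the only grant and expires after ttl.
        return bucket.blob(name).generate_signed_url(
            version="v4", expiration=ttl, method="GET"
        )

    return sign
```

A signed URL covers a single object, so relative links to CSS or images inside a signed HTML page are not covered by it and need their own URLs or a different serving path.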