
I have a serverless web application where I would like to authenticate my Identity Platform user and then allow them to upload to Cloud Storage directly from the browser. I've created a Cloud Function with some sample python code from: https://cloud.google.com/storage/docs/access-control/signing-urls-with-helpers#code-samples along with doing the verifying token portion using firebase admin library.

However, I am not able to call this Cloud Function as I'm getting a 403 error from my application. I initially thought I might be able to get around this by adding a Load Balancer but it seems I'm still getting a 403.

My organization has the Domain Restricted policy that is preventing me from allowing allUsers (my web app in this case) to invoke the function and I want to know if there is another way or if that is the preferred way.

  • I don't understand your app flow. I don't understand why your web app is calling a Cloud Function to upload objects to Cloud Storage. Signed URLs are "bearer" URLs that are given to users to e.g. upload objects (to Cloud Storage); the web app should not use these. I think you may want your web app to upload objects to Cloud Storage as the delegate of your users. If so, your web app's Service Account should be permitted to upload objects and, once your web app has authenticated your user, it will perform the upload on their behalf; no signed URLs needed. – DazWilkin Oct 21 '21 at 01:08
  • Even if it's Cloud Run related (and cloud run and cloud function share the same underlying infrastructure), does it solve your issue? https://cloud.google.com/run/docs/authenticating/end-users#cicp-firebase-auth – guillaume blaquiere Oct 21 '21 at 07:59
  • @DazWilkin it is a serverless web application so the upload is directly from the browser to Cloud Storage – Christopher Lang Oct 22 '21 at 02:06
  • Serverless generally means you don't manage the underlying server but I understand your use, there's no backend web app, it's all client-side. Firebase auth, auths your users but it doesn't authenticate the users' credentials to e.g. Cloud Functions, hence the 403. You'll want to allUsers the Cloud Function so any user can access it and then it will have to check their credentials to determine whether they're authorized. Make sense? If authorized, they get a signed URL to upload their blob – DazWilkin Oct 22 '21 at 03:36
  • Yep ok, that's exactly what I was thinking but wanted to confirm because there was an org policy preventing me from making the cloud function public but that is what I need. Thank you! – Christopher Lang Oct 22 '21 at 16:01
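What the comments converge on, as an added example that is neither the asker's code nor Google's sample: a Python HTTP Cloud Function deployed with allUsers as invoker that verifies the caller's Identity Platform ID token with firebase-admin and only then returns a V4 signed PUT URL confined to that user's own prefix. The bucket name, the allowed web-app origin and the request body shape (`filename`, `contentType`) are assumptions, and the firebase-admin and google-cloud-storage packages are required at runtime.

```python
import datetime, json, posixpath, re

BUCKET = "my-upload-bucket"                 # assumption: your bucket name
ALLOWED_ORIGIN = "https://app.example.com"  # assumption: your web app's origin
URL_TTL = datetime.timedelta(minutes=15)    # short-lived: the signed URL is a bearer credential

def bearer_token(headers):
    """Return the token from 'Authorization: Bearer <token>', else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return token.strip() if scheme.lower() == "bearer" and token.strip() else None
def object_path(uid, filename):
    """Confine the upload to the caller's own prefix; drop directories and odd characters."""
    base = re.sub(r"[^A-Za-z0-9._-]", "_", posixpath.basename(filename or ""))[:128]
    if not base or base in (".", ".."):
        raise ValueError("invalid filename")
    return f"uploads/{uid}/{base}"
def verify_user(id_token):
    """Verify the Identity Platform / Firebase ID token; return its uid, or None if invalid."""
    import firebase_admin
    from firebase_admin import auth
    try:
        firebase_admin.initialize_app()
    except ValueError:
        pass  # default app already initialised on a warm instance
    try:
        return auth.verify_id_token(id_token)["uid"]
    except (ValueError, auth.InvalidIdTokenError):
        return None
def signed_put_url(path, content_type):
    """V4 signed URL valid for one PUT; the Content-Type is bound into the signature."""
    from google.cloud import storage
    blob = storage.Client().bucket(BUCKET).blob(path)
    return blob.generate_signed_url(version="v4", expiration=URL_TTL, method="PUT", content_type=content_type)
def generate_upload_url(request):
    """HTTP Cloud Function entry point: invoker is allUsers, so authorization happens here."""
    cors = {"Access-Control-Allow-Origin": ALLOWED_ORIGIN,
            "Access-Control-Allow-Headers": "Authorization, Content-Type"}
    if request.method == "OPTIONS":  # browser preflight triggered by the Authorization header
        return ("", 204, {**cors, "Access-Control-Allow-Methods": "POST"})
    uid = verify_user(bearer_token(request.headers) or "")
    if uid is None:
        return ("unauthenticated", 401, cors)
    body = request.get_json(silent=True) or {}
    try:
        path = object_path(uid, body.get("filename"))
    except ValueError as exc:
        return (str(exc), 400, cors)
    ctype = body.get("contentType", "application/octet-stream")
    return (json.dumps({"url": signed_put_url(path, ctype), "object": path}), 200,
            {**cors, "Content-Type": "application/json"})
```

The browser sends its ID token in the Authorization header, then PUTs the file to the returned URL with the same Content-Type it requested; any other path, method or type fails the signature check at Cloud Storage.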
