
My setup is like this:

API lib built on top of API Gateway endpoints => gateway authenticates requests against Firebase users => calls a Cloud Function for an endpoint.

This seems to be working fine.

My only concern is security/authentication of the Cloud Function. How can I achieve the following?

  1. No one should be able to call the Cloud Function directly
  2. OR the Cloud Function should accept traffic only from API Gateway.

Current settings are:

[Two screenshots; images not available]

If I change it to allow internal traffic only, then the API gives a "Not allowed" error.

Djai

1 Answer

A partial answer is here: I figured out that I was not setting the correct jwt_audience; that's where it was throwing "Your client does not have permission to the requested URL": 401.

This was because my function URL was not the same as what I mentioned in the OpenAPI spec. I had a postfix on my URL, hence my requests were failing.

Earlier:

    options:
      x-google-backend:
        address: https://**-**-**-test.cloudfunctions.net/<funtion_name>/filter

Now:

    options:
      x-google-backend:
        address: https://*-**-**-test.cloudfunctions.net/<funtion_name>/filter
        jwt_audience: https://**-**-**-test.cloudfunctions.net/<funtion_name>

I tried to set the "allow internal traffic only" setting but it's failing with 403. I am still not sure if I can set internal-only traffic for the Cloud Function along with API Gateway.

Djai
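The audience mismatch described in this answer can be caught before deploying. The following is an added example, not code from the post: a Python check over a parsed OpenAPI document that flags `x-google-backend` entries whose effective audience is not the bare function URL. It assumes the gateway falls back to `address` as the audience when `jwt_audience` is unset; the host, function name, paths and helper names are constructed for illustration.

```python
from urllib.parse import urlsplit

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

# Constructed sample: the "earlier" and "now" backends from the answer,
# with a made-up host and function name.
BASE = "https://us-central1-example-test.cloudfunctions.net/my_function"
SAMPLE_SPEC = {"paths": {
    "/earlier": {"options": {"x-google-backend": {"address": BASE + "/filter"}}},
    "/now": {"options": {"x-google-backend": {
        "address": BASE + "/filter", "jwt_audience": BASE}}},
}}

def function_base_url(address):
    """Return scheme://host/<function> for a cloudfunctions.net URL, else None."""
    parts = urlsplit(address)
    if not (parts.hostname or "").endswith(".cloudfunctions.net"):
        return None
    segments = [s for s in parts.path.split("/") if s]
    if not segments:
        return None
    return f"{parts.scheme}://{parts.netloc}/{segments[0]}"

def lint_spec(spec):
    """List (method, path, effective_audience, expected_audience) mismatches."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS or not isinstance(op, dict):
                continue
            backend = op.get("x-google-backend")
            if not backend:
                continue
            address = backend.get("address", "")
            expected = function_base_url(address)
            if expected is None:
                continue  # not a Cloud Functions backend
            # Assumption: with jwt_audience unset, the token's audience is
            # the full address, including any path suffix such as /filter.
            actual = backend.get("jwt_audience") or address
            if actual != expected:
                findings.append((method.upper(), path, actual, expected))
    return findings

if __name__ == "__main__":
    for method, path, actual, expected in lint_spec(SAMPLE_SPEC):
        print(f"{method} {path}: audience {actual!r}, function expects {expected!r}")
```

Running it over the sample reports only the `/earlier` entry, whose audience carries the `/filter` suffix.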