
I have written a cloud function which adds some data into Firestore using Node.js. In order to secure this function, I have changed the permission of this cloud function from allUsers to a service account. I would call this function from the console side, say on the click of a button. Now, in order to authenticate it through a service account, I have written another cloud function which accepts the requests coming from the console of a logged-in user, with the URL (sent as request body) of the actual cloud function to be called. This middleware cloud function will internally call the actual cloud function with the help of Google client libraries. The following link explains how to authenticate a cloud function through a service account. I have taken this code and put it in the middleware cloud function.

https://cloud.google.com/functions/docs/securing/authenticating#generating_tokens_programmatically

Now the problem is that this middleware cloud function will have its permission set to allUsers, as it is getting called from the console. This defeats the purpose of using a service account. I have tried changing the allUsers permission to allAuthenticatedUsers. Doing this shows the same message shown for allUsers: "Are you sure you want to make this resource public?"

Is there a way to solve this problem by changing the permissions set on that Google Cloud function (middleware), or is there any workaround solution or any other solution?

I have been searching for it but I am not able to find anything. Any thoughts or solutions for this problem would be appreciated!

Is there any problem with using allUsers permissions? I mean, does Google (GCP) mention that it is okay?

Can we call the code from the link pasted above from the console side rather than creating a cloud function on the server side? But the service account JSON file should not be used directly.

Renee
  • Are your users authenticated? Do they have a Google Account (Gmail, Workspace, whatever)? Do you use an OAuth-compliant 3rd-party IDP? – guillaume blaquiere Aug 06 '23 at 17:04
  • @guillaumeblaquiere User authentication is there. I actually have both scenarios. I have two projects, one where I am using a Google account. In the second project I am using a 3rd-party IDP. I am facing the same security issue with both projects – Renee Aug 06 '23 at 17:41
  • I have an IAP solution in mind, but it's not compatible with Cloud Functions, only with Cloud Run. Do you think you can change your runtime environment? It's not so hard to move from Cloud Functions to Cloud Run! – guillaume blaquiere Aug 06 '23 at 19:55
  • @guillaumeblaquiere could you please let me know about the IAP solution? I'll try to implement it if possible. – Renee Aug 06 '23 at 20:00
  • IAP is a proxy that intercepts your requests and lets them pass only if you are authenticated and authorized. If you are not authenticated, a login page is displayed (you can even customize it: https://cloud.google.com/iap/docs/create-custom-auth-ui). You can also use an external IDP with IAP (https://cloud.google.com/iap/docs/enable-external-identities) and you can plug it in front of Cloud Run (requires a load balancer): https://cloud.google.com/iap/docs/enabling-cloud-run – guillaume blaquiere Aug 07 '23 at 07:22
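
One way to keep a middleware function like the one in the question from acting for anonymous callers while its IAM permission is allUsers, as an added example (not code from the original post or from Google's documentation): verify the logged-in user's signed token inside the function, and forward only to target URLs on an allow-list, since the target URL arrives in the request body. The issuer, audience, target URL and the locally generated key pair are constructed placeholders; a deployment would verify against the identity provider's published keys.

```javascript
const crypto = require('node:crypto');

// Constructed stand-ins: a real middleware verifies against the IDP's published keys.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const EXPECTED = { iss: 'https://idp.example', aud: 'console-app' }; // hypothetical values
const ALLOWED_TARGETS = new Set(['https://REGION-PROJECT.cloudfunctions.net/addData']); // placeholder

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Test helper only: signs a token the way the identity provider would.
function signToken(claims, key = privateKey) {
  const input = `${b64url({ alg: 'RS256', typ: 'JWT' })}.${b64url(claims)}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), key).toString('base64url')}`;
}

// Returns the verified claims, or throws with the reason.
function verifyUserToken(token, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  // Pin the algorithm; never let the token choose how it is verified.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey,
    Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (claims.iss !== EXPECTED.iss || claims.aud !== EXPECTED.aud) {
    throw new Error('wrong issuer or audience');
  }
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Gate to run before minting the service-account token and calling the target function.
function authorizeRequest(req) {
  const m = /^Bearer (.+)$/.exec((req.headers && req.headers.authorization) || '');
  if (!m) return { status: 401, error: 'missing bearer token' };
  let claims;
  try { claims = verifyUserToken(m[1]); } catch (e) { return { status: 401, error: e.message }; }
  // The URL comes from the request body, so it is checked against a fixed list.
  const target = req.body && req.body.url;
  if (!ALLOWED_TARGETS.has(target)) return { status: 403, error: 'target not allowed' };
  return { status: 200, user: claims.sub, target };
}
```

Only a request for which `authorizeRequest` returns status 200 should reach the token-generation code from the linked documentation.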

0 Answers