Securing Cloud Function using Google Cloud API Gateway

  • Published: Aug 4, 2024
  • This video helps you secure an unauthenticated Cloud Function using Google Cloud API Gateway.
    Timelines:
    00:00 Intro
    03:10 Setting up gcloud
    04:09 Enable the services using gcloud
    04:44 Create cloud function
    05:48 Create Service account
    07:06 Create API
    08:44 Create API Config
    14:14 Create Gateway
    16:20 Securing the cloud function using key
    Official Document: cloud.google.com/api-gateway/...
    Good article: t.co/wIi2IlVr0B?amp=1

Comments • 80

  • @CloudAdvocate  3 years ago

    When you try this tutorial, have patience 😋 coz it takes a lot of time for a few commands. Take a few breaks in between. And also don't please complete the assignment and comment here. BTW, I made a small mistake in the config; try to find it and comment here.

    • @VIKRAMSHINDE83  3 years ago +1

      The x-google-backend address is /hello-world instead of /hello.
      Also, the Cloud Function has been kept open to the public.

    • @CloudAdvocate  3 years ago +2

      @VIKRAMSHINDE83 spot on!!! 👏

    • @SannanTheTraveller  3 years ago +1

      @VIKRAMSHINDE83 I created a private Cloud Function (allow unauthorized false); still the API Gateway works like a charm.

  • @itsyourraju8000  3 years ago +2

    Thanks bro.. I have cleared my GCP associate exam...

  • @Atumadegroen  3 years ago +9

    Tip for anyone wondering: In order to make the Cloud Functions URLs private but still accessible to the API Gateway you have to give the API Gateway Service Account the "Cloud Functions Invoker" permissions.

    • @jeffross6759  2 years ago

      And also remove the "allUsers" Principal from the permissions>Principals list for the Cloud Function since it is often assigned the Cloud Functions Invoker role by default.

    • @jarle_m  1 year ago +2

      This step is very important and should have been in the video. Leaving the Cloud Function public without any invocation restrictions is the opposite of securing it.
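
The check described in the thread above (no `allUsers` invoker, gateway service account holds Cloud Functions Invoker), written as an added example that is not from the video or its author. It assumes a 1st gen function whose invocation is governed by `roles/cloudfunctions.invoker`; the project name and sample policies are constructed.

```python
INVOKER_ROLE = "roles/cloudfunctions.invoker"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit_invoker_policy(policy, gateway_sa):
    """Audit a function's IAM policy (the JSON printed by
    `gcloud functions get-iam-policy NAME --format=json`, parsed to a dict).
    gateway_sa is the e-mail of the service account the gateway calls as."""
    expected = f"serviceAccount:{gateway_sa}"
    invokers = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == INVOKER_ROLE:
            invokers.update(binding.get("members", []))

    findings = []
    for member in sorted(invokers & PUBLIC_MEMBERS):
        findings.append(f"PUBLIC {member}: trigger URL is callable without the gateway")
    if expected not in invokers:
        findings.append(f"MISSING {expected}: gateway cannot call a private function")
    for member in sorted(invokers - PUBLIC_MEMBERS - {expected}):
        findings.append(f"REVIEW {member}: extra identity that can bypass the gateway")
    return findings


# Constructed sample data; the project and account names are placeholders.
GATEWAY_SA = "svc-account-api@example-project.iam.gserviceaccount.com"
POLICY_PUBLIC = {"bindings": [
    {"role": INVOKER_ROLE, "members": ["allUsers"]},
]}
POLICY_HARDENED = {"bindings": [
    {"role": INVOKER_ROLE, "members": [f"serviceAccount:{GATEWAY_SA}"]},
]}

if __name__ == "__main__":
    for name, policy in [("public", POLICY_PUBLIC), ("hardened", POLICY_HARDENED)]:
        print(name, audit_invoker_policy(policy, GATEWAY_SA) or "OK")
```

The two findings for the public policy are cleared with `gcloud functions remove-iam-policy-binding NAME --member=allUsers --role=roles/cloudfunctions.invoker` and `gcloud functions add-iam-policy-binding NAME --member=serviceAccount:SA_EMAIL --role=roles/cloudfunctions.invoker`.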

  • @christianibiri  3 years ago +1

    wow! amazing feature from GCP

  • @isidme  3 years ago

    Thanks for the awesome tutorial :)

  • @andynelson2340  2 years ago

    I learned so much from this. Thank you! I learned that yaml files are space sensitive. Yikes!

  • @anandakumarsanthinathan4740  2 years ago

    Wonderful video. I learnt a lot. Google has probably done a lot of clean-up and I think we should be able to update the Config through the console too without much of a problem.
    By the way, do you happen to know if GCP's API Gateway will catch up with the popular Kong API Gateway in terms of functionalities such as rate-limiting, security, etc.?
    Thanks much.

  • @beepboopbloopblop  2 years ago

    Thanks for the great video!! Any chance you might know the answer to why this is happening: When I run curl with my api key as you have above, in terminal I get a response that says "No matches found" for that URL, but then if I copy and paste the same URL with the api key into a browser, I get the correct response from my cloud function?

  • @k4is3r  3 years ago

    u rock bro.... awesome content .... thanks

  • @michaelkrison  2 years ago

    Thank you for this video.. it really helped me out. I converted all the steps into Terraform scripts and it is working fine.

  • @conconmc  3 years ago

    Are there any good resources on how to set up custom domains with API Gateway?

  • @m.naveenlingam6678  3 years ago

    How to configure IAM authorization at both the Cloud Function level and the API Gateway level? Because I enabled JWT using service accounts at the API Gateway but I get a 401 error because the Cloud Functions are IAM authentication enabled. Any ideas on it, please comment.

  • @Gearmaster7  3 years ago

    Any info on how to set this up with a custom domain/subdomain?

  • @anaghabharadwaj1653  3 years ago

    How to schedule Dataflow jobs instead of cloud functions using Scheduler? Could you please guide

  • @pratikbhandari5649  3 years ago

    Thanks sir for the video .. request you to please make a video for api gateway with keycloak server .. thanks in Advance 😇

  • @wealth_developer_researcher  3 years ago

    I have a doubt. Does this curl request send key as GET parameter or in Header? It would be nice if you can show for the Digest and Bearer Token handling method as well.

  • @sekharchandra4217  2 years ago

    I am using the API Gateway URL in my web application and getting a CORS error. Do you have any demo video or documents, please?

  • @SannanTheTraveller  3 years ago

    How to force update an existing api-config?
    I am deploying it using Cloud Build and the command will get executed with every commit, and Cloud Build is failing because the same name (api-config) already exists.
    Is there any alternative?

    • @SannanTheTraveller  3 years ago

      For now I used $BUILD_ID with my api-config name; the drawback is there will be a huge backlog of api-configs that I need to get rid of.

  • @abhishesh.sharma  3 years ago

    is there a way to use oauth2 on api gateway

  • @VISHVESHWARSINGH  4 months ago

    I am able to access the Cloud Function using both the API Gateway and the Cloud Function trigger URL. But I want to block direct access to the trigger URL and only want to access it using the API Gateway. Please suggest.

  • @VISHVESHWARSINGH  4 months ago

    I am able to access the URL using both the API Gateway and the Cloud Function trigger URL. How can we block direct access to the trigger URL, such that we can access it only by the API Gateway URL?

  • @jeacovyy  8 months ago

    Great video. Very easy to follow. Is there a way to automate updating the config file?

  • @sumitsinghchadha2815  2 years ago

    Do you know how to create Custom subdomain for GCP API Gateway ?

  • @RahulChoudhary-gh6wr  2 years ago

    How we can connect our custom domain to the google API gateway?

  • @Pro3512  2 years ago

    Awesome video... While running the gcloud command for creating the API Gateway I am getting the error: Could not open service config file [openapi2-functions.yaml]: Unable to read file [openapi2-functions.yaml]:... Where should I keep the yaml file?

  • @jpbitong  3 years ago

    I got this Error "Your app contains exposed Google Cloud Platform (GCP) API keys" The google map is not showing on my App. I'm using Android Studio and Firebase. Please Help .

  • @srikanthreddy1365  1 year ago

    Hi.. Where did you get that yaml code....

  • @amitagrawal4660  1 year ago

    Will this work from outside gcp i.e. from my laptop/on-premise by just passing the api key in api gateway url?

  • @bhawnachaudhary2884  3 years ago +1

    I saved configuration file in the cloud sdk folder but it's showing me error ..unable to read this file..could not open service config file... can you tell me the possible reasons for this.

    • @CloudAdvocate  3 years ago

      Could you please provide exact steps to reproduce and the error.

    • @bhawnachaudhary2884  3 years ago +1

      @CloudAdvocate thanks, the issue got resolved

  • @AmNotLegend  1 year ago

    Do you have a talk on Google Cloud IAP?

  • @yeshutrozen5491  3 years ago

    Do a video on how to grab a cloud job after B.Tech, Sir!
    As many like me who are interested in cloud are stuck at where to start this!

  • @trackerprince6773  3 years ago

    is it possible to create api keys programmatically? i.e my users allowed to create api keys and revoke them from webapp.

    • @CloudAdvocate  3 years ago

      If you want to authenticate users, you should use JWT way of authentication.

    • @trackerprince6773  3 years ago +1

      @CloudAdvocate
      API keys identify the calling project - the application or site - making the call to an API.
      Authentication tokens identify a user - the person - that is using the app or site.

  • @manish7897  2 years ago

    But API Gateway has a maximum timeout of only 10 minutes; how to increase it if a process takes more than 10 minutes to complete?

  • @lukerhoads  3 years ago

    Hey is there any way to manage cors in the gateway yet?

  • @simpleprogrammer9552  3 years ago

    I'm not done with the vid, but seems like API Gateway Admin is not the best role to give out to 3rd party devs accessing this API, right? I assume a lesser role wrt apigateway would work... would def should. Otherwise callers may be able to use that service account to do things to the gateway config.

    • @simpleprogrammer9552  3 years ago

      I see now the keys are for the logged in user who is reviewing the API in services and apis. So how do you restrict the ability to create compatible keys?

  • @awanderingcat365  3 years ago

    Thanks for the video. I can see that API gateway URL is secured with an API key. What happens if the cloud functions URL is leaked? How to make sure that the cloud functions URL is also secured? E.g. somebody sends a request directly to the cloud functions.

    • @CloudAdvocate  3 years ago

      Good point, you can still do the same way by making cloud function as private or keeping unauthorized false.

    • @awanderingcat365  3 years ago

      @CloudAdvocate Thank you. If the authorized is false, will the API Gateway still be able to reach the Cloud Functions?

    • @CloudAdvocate  3 years ago +1

      @awanderingcat365 Yes, it should work.

  • @kenboone1049  3 years ago

    Useful video! I followed the full process but the gateway api doesn't block the execution of the cloud function if I don't append an api key in the url. Any idea how I can verify if the api-key is correctly setup on the gateway api?

    • @CloudAdvocate  3 years ago

      Hello, Did you make sure you have put key section in the config?

    • @kenboone1049  3 years ago

      @CloudAdvocate Thx for the quick reply. Yes added, security: - api_key: [] on the path-part and also securityDefinitions at the bottom of the config file. I've updated the api_key name to the created api-key name.

    • @CloudAdvocate  3 years ago

      @kenboone1049 Maybe you are not using the config with the key then.. did you update it properly? Did you have your old configuration without the key first? Please check from the console what it is using.

    • @kenboone1049  3 years ago

      @CloudAdvocate checked it and looks okay. I am trying the service account again since I was using my appspot service account (App Engine default service account)

    • @kenboone1049  3 years ago

      @CloudAdvocate the service account is also ok now. But the cloud function is still not accessible via the gateway. If I grant allUsers access to the cloud function, I get the correct response of that cloud function via the gateway api. But the api key is ignored. Which service account do you connect to the cloud function?
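
One way to check the question raised in the thread above, whether the `security` / `securityDefinitions` sections of a config actually cover each operation, as an added example that is not from the video or its author. It assumes the OpenAPI 2.0 YAML has already been parsed to a dict (for instance with a YAML library); the sample config and its placeholder backend address are constructed, and the mis-indented variant illustrates one possible mistake rather than the commenter's actual file.

```python
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}


def operations_without_api_key(spec):
    """Return sorted (path, method) pairs an OpenAPI 2.0 spec leaves callable
    without an API key. spec is the config file parsed to a dict."""
    key_schemes = {
        name for name, scheme in spec.get("securityDefinitions", {}).items()
        if scheme.get("type") == "apiKey"
    }
    default_security = spec.get("security", [])
    unprotected = []
    for path, item in spec.get("paths", {}).items():
        for method, operation in item.items():
            if method not in HTTP_METHODS:
                continue  # e.g. a `security` key mis-indented to path level
            # An operation-level `security` list overrides the top-level one.
            requirements = operation.get("security", default_security)
            # Requirements are alternatives: each one must demand a key scheme.
            protected = bool(requirements) and all(
                any(name in key_schemes for name in req) for req in requirements
            )
            if not protected:
                unprotected.append((path, method))
    return sorted(unprotected)


def hello_spec(security_on_operation):
    """Constructed sample config; the backend address is a placeholder."""
    operation = {
        "operationId": "hello",
        "x-google-backend": {"address": "https://REGION-PROJECT_ID.cloudfunctions.net/hello"},
        "responses": {"200": {"description": "OK"}},
    }
    path_item = {"get": operation}
    requirement = [{"api_key": []}]
    if security_on_operation:
        operation["security"] = requirement
    else:
        path_item["security"] = requirement  # one indent level too shallow
    return {
        "swagger": "2.0",
        "paths": {"/hello": path_item},
        "securityDefinitions": {"api_key": {"type": "apiKey", "name": "key", "in": "query"}},
    }
```

`operations_without_api_key(hello_spec(False))` reports `/hello` because OpenAPI 2.0 defines `security` only at the top level and on operations, so a requirement placed on the path item is not counted.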

  • @cmanna7  3 years ago

    If the Cloud Function endpoint link is leaked then it will be hacked. How is it secure?

  • @HilLiao  3 years ago

    I am surprised the demo succeeded without binding service account user role to svc-account-api. Per cloud.google.com/api-gateway/docs/configure-dev-env#configuring_a_service_account, you'd need service account user role. Furthermore, you'd secure the cloud function by allowing only svc-account-api to invoke it and bind Cloud function invoker role per cloud.google.com/functions/docs/securing/managing-access-iam. Then unauthenticated calls to cloud function would return 401 making the API gateway the only route to the backend function. Taking 1 step further, if you want to use OpenID tokens to identify the callers, follow cloud.google.com/api-gateway/docs/authenticating-users-googleid or cloud.google.com/api-gateway/docs/authenticate-service-account. Inspect X-Apigateway-Api-Userinfo header in the cloud function hello code to see who's calling.

  • @jayanthsuvarna8244  3 years ago

    When I access Cloud function API directly without which is still accessible

    • @CloudAdvocate  3 years ago

      I would suggest to try with securing CF.

  • @badeonline  1 year ago

    Thanks for the Video. Unfortunately, the Google Cloud UI/Console still has lacking features, for example, updating the gateway to use a new config.
    Anyway, one thing which is not clarified here is, In your video, the Cloud Function end point is still available without authentication if someone directly calls it. So, your demo only restricts if you access the cloud function via Gateway but does not restrict if you call Cloud Function end point directly.
    How do we restrict the cloud function by using "requires authentication" and also use a Gateway?
    Thanks

  • @sebastiannillc  3 years ago

    Can I pay you to teach me the basics to create an address verification on my Google Platform?

    • @CloudAdvocate  3 years ago

      Could you please send more details to my email.

  • @georgedicu7397  3 years ago

    Swagger doc? It's OpenAPI since a long time now.

    • @KevinBoutin  3 years ago

      Yes but GCP uses swagger v2.0. It became openapi at v3.

  • @tharunps8048  24 days ago

    Bro uses AWS Tshirt to teach GCP🤣🤣....Btw great content though🤝😀

  • @marioamatucci  3 years ago

    that's not security.... you can still curl the original CF http ahahah