When you try this tutorial have patience 😋 coz it takes a lot of time for a few commands. Take a few breaks in between. And also don't please complete the assignment and comment here. BTW, I made a small mistake in the config; try to find it and comment here.
Tip for anyone wondering: In order to make the Cloud Functions URLs private but still accessible to the API Gateway you have to give the API Gateway Service Account the "Cloud Functions Invoker" permissions.
And also remove the "allUsers" Principal from the permissions>Principals list for the Cloud Function since it is often assigned the Cloud Functions Invoker role by default.
This step is very important and should have been in the video. Leaving the Cloud Function public without any invocation restrictions is the opposite of securing it.
I am able to access the cloud function using both the API gateway and the cloud function trigger URL. But I want to block direct access to the trigger URL and only allow access using the API gateway. Please suggest.
Thanks for the great video!! Any chance you might know the answer to why this is happening: When I run curl with my api key as you have above, in terminal I get a response that says "No matches found" for that URL, but then if I copy and paste the same URL with the api key into a browser, I get the correct response from my cloud function?
Wonderful video. I learnt a lot. Google has probably done a lot of clean-up and I think we should be able to update the Config through the console too without much of a problem. By the way, do you happen to know if GCP's API Gateway will catch up with the popular Kong API Gateway in terms of functionalities such as rate-limiting, security, etc.? Thanks much.
I am able to access the URL using both the API gateway and the cloud function trigger URL. How can we block trigger URL access directly, such that we can access it only by the API gateway URL?
Awesome Video... While making the gcloud command for creating the API Gateway I am getting the error Could not open service config file [openapi2-functions.yaml]: Unable to read file [openapi2-functions.yaml]:... Where should I keep the yaml file?
This cloud function is not secure. It is still reachable without the API key because you didn't lock down the cloud function with IAP. An attacker could just bypass your API key by not using the API gateway URL.
I saved the configuration file in the cloud sdk folder but it's showing me an error... unable to read this file... could not open service config file... Can you tell me the possible reasons for this?
I got this error: "Your app contains exposed Google Cloud Platform (GCP) API keys". The Google map is not showing in my app. I'm using Android Studio and Firebase. Please help.
I have a doubt. Does this curl request send the key as a GET parameter or in a header? It would be nice if you could show the Digest and Bearer Token handling methods as well.
I'm not done with the vid, but seems like API Gateway Admin is not the best role to give out to 3rd party devs accessing this api, right? I assume a lesser role wrt apigateway would work... would def should. Otherwise callers may be able to use that service account to do things to the gateway config
I see now the keys are for the logged in user who is reviewing the API in services and apis. So how do you restrict the ability to create compatible keys?
How to force update an existing api-config? I am deploying it using cloud build and the command will get executed with every commit, and cloudbuild is failing because the same name (api-config) already exists. Is there any alternative?
How to configure IAM authorization at both the cloud function level and the API gateway level? I enabled JWT using service accounts at the API gateway but I get a 401 error because the cloud functions are IAM authentication enabled. Any ideas on it, plz comment.
Thanks for the Video. Unfortunately, the Google Cloud UI/Console still has lacking features, for example, updating the gateway to use a new config. Anyway, one thing which is not clarified here is: in your video, the Cloud Function endpoint is still available without authentication if someone directly calls it. So, your demo only restricts if you access the cloud function via Gateway but does not restrict if you call the Cloud Function endpoint directly. How do we restrict the cloud function by using "requires authentication" and also use a Gateway? Thanks
Is it possible to share the API config file from this example? I want to review syntax for adding up an auth key to secure the function. OR any online reference file
Useful video! I followed the full process but the gateway api doesn't block the execution of the cloud function if I don't append an api key in the url. Any idea how I can verify if the api-key is correctly setup on the gateway api?
@CloudAdvocate Thx for the quick reply. Yes added, security: - api_key: [] on the path-part and also securityDefinitions at the bottom of the config file. I've updated the api_key name to the created api-key name.
@kenboone1049 Maybe you are not using the config with the key then... did you update it properly? Did you have your old configuration without the key first? Please check from the console what it is using.
@CloudAdvocate checked it and looks okay. I am trying the service account again since I was using my appspot service account (app engine default service account)
@CloudAdvocate the service account is also ok now. But the cloud function is still not accessible via the gateway. If I grant allUsers access to the cloud function, I get the correct response of that cloud function via the gateway api. But the api key is ignored. Which service account do you connect to the cloud function?
Thanks for the video. I can see that API gateway URL is secured with an API key. What happens if the cloud functions URL is leaked? How to make sure that the cloud functions URL is also secured? E.g. somebody sends a request directly to the cloud functions.
@CloudAdvocate API keys identify the calling project - the application or site - making the call to an API. Authentication tokens identify a user - the person - that is using the app or site.
When you publish your HTTP function without adding any authentication then it is also publicly accessible. So if someone has the URL of this cloud function he can access it easily. So how are you securing this without adding an API gateway?
@CloudAdvocate Actually I am looking for a way in which these cloud functions should be accessible in the GCP environment, not over the internet; then adding an API gateway in front of the cloud function makes sense from a security point of view.
I am surprised the demo succeeded without binding service account user role to svc-account-api. Per cloud.google.com/api-gateway/docs/configure-dev-env#configuring_a_service_account, you'd need service account user role. Furthermore, you'd secure the cloud function by allowing only svc-account-api to invoke it and bind Cloud function invoker role per cloud.google.com/functions/docs/securing/managing-access-iam. Then unauthenticated calls to cloud function would return 401 making the API gateway the only route to the backend function. Taking 1 step further, if you want to use OpenID tokens to identify the callers, follow cloud.google.com/api-gateway/docs/authenticating-users-googleid or cloud.google.com/api-gateway/docs/authenticate-service-account. Inspect X-Apigateway-Api-Userinfo header in the cloud function hello code to see who's calling.
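The lock-down described in several comments above (remove allUsers from the Cloud Functions Invoker role and grant that role only to the gateway's service account) can be checked against the function's IAM policy. This is an added example, not code from the video or from any commenter; the project ID and both sample policies are constructed, and the service account name follows the svc-account-api mentioned above.

```python
import json

INVOKER_ROLE = "roles/cloudfunctions.invoker"
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Assumed identity: svc-account-api is the name used in the comments,
# example-project is a placeholder project ID.
GATEWAY_SA = "svc-account-api@example-project.iam.gserviceaccount.com"

# Constructed sample policies in the JSON shape printed by
# `gcloud functions get-iam-policy FUNCTION --format=json`.
PUBLIC_POLICY = '{"bindings": [{"role": "roles/cloudfunctions.invoker", "members": ["allUsers"]}]}'
LOCKED_POLICY = json.dumps({"bindings": [
    {"role": INVOKER_ROLE, "members": [f"serviceAccount:{GATEWAY_SA}"]}]})


def audit_invoker_bindings(policy, gateway_sa):
    """List problems with who may invoke the function's trigger URL."""
    gateway_member = f"serviceAccount:{gateway_sa}"
    invokers = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == INVOKER_ROLE:
            invokers.update(binding.get("members", []))

    findings = []
    # Public principals make the trigger URL callable without the gateway.
    for member in sorted(invokers & PUBLIC_PRINCIPALS):
        findings.append(f"PUBLIC: {member} can invoke the trigger URL directly")
    # Without this binding the gateway's own calls to the backend are rejected.
    if gateway_member not in invokers:
        findings.append(f"GATEWAY: {gateway_member} lacks {INVOKER_ROLE}")
    # Anything else bypasses the gateway too and deserves a look.
    for member in sorted(invokers - PUBLIC_PRINCIPALS - {gateway_member}):
        findings.append(f"REVIEW: additional invoker {member}")
    return findings


if __name__ == "__main__":
    for name, raw in (("public", PUBLIC_POLICY), ("locked", LOCKED_POLICY)):
        print(name, audit_invoker_bindings(json.loads(raw), GATEWAY_SA) or "OK")
```

An empty result means the gateway's service account is the only principal that can call the function; the check does not evaluate IAM conditions attached to a binding.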