Securing Cloud Function using Google Cloud API Gateway

Views: 25,968

Cloud Advocate


This video shows how to secure an unauthenticated Cloud Function using Google Cloud API Gateway.
Timelines:
00:00 Intro
03:10 Setting up gcloud
04:09 Enable the services using gcloud
04:44 Create cloud function
05:48 Create Service account
07:06 Create API
08:44 Create API Config
14:14 Create Gateway
16:20 Securing the cloud function using key
Official Document: cloud.google.com/api-gateway/...
Good article: t.co/wIi2IlVr0B?amp=1

Comments: 78
@CloudAdvocate 3 years ago
When you try this tutorial, have patience 😋 because a few commands take a lot of time. Take a few breaks in between. And also don't please complete the assignment and comment here. BTW, I made a small mistake in the config; try to find it and comment here.
@VIKRAMSHINDE83 3 years ago
The x-google-backend address is /hello-world instead of /hello. Also, the Cloud Function has been kept open to the public.
@CloudAdvocate 3 years ago
@VIKRAMSHINDE83 spot on!!! 👏
@SannanTheTraveller 3 years ago
@VIKRAMSHINDE83 I created a private cloud function (allow unauthorized false); still, the API gateway works like a charm.
@Atumadegroen 2 years ago
Tip for anyone wondering: In order to make the Cloud Functions URLs private but still accessible to the API Gateway you have to give the API Gateway Service Account the "Cloud Functions Invoker" permissions.
@jeffross6759 2 years ago
And also remove the "allUsers" Principal from the permissions>Principals list for the Cloud Function since it is often assigned the Cloud Functions Invoker role by default.
@jarle_m 1 year ago
This step is very important and should have been in the video. Leaving the Cloud Function public without any invocation restrictions is the opposite of securing it.
@itsyourraju8000 3 years ago
Thanks bro. I have cleared my GCP associate exam...
@christianibiri 3 years ago
Wow! Amazing feature from GCP.
@isidme 3 years ago
Thanks for the awesome tutorial :)
@anandakumarsanthinathan4740 2 years ago
Wonderful video. I learnt a lot. Google has probably done a lot of clean-up and I think we should be able to update the Config through the console too without much of a problem. By the way, do you happen to know if GCP's API Gateway will catch up with the popular Kong API Gateway in terms of functionalities such as rate-limiting, security, etc.? Thanks much.
@michaelkrison 1 year ago
Thank you for this video. It really helped me out. I converted all the steps into Terraform scripts and it is working fine.
@CloudAdvocate 1 year ago
Could you please create a pull request?
@k4is3r 3 years ago
You rock, bro... awesome content... thanks
@CloudAdvocate 3 years ago
Thank you!!
@andynelson2340 2 years ago
I learned so much from this. Thank you! I learned that YAML files are space sensitive. Yikes!
@beepboopbloopblop 2 years ago
Thanks for the great video!! Any chance you might know the answer to why this is happening: When I run curl with my API key as you have above, in the terminal I get a response that says "No matches found" for that URL, but then if I copy and paste the same URL with the API key into a browser, I get the correct response from my cloud function?
@pratikbhandari5649 3 years ago
Thanks, sir, for the video. Request you to please make a video for API gateway with a Keycloak server. Thanks in advance 😇
@jeacovyy 7 months ago
Great video. Very easy to follow. Is there a way to automate updating the config file?
@yeshutrozen5491 3 years ago
Do a video on how to grab a cloud job after B.Tech, sir! Many like me who are interested in cloud are stuck at where to start!
@conconmc 3 years ago
Are there any good resources on how to set up custom domains with API Gateway?
@Gearmaster7 3 years ago
Any info on how to set this up with a custom domain/subdomain?
@anaghabharadwaj1653 3 years ago
How to schedule Dataflow jobs instead of cloud functions using Scheduler? Could you please guide?
@m.naveenlingam6678 3 years ago
How to configure IAM authorization at both the cloud function level and the API gateway level? I enabled JWT using service accounts at the API gateway but I get a 401 error because the cloud functions are IAM authentication enabled. Any ideas on it, please comment.
@wealth_developer_researcher 3 years ago
I have a doubt. Does this curl request send the key as a GET parameter or in a header? It would be nice if you could show the Digest and Bearer Token handling methods as well.
@CloudAdvocate 3 years ago
GET call with HEADER as key.
@sekharchandra4217 2 years ago
I am using the API gateway URL in my web application and getting a CORS error. Do you have any demo video or documents, please?
@SannanTheTraveller 3 years ago
How to force update an existing api-config? I am deploying it using Cloud Build and the command gets executed with every commit, and Cloud Build is failing because the same name (api-config) already exists. Is there any alternative?
@SannanTheTraveller 3 years ago
For now I used $BUILD_ID with my api-config name; the drawback is there will be a huge backlog of api-configs that I need to get rid of.
@VISHVESHWARSINGH 2 months ago
I am able to access the cloud function using both the API gateway and the cloud function trigger URL. But I want to block direct access to the trigger URL and only want to access it using the API gateway. Please suggest.
@Pro3512 2 years ago
Awesome video... While running the gcloud command for creating the API Gateway I am getting the error Could not open service config file [openapi2-functions.yaml]: Unable to read file [openapi2-functions.yaml]:... Where should I keep the YAML file?
@VISHVESHWARSINGH 2 months ago
I am able to access the URL using both the API gateway and the cloud function trigger URL. How can we block direct access to the trigger URL, such that we can access it only by the API gateway URL?
@abhishesh.sharma 3 years ago
Is there a way to use OAuth2 on API Gateway?
@RahulChoudhary-gh6wr 2 years ago
How can we connect our custom domain to the Google API Gateway?
@amitagrawal4660 1 year ago
Will this work from outside GCP, i.e. from my laptop/on-premise, by just passing the API key in the API gateway URL?
@CloudAdvocate 1 year ago
Yes
@HilLiao 3 years ago
I am surprised the demo succeeded without binding service account user role to svc-account-api. Per cloud.google.com/api-gateway/docs/configure-dev-env#configuring_a_service_account, you'd need service account user role. Furthermore, you'd secure the cloud function by allowing only svc-account-api to invoke it and bind Cloud function invoker role per cloud.google.com/functions/docs/securing/managing-access-iam. Then unauthenticated calls to cloud function would return 401 making the API gateway the only route to the backend function. Taking 1 step further, if you want to use OpenID tokens to identify the callers, follow cloud.google.com/api-gateway/docs/authenticating-users-googleid or cloud.google.com/api-gateway/docs/authenticate-service-account. Inspect X-Apigateway-Api-Userinfo header in the cloud function hello code to see who's calling.
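Added example (not from the video or from any commenter): a check for the gap described in the comments by @Atumadegroen, @jeffross6759 and @HilLiao, where the function stays publicly invocable behind the gateway. It audits a Cloud Function IAM policy for public invokers and for the gateway's service account, and builds the corrected policy. The policy content and the project id in GATEWAY_SA are constructed sample values.

```python
import json

INVOKER_ROLE = "roles/cloudfunctions.invoker"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Assumed name: the gateway's backend service account (project id is constructed).
GATEWAY_SA = "svc-account-api@example-project.iam.gserviceaccount.com"

# Constructed sample in the shape printed by
#   gcloud functions get-iam-policy FUNCTION_NAME --format=json
# for a function deployed with unauthenticated invocations allowed.
SAMPLE_POLICY = {
    "bindings": [
        {"role": INVOKER_ROLE,
         "members": ["allUsers", f"serviceAccount:{GATEWAY_SA}"]},
        {"role": "roles/cloudfunctions.viewer",
         "members": ["user:dev@example.com"]},
    ],
    "etag": "constructed-etag",
    "version": 1,
}


def audit_invokers(policy, gateway_sa):
    """Return (findings, hardened_policy); the input policy is not modified."""
    sa_member = f"serviceAccount:{gateway_sa}"
    findings, gateway_bound = [], False
    hardened = {**policy, "bindings": []}
    for binding in policy.get("bindings", []):
        members = binding.get("members", [])
        if binding.get("role") == INVOKER_ROLE:
            findings += [f"PUBLIC: {m} can invoke the function directly"
                         for m in members if m in PUBLIC_MEMBERS]
            gateway_bound = gateway_bound or sa_member in members
            members = [m for m in members if m not in PUBLIC_MEMBERS]
        if members:  # drop bindings left empty after removing public members
            hardened["bindings"].append({**binding, "members": members})
    if not gateway_bound:
        findings.append(f"MISSING: {sa_member} lacks {INVOKER_ROLE}")
        target = next((b for b in hardened["bindings"]
                       if b["role"] == INVOKER_ROLE and "condition" not in b), None)
        if target is None:
            target = {"role": INVOKER_ROLE, "members": []}
            hardened["bindings"].append(target)
        target["members"].append(sa_member)
    return findings, hardened


if __name__ == "__main__":
    findings, hardened = audit_invokers(SAMPLE_POLICY, GATEWAY_SA)
    print("\n".join(findings))
    print(json.dumps(hardened, indent=2))
```

The hardened policy can be written to a file and applied with gcloud functions set-iam-policy; an empty findings list means the trigger URL is no longer open to unauthenticated callers.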
@bhawnachaudhary2884 3 years ago
I saved the configuration file in the Cloud SDK folder but it's showing me an error: unable to read this file, could not open service config file... Can you tell me the possible reasons for this?
@CloudAdvocate 3 years ago
Could you please provide exact steps to reproduce and the error.
@bhawnachaudhary2884 3 years ago
@CloudAdvocate thanks, the issue got resolved.
@sumitsinghchadha2815 2 years ago
Do you know how to create a custom subdomain for GCP API Gateway?
@jpbitong 3 years ago
I got this error: "Your app contains exposed Google Cloud Platform (GCP) API keys". The Google map is not showing in my app. I'm using Android Studio and Firebase. Please help.
@manish7897 2 years ago
But API gateway has a maximum timeout of only 10 minutes; how to increase it if a process takes more than 10 minutes to complete?
@srikanthreddy1365 1 year ago
Hi. Where did you get that YAML code?
@kenboone1049 3 years ago
Useful video! I followed the full process but the gateway API doesn't block the execution of the cloud function if I don't append an API key in the URL. Any idea how I can verify if the api-key is correctly set up on the gateway API?
@CloudAdvocate 3 years ago
Hello, did you make sure you have put the key section in the config?
@kenboone1049 3 years ago
@CloudAdvocate Thx for the quick reply. Yes added, security: - api_key: [] on the path-part and also securityDefinitions at the bottom of the config file. I've updated the api_key name to the created api-key name.
@CloudAdvocate 3 years ago
@kenboone1049 Maybe you are not using the config with the key then. Did you update it properly? Did you have your old configuration without the key first? Please check from the console what it is using.
@kenboone1049 3 years ago
@CloudAdvocate Checked it and it looks okay. I am trying the service account again since I was using my appspot service account (App Engine default service account).
@kenboone1049 3 years ago
@CloudAdvocate The service account is also ok now. But the cloud function is still not accessible via the gateway. If I grant allUsers access to the cloud function, I get the correct response of that cloud function via the gateway API. But the API key is ignored. Which service account do you connect to the cloud function?
@awanderingcat365 3 years ago
Thanks for the video. I can see that the API gateway URL is secured with an API key. What happens if the cloud functions URL is leaked? How to make sure that the cloud functions URL is also secured? E.g. somebody sends a request directly to the cloud functions.
@CloudAdvocate 3 years ago
Good point, you can still do it the same way by making the cloud function private or keeping unauthorized false.
@awanderingcat365 3 years ago
@CloudAdvocate Thank you. If authorized is false, will the API gateway still be able to reach the cloud functions?
@CloudAdvocate 3 years ago
@awanderingcat365 Yes, it should work.
@simpleprogrammer9552 3 years ago
I'm not done with the vid, but seems like API Gateway Admin is not the best role to give out to 3rd party devs accessing this API, right? I assume a lesser role wrt apigateway would work... would def should. Otherwise callers may be able to use that service account to do things to the gateway config.
@simpleprogrammer9552 3 years ago
I see now the keys are for the logged in user who is reviewing the API in services and APIs. So how do you restrict the ability to create compatible keys?
@trackerprince6773 3 years ago
Is it possible to create API keys programmatically? I.e. my users are allowed to create API keys and revoke them from the webapp.
@CloudAdvocate 3 years ago
If you want to authenticate users, you should use the JWT way of authentication.
@trackerprince6773 3 years ago
@CloudAdvocate API keys identify the calling project - the application or site - making the call to an API. Authentication tokens identify a user - the person - that is using the app or site.
@lukerhoads 3 years ago
Hey, is there any way to manage CORS in the gateway yet?
@CloudAdvocate 3 years ago
I haven't seen that option yet.
@AmNotLegend 1 year ago
Do you have a talk on Google Cloud IAP?
@cmanna7 3 years ago
If the cloud function endpoint link is leaked then it will be hacked. How is it secured?
@CloudAdvocate 3 years ago
Pls try with authenticated CF.
@jayanthsuvarna8244 3 years ago
When I access Cloud function API directly without which is still accessible
@CloudAdvocate 3 years ago
I would suggest trying with securing the CF.
@badeonline 1 year ago
Thanks for the video. Unfortunately, the Google Cloud UI/Console still has lacking features, for example, updating the gateway to use a new config. Anyway, one thing which is not clarified here is: in your video, the Cloud Function endpoint is still available without authentication if someone directly calls it. So, your demo only restricts access to the cloud function via the Gateway but does not restrict it if you call the Cloud Function endpoint directly. How do we restrict the cloud function by using "requires authentication" and also use a Gateway? Thanks
@sebastiannillc 3 years ago
Can I pay you to teach me the basics to create an address verification on my Google Platform?
@CloudAdvocate 3 years ago
Could you please send more details to my email.
@georgedicu7397 3 years ago
Swagger doc? It's OpenAPI since a long time now.
@KevinBoutin 3 years ago
Yes but GCP uses swagger v2.0. It became openapi at v3.
@marioamatucci 2 years ago
That's not security.... you can still curl the original CF http ahahah