Is there a way to create firewall rules for my Google Cloud Functions HTTP endpoints?

前端 未结 1 1677
别那么骄傲
别那么骄傲 2021-01-07 05:46

Just wanted to check if this is in the roadmap of already available and I have just missed these. While building my Functions for an important project, I want to apply some

相关标签:
1条回答
  • 2021-01-07 06:28

    More than firewall rules what you should be looking at is to authenticate your requests to your Cloud Functions with Access Tokens.

    Here there is a good example on how to do this.

    Basically you will be creating an HTTP triggered Cloud Function.

    First create a bucket, mine is called auth-123 .Then drop to a Cloud shell and define the project name and the bucket as environment variables:

    jordim@yrmv-191108:~$ export BUCKET=auth-123
    jordim@yrmv-191108:~$ export PROJECT=yrmv-191108
    

    Create a couple of service accounts

    jordim@yrmv-191108:~$ gcloud iam service-accounts create alpha-account --
    display-name "Account 1"
    jordim@yrmv-191108:~$ gcloud iam service-accounts create beta-account --display-name "Account 2"
    Created service account [beta-account].
    

    Now to create the function! On a folder on your cloud shell create first a package.json with the dependencies:

    jordim@yrmv-191108:~/cloudfunction$ cat > package.json
    {
      "dependencies": {
        "googleapis": "21.2"
      }
    }
    

    And now the function itself:

    const Google = require('googleapis');
    const BUCKET = 'auth-123'; // Replace with name of your bucket
    
    /**
     * Cloud Function.
     *
     * @param {Object} req Cloud Function request context.
     * @param {Object} res Cloud Function response context.
     */
    exports.secureFunction = function secureFunction(req, res) {
        var accessToken = getAccessToken(req.get('Authorization'));
        var oauth = new Google.auth.OAuth2();
        oauth.setCredentials({access_token: accessToken});
    
        var permission = 'storage.buckets.get';
        var gcs = Google.storage('v1');
        gcs.buckets.testIamPermissions(
            {bucket: BUCKET, permissions: [permission], auth: oauth}, {},
            function (err, response) {
                if (response && response['permissions'] && response['permissions'].includes(permission)) {
                    authorized(res);
                } else {
                    res.status(403).send("The request is forbidden.");
                }
            });
    
    
    
    function authorized(res) {
                res.send("The request was successfully authorized.");
                // The code to execute goes here! :)
    }
    }
    
    
    function getAccessToken(header) {
        if (header) {
            var match = header.match(/^Bearer\s+([^\s]+)$/); //We are looking for an HTTP request with the content Bearer: + a token
            if (match) {
                return match[1];
            }
        }
    
        return null;
    }
    

    In this case we are checking that the account launching the request has the permission storage.buckets.get, but it can be changed to any other just by changing the the variable permission.

    Then you deploy the function:

    jordim@yrmv-191108:~/cloudfunction$ gcloud beta  functions deploy secureFunction --stage-bucket $BUCKET --trigger-http
    

    Now you have a cloud function that only triggers its content if it receives a request from an authorized account. Let's make tokens for the accounts we created before:

       jordim@yrmv-191108:~/cloudfunction$ gcloud iam service-accounts keys create --iam-account alpha-account@$PROJECT.iam.gserviceaccount.com ./alpha-account.json
        jordim@yrmv-191108:~/cloudfunction$ export ALPHA_ACCOUNT_TOKEN=$(GOOGLE_APPLICATION_CREDENTIALS=./alpha-account.json gcloud auth application-default print-access-token)
    
    
    jordim@yrmv-191108:~/cloudfunction$ gcloud iam service-accounts keys create --iam-account beta-account@$PROJECT.iam.gserviceaccount.com ./beta-account.json
    created key [4a9251d7611e74da8b4565657b52b7c940606630] of type [json] as [./beta-account.json] for [beta-account@yrmv-191108.iam.gserviceaccount.com]
    jordim@yrmv-191108:~/cloudfunction$ export BETA_ACCOUNT_TOKEN=$(GOOGLE_APPLICATION_CREDENTIALS=./beta-account.json gcloud auth application-default print-access-token)
    

    We have the auth tokens on a json now and also exported them as an env var for easy testing. Let's give permission to ALPHA user and not give it to BETA user:

    jordim@yrmv-191108:~/cloudfunction$ gsutil acl ch -u alpha-account@$PROJECT.iam.gserviceaccount.com:R gs://auth-123
    

    And now to test:

    jordim@yrmv-191108:~/cloudfunction$ curl https://us-central1-yrmv-191108.cloudfunctions.net/secureFunction -H "Authorization: Bearer $ALPHA_ACCOUNT_TOKEN"
    The request was successfully authorized.
    
    jordim@yrmv-191108:~/cloudfunction$ curl https://us-central1-yrmv-191108.cloudfunctions.net/secureFunction -H "Authorization: Bearer $BETA_ACCOUNT_TOKEN"
    The request is forbidden
    

    You can apply this logic to any of your cloud functions, and unless the request comes with a valid token on its header the amount of resources used for rejecting it is minimal.

    0 讨论(0)
提交回复
热议问题