I have a Google Cloud project which has the following resources:
- App Engine Standard Environment, which hosts the frontend (basically react-app).
- A private Google Cloud function
Now, I thought of the following scenarios to call the function from the react-app:
- Set "Allow only internal traffic" on the Cloud function: Only App Engine flexible environments can call the function, so ruled out.
- Authentication using CORS: The clients can still call the function.
- Making the cloud function public: Would let everyone invoke the function, which is not recommended for a private API.
- Invoking the function using the Google Cloud API: This would expose my Google Cloud API keys in the frontend.
So is there a workaround to call a Cloud function from an App Engine Standard environment?
CodePudding user response:
You can't call a Cloud Function (or Cloud Run) with ingress = internal only from App Engine. See my answer here
To secure your Cloud Functions, you can rely on the IAM service. If your App Engine service calls your Cloud Functions (I mean you have backend code that runs on App Engine, not static JS files that run in the user's browser), you can grant only the App Engine service account (you can now customize the service account that your App Engine service runs as) the permission to call your Cloud Function.
Of course, your Cloud Function is publicly exposed, but only the authenticated and authorised traffic will be routed to your Cloud Functions. All the bad traffic (from the internet or from other unauthorised services) will be rejected automatically by GFE (Google Front End) before invoking your Cloud Functions. Therefore you will pay only for the valid traffic; all the bad traffic is discarded by Google.
If the code runs in the user's browser (because your App Engine serves only static files), you can use a proxy layer to add security filtering, like API Gateway. You can have a look at this answer
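The backend-to-function call described in the answer above, as an added example that is not part of the original post: App Engine backend code asks the metadata server for an ID token whose audience is the function URL, then sends it as a bearer token. It assumes a Python backend on a runtime where the metadata server is reachable and a service account that has been granted permission to invoke the function; the function names and the injectable `urlopen` parameter are hypothetical.

```python
import json
import urllib.parse
import urllib.request

# Metadata server endpoint that mints a Google-signed ID token for the
# service account the App Engine service runs as.
METADATA_IDENTITY_URL = (
    "http://metadata.google.internal/computeMetadata/v1/"
    "instance/service-accounts/default/identity"
)


def identity_token_request(audience):
    """Build the metadata-server request for an ID token bound to `audience`."""
    query = urllib.parse.urlencode({"audience": audience})
    return urllib.request.Request(
        f"{METADATA_IDENTITY_URL}?{query}",
        headers={"Metadata-Flavor": "Google"},
    )


def function_request(function_url, id_token, payload):
    """Build the authenticated POST to the private function."""
    if not function_url.startswith("https://"):
        raise ValueError("refusing to send a bearer token over a non-HTTPS URL")
    return urllib.request.Request(
        function_url,
        data=json.dumps(payload).encode("utf-8"),
        headers={
            "Authorization": f"Bearer {id_token}",
            "Content-Type": "application/json",
        },
        method="POST",
    )


def call_private_function(function_url, payload, urlopen=urllib.request.urlopen):
    """Fetch an ID token, then invoke the function; returns the response body.

    `urlopen` is injectable (an assumption of this example) so the flow can be
    exercised without network access.
    """
    with urlopen(identity_token_request(function_url), timeout=5) as resp:
        id_token = resp.read().decode("utf-8").strip()
    with urlopen(function_request(function_url, id_token, payload), timeout=30) as resp:
        return resp.read().decode("utf-8")
```

The token never reaches the browser: the React app calls the App Engine backend, and only the backend holds the credential that the function's IAM policy accepts.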