Tags: firebase, google-app-engine, google-cloud-functions, service-accounts

Access Google App Engine endpoint from Firebase cloud function


I have a Firebase cloud function which gets triggered when there is a change in the Firebase Realtime Database. In the cloud function I want to hit my App Engine endpoint. The App Engine endpoint is configured with a security constraint of "admin" only access. (Note: the endpoint is deployed in a different App Engine project than my Firebase cloud function project. Both projects are deployed in the same Google Cloud account.)

I tried to get the application default credential from the cloud function and used it in the HTTP request to the endpoint, but it is getting redirected to the sign-in page.

What is the role of the application default credential of a Firebase cloud function? Are there alternate ways of achieving this?

Firebase cloud function:

const functions = require('firebase-functions'); // was missing from the posted snippet
const gal = require('google-auth-library');

exports.makeUppercase = functions.database.ref('/{deviceId}/status')
.onWrite(event => {

      const auth = new gal.GoogleAuth();

      // Return the promise chain so the function instance is not torn down
      // before the request to the endpoint has completed.
      return auth.getApplicationDefault().then(
            function(res) {
                let client = res.credential;

                // Some credential types need scopes attached explicitly
                if (client.createScopedRequired && client.createScopedRequired()) {
                    const scopes = ['https://www.googleapis.com/auth/cloud-platform'];
                    client = client.createScoped(scopes);
                }
                // Logging the credential object can write token material to the logs
                console.log(client);

                const url = 'https://my-secure-service-dot-my-project.appspot.com/secureEndPoint';
                return client.request({url}).then(
                    function(response) {
                        console.log(response.data);
                        return response.data;
                    }
                );
            }
        ).catch(err => {
            console.error(err);
            return err;
        });
});

EDIT: I deployed the endpoint in the same project as the cloud function project. The endpoint access still fails.

EDIT: Below is the web.xml portion where the security constraints are specified for the endpoint:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>all</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>


Solution

  • Here are two working examples for accessing a protected GAE endpoint by using Identity-Aware Proxy (IAP). Notice: IAP will restrict access to the entire application rather than to specific handlers as with login: admin.

    According to the app.yaml reference (standard environment), login: admin is a medium for a real user to connect to an endpoint using a browser.