Tags: google-cloud-endpoints, google-cloud-identity

Cloud Identity and Cloud Endpoints: is there any way to bar certain users within a role/group from making POST/GET requests to an endpoint?


For example, let's say user A needs to have GET permissions but no POST permissions to a certain endpoint. Is there any way to:

  1. Make roles where a certain user can't make certain types of requests to an endpoint?
  2. Make sure that endpoint follows those rules?

Solution

  • Regarding your first question, Cloud IAM roles are meant to control the access level of user accounts to the services and products that exist within your project. The IAM roles for Cloud Endpoints allow you to restrict which users can enable your API, but they don't offer such fine-grained permissions to control how users that are allowed to call it can interact with particular routes of your API.

    Now, it is possible to restrict access to particular API methods. I describe two approaches below:

    • Using Auth0 and checking user authorization programmatically: when a user allowed to reach the endpoint makes a request, their identity is passed to the handling code in the header X-Endpoint-API-UserInfo. You can then check who the caller is in order to deny a response. This would require some database communication to check the restricted users, or the questionable naive approach of hardcoding the users. This approach is solid from a security point of view, since Cloud IAP would block unauthorized users from reaching the API and then you can further restrict access scopes as needed. The only downside of this method is that it creates some latency. See here for documentation and links to code samples in several languages.
    • API keys: API keys provide a way of allowing/restricting access to individual methods as long as you can differentiate the endpoint routes. For instance, you might allow some keys to call yourendpoint/route/method1 but restrict yourendpoint/route/method2. There are several drawbacks to this. The first is that API keys are meant to identify a project/application/website/IP rather than individual users, which isn't exactly what you're asking about. The second is that they're less secure than authentication, and once your API key is exposed almost anybody can use it, which can incur unexpected charges to your billing account. Nonetheless, I wanted to mention it for the sake of completeness, as it might be useful in other situations. See here for an overview of API keys.

    Overall I would suggest using Auth0 with programmatic authentication.
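As an added example (not part of the answer above and not code from Google or Auth0), here is how the programmatic check from the first approach can look in the backend behind ESP. ESP forwards the authenticated caller's identity as the X-Endpoint-API-UserInfo header, a base64url-encoded JSON object carrying the issuer, subject id and email; the backend decodes it and consults a per-user policy before handling the method. The policy table, the routes, the user emails and the `handle_request` dispatcher are constructed assumptions for illustration.

```python
import base64
import json

# Constructed policy (assumption): which HTTP methods each authenticated user may
# use on each route. A user/route pair that is not listed is denied by default,
# which is the failure mode you want for an allow-list.
POLICY = {
    "alice@example.com": {"/api/items": {"GET"}},           # read-only user
    "bob@example.com":   {"/api/items": {"GET", "POST"}},   # may create items too
}


def parse_user_info(header_value):
    """Decode the X-Endpoint-API-UserInfo header that ESP attaches to requests
    it has already authenticated. The value is base64url-encoded JSON; ESP may
    strip the '=' padding, so restore it before decoding. Any malformed value
    is treated as "no identity" rather than guessed at."""
    if not header_value:
        return None
    padded = header_value + "=" * (-len(header_value) % 4)
    try:
        info = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers binascii.Error and json.JSONDecodeError
        return None
    return info if isinstance(info, dict) else None


def is_allowed(user_info, method, path, policy=POLICY):
    """Return True only if the policy explicitly grants this method on this
    path to the caller. Keyed on email here for readability; the 'id' field
    (issuer-scoped subject) is the stable identifier if emails can change."""
    if not user_info:
        return False
    caller = user_info.get("email")
    return method.upper() in policy.get(caller, {}).get(path, set())


def handle_request(method, path, headers):
    """Minimal dispatcher standing in for the real framework handler: returns
    (status, body) so the authorization outcome can be checked directly."""
    user = parse_user_info(headers.get("X-Endpoint-API-UserInfo"))
    if user is None:
        # No usable identity: ESP should never let this through, so treat it
        # as unauthenticated rather than falling back to anonymous access.
        return 401, {"error": "missing or malformed caller identity"}
    if not is_allowed(user, method, path):
        return 403, {"error": "method not permitted for this user"}
    return 200, {"ok": True, "caller": user.get("email")}


def make_user_info_header(email, issuer="https://example.auth0.com/", sub="auth0|123"):
    """Build a constructed header value in the same shape ESP produces, so the
    check can be exercised offline (test helper, not something the backend
    should ever do for real requests)."""
    payload = json.dumps({"issuer": issuer, "id": sub, "email": email}).encode()
    return base64.urlsafe_b64encode(payload).decode().rstrip("=")


if __name__ == "__main__":
    alice = {"X-Endpoint-API-UserInfo": make_user_info_header("alice@example.com")}
    print(handle_request("GET", "/api/items", alice))   # allowed
    print(handle_request("POST", "/api/items", alice))  # denied, 403
```

Two caveats a practitioner should keep in mind. This header is only trustworthy if the backend is reachable solely through ESP, since ESP overwrites any X-Endpoint-API-UserInfo a client sends; if the backend can be hit directly, a client can forge the header and the check above becomes decoration. And the check must run before the handler does any work, not after, so a denied POST never reaches the data layer.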