I have a cloud function that has restricted access by Cloud IAM. I have an external service (Auth0) that launches hooks when something happens. I want that hook to trigger my Cloud Function. However the hook should authorize itself beforehand with Cloud IAM.
What I want to do:
Member: auth0-hooks
Role: Cloud Function Invoker permission

I am currently stuck in the step of creating a new member auth0-hooks. I thought that's a trivial one but quickly figured out that there is no way to simply add a new member? I thought about creating a service account but was unsure if a service account can be used from outside (by requesting the access token of it via the Google metadata server)?
That's where I am stuck currently.
The service account is the correct way. A service account is a technical account. Like a user account, but for servers.
You can grant permissions on it. When you need to use this service account from outside the GCP environment, you need to create a service account key file which contains a private key (it's a secret, keep it safe!). With this service account key file you are able to generate an identity token required by your hook to call the Cloud Function and be authenticated and authorized.
The Google Cloud Auth libraries help you, in several languages.
Note: the metadata server is only an internal service on Google Cloud, not reachable externally.