Tags: google-cloud-platform, google-cloud-functions, google-cloud-storage, google-cloud-iam

Google Cloud IAM: website hosted in Cloud Storage to trigger Cloud Function (Gen 2)


I'm working inside Google Cloud, completely inside a single project. My current issue concerns correct access rights only.

I've developed a simple website hosted on Cloud Storage with public access via a link like https://<name_of_bucket>.storage.googleapis.com/. This site has a JS script which makes an API call (POST/GET/OPTIONS) to a Cloud Function (Gen 2, Python 10), which sends the response back to the JS. CORS is enabled. Everything works fine when I set public permissions:

  1. for this Cloud Function "allUsers":"Cloud Function Invoker"
  2. for Cloud Run service (associated with this Gen2 function) "allUsers":"Cloud Run Invoker".

I'm trying to get rid of "allUsers" and let the Gen2 function be invoked only by the website hosted in the Google Storage bucket.

Could you please suggest the right combination of access rights to enable the mentioned access without public access to the Cloud Function? Thank you.

All my attempts lead to a 403 response once I substitute "allUsers" with any of the following (for both Cloud Functions Invoker / Cloud Run Invoker):

  0. project level Service Accounts like @<project_name>.iam.gserviceaccount.com
  1. project level Service Account like <project_id>@cloudservices.gserviceaccount.com
  2. Storage SA like service-<project_id>@gs-project-accounts.iam.gserviceaccount.com
  3. App Engine SA like <project_name>@appspot.gserviceaccount.com
  4. allAuthenticatedUsers
  5. a custom SA for a specific bucket

Solution

  • TL;DR: You can't call a private backend from Cloud Storage serving.

    Why? Because Cloud Storage is only a file server: it serves static website files. That's all.

    Then, the files are interpreted and run in your browser. Whatever you do, it's YOUR browser that performs the action, NEVER Cloud Storage.

    By the way, you can't say "Cloud Storage reaches Cloud Run/Functions"; it's wrong.


    However, you have solutions:

    • Create a first backend in public mode to check the authentication of the user, and then privately call the dedicated backend to achieve the action.
    • Use IAP in front of Cloud Run or App Engine to secure the access. IAP ensures the authentication check and the login page. You can use IAP with Google Accounts but also with a third-party IdP.
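Added example (not the question's or the answer's code) of the first solution above: a public "front" Gen 2 Python function that verifies the signed-in user's Google ID token, applies an allow-list, and only then calls the private backend with an ID token minted for its own service account by the metadata server. The backend URL, OAuth client ID and allow-list are placeholders; only the bucket origin comes from the question.

```python
import json
import urllib.parse
import urllib.request
PRIVATE_BACKEND_URL = "https://PRIVATE-BACKEND-PLACEHOLDER.run.app"  # placeholder
OAUTH_CLIENT_ID = "OAUTH-CLIENT-ID-PLACEHOLDER.apps.googleusercontent.com"  # placeholder
ALLOWED_ORIGIN = "https://<name_of_bucket>.storage.googleapis.com"  # from the question
ALLOWED_EMAILS = {"alice@example.com"}  # constructed allow-list
METADATA_ID_TOKEN_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                         "instance/service-accounts/default/identity")

def authorize(auth_header, verify):
    """(status, claims); verify(token) checks signature/expiry/audience or raises ValueError."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, None
    try:
        claims = verify(auth_header[len("Bearer "):])
    except ValueError:
        return 401, None
    if not claims.get("email_verified") or claims.get("email") not in ALLOWED_EMAILS:
        return 403, None
    return 200, claims

def backend_id_token(audience, urlopen=urllib.request.urlopen):
    """Mint an ID token for this function's own service account (aud = private service)."""
    url = METADATA_ID_TOKEN_URL + "?" + urllib.parse.urlencode({"audience": audience})
    req = urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})
    with urlopen(req) as resp:
        return resp.read().decode()
def call_private_backend(body, urlopen=urllib.request.urlopen):
    """Forward to the private backend; its IAM grants Invoker only to this function's SA."""
    token = backend_id_token(PRIVATE_BACKEND_URL, urlopen)
    req = urllib.request.Request(PRIVATE_BACKEND_URL, data=json.dumps(body).encode(),
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urlopen(req) as resp:
        return resp.status, resp.read().decode()

def front(request):
    """Gen 2 HTTP entry point (Flask-style request): the only publicly invokable function."""
    cors = {"Access-Control-Allow-Origin": ALLOWED_ORIGIN,
            "Access-Control-Allow-Headers": "Authorization, Content-Type"}
    if request.method == "OPTIONS":
        return "", 204, cors
    from google.auth.transport import requests as ga_requests  # google-auth, assumed installed
    from google.oauth2 import id_token
    status, claims = authorize(request.headers.get("Authorization"), lambda t:
        id_token.verify_oauth2_token(t, ga_requests.Request(), OAUTH_CLIENT_ID))
    if status != 200:
        return "", status, cors
    code, text = call_private_backend({"user": claims["email"], "data": request.get_json(silent=True)})
    return text, code, cors
```

With this layout only `front` carries the allUsers binding; the private backend's IAM policy grants Cloud Run Invoker to the front function's service account alone, so a browser calling it directly still gets 403.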