firebase-authentication google-cloud-run firebase-hosting

Cloud Run: restrict traffic from Firebase Hosting?


I'm building an app with React as the front end, hosted on Firebase Hosting.

I'd like to build an API server for the front end, and I'm considering FastAPI + Docker deployed to Cloud Run.

https://firebase.google.com/docs/hosting/cloud-run#direct_requests_to_container
https://cloud.google.com/run/docs/integrate/firebase-hosting

I found these 2 tutorials about how to connect Firebase Hosting to Cloud Run, but I'd like Cloud Run to only accept access from the Firebase Hosting app.

Is there any way to achieve this?

===== update ============================================

I read from https://cloud.google.com/run/pricing that

Requests are only billed when they reach the container after successfully being authenticated, requests denied by IAM policy are not billed.

And under that link in the quote, there's a document about how to authenticate end users (https://cloud.google.com/run/docs/authenticating/end-users) and a detailed tutorial (https://cloud.google.com/run/docs/tutorials/identity-platform).

Using Firebase Authentication is similar to using Identity Platform.

I'm a little confused about the authentication.

Does it mean I can:

  1. authenticate the user with Firebase Authentication
  2. get an idToken and put it in a header
  3. at the Cloud Run API server, check the token
    1. if no token or invalid token, return 401 or 403, request is NOT billed
    2. if valid token, process, request is billed

Is that right?
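
Steps 2 and 3 of the list above, as an added example that is not code from the question or the answers: a framework-agnostic gate that reads the `Authorization: Bearer` header and verifies the ID token with the Firebase Admin SDK's `auth.verify_id_token`. The function names `firebase_verifier`, `bearer_token` and `authorize` are hypothetical, and the code assumes `firebase_admin.initialize_app()` was called at startup; note that this check runs in application code, so it happens after the request has reached the container.

```python
"""Added example: gate an API request on a Firebase ID token."""
from typing import Callable, Mapping, Optional, Tuple


def firebase_verifier(token: str) -> dict:
    # Real verification via the Firebase Admin SDK (pip install firebase-admin).
    # Assumes firebase_admin.initialize_app() ran at startup. Imported lazily
    # so the rest of this module loads without the SDK installed.
    from firebase_admin import auth
    return auth.verify_id_token(token)  # raises on bad signature, expiry, audience


def bearer_token(headers: Mapping[str, str]) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>', else None."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, token = value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token or " " in token:
        return None
    return token


def authorize(headers: Mapping[str, str],
              verify: Callable[[str], dict] = firebase_verifier) -> Tuple[int, dict]:
    """Return (status, body). Fails closed: any verifier error becomes a 401."""
    token = bearer_token(headers)
    if token is None:
        return 401, {"error": "missing bearer token"}
    try:
        claims = verify(token)
    except Exception:
        # The SDK raises several error types (malformed, expired, revoked ...);
        # none of them may let the request through.
        return 401, {"error": "invalid token"}
    uid = claims.get("uid") or claims.get("sub")
    if not uid:
        return 401, {"error": "invalid token"}
    return 200, {"uid": uid}
```

In a FastAPI app the same logic would sit in a dependency that raises `HTTPException(status_code=401)` when `authorize` does not return 200.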


Solution

  • I have the same issue and I used Firebase App Check.

    App Check helps protect your API resources from abuse by preventing unauthorized clients from accessing your backend resources. It works with both Google services (including Firebase and Google Cloud services) and your own APIs to keep your resources safe.

    Steps: