I am trying to restrict access to a Google Cloud Function by defining an API key in openapi.yaml:
schemes:
  - https
produces:
  - application/json
security:
  - api_key: []
securityDefinitions:
  api_key:
    type: "apiKey"
    name: "mot"
    in: "query"
paths:
  /:
    get:
      summary: Greet a user
      operationId: hello
Deployment steps:
1. gcloud run deploy apikeytst1 --image="gcr.io/endpoints-release/endpoints-runtime-serverless:2" --allow-unauthenticated --platform managed --project=xxxx
2. gcloud endpoints services deploy apikeytst.yaml --project xxxx
3. ./gcloud_build_image -s apikeytst1-yyyyyyyyy-ew.a.run.app -c 2020-10-08r0 -p xxxx
4. gcloud run deploy apikeytst1 --image="gcr.io/xxxxx/endpoints-runtime-serverless:apikeytst1-yyyyyyyyyy-ew.a.run.app-2020-10-08r0" --allow-unauthenticated --platform managed --project=xxxx
But anyone can invoke the function without the key.
It seems like you followed the information provided by Google in setting up the Swagger specification. It probably has something to do with your Cloud Endpoints deployment or permissions. I would advise you to go through all the Cloud Endpoints steps again carefully. If you correctly deployed Cloud Endpoints as a wrapper around your cloud function, you should not be able to invoke the cloud function directly. Instead, use the Cloud Endpoints endpoint with an API key as a query parameter. One crucial step is to remove the allUsers invoker permissions from your cloud function and add the following:
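An audit of the IAM condition the answer above describes, as an added example that is not part of the original answer: it reads a policy in the JSON shape printed by `gcloud functions get-iam-policy --format=json`, lists public members holding `roles/cloudfunctions.invoker`, and builds the tightened policy. The sample policy and the service-account name are constructed placeholders, and which member should keep the invoker role is an assumption.

```python
import copy
import json

INVOKER_ROLE = "roles/cloudfunctions.invoker"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Hypothetical identity of the proxy that should be the only caller (placeholder).
PROXY_MEMBER = "serviceAccount:esp-placeholder@example-project.iam.gserviceaccount.com"

# Constructed sample policy: the function is publicly invocable.
SAMPLE_POLICY = json.loads("""
{"bindings": [
   {"role": "roles/cloudfunctions.invoker",
    "members": ["allUsers", "user:dev@example.com"]},
   {"role": "roles/cloudfunctions.viewer",
    "members": ["group:ops@example.com"]}],
 "etag": "constructed", "version": 1}
""")

def public_invokers(policy):
    """Return the public principals that may invoke the function directly."""
    found = []
    for binding in policy.get("bindings", []):
        if binding.get("role") == INVOKER_ROLE:
            found.extend(m for m in binding.get("members", []) if m in PUBLIC_MEMBERS)
    return sorted(found)

def restrict_invokers(policy, allowed_member):
    """Return a copy with public invokers removed and allowed_member granted."""
    fixed = copy.deepcopy(policy)
    bindings, granted = [], False
    for binding in fixed.get("bindings", []):
        if binding.get("role") == INVOKER_ROLE:
            binding["members"] = [m for m in binding.get("members", [])
                                  if m not in PUBLIC_MEMBERS]
            # Only an unconditional binding guarantees the proxy can always call.
            if "condition" not in binding:
                if allowed_member not in binding["members"]:
                    binding["members"].append(allowed_member)
                granted = True
        if binding.get("members"):  # drop bindings left with no members
            bindings.append(binding)
    if not granted:
        bindings.append({"role": INVOKER_ROLE, "members": [allowed_member]})
    fixed["bindings"] = bindings
    return fixed

if __name__ == "__main__":
    print("public invokers before:", public_invokers(SAMPLE_POLICY))
    tightened = restrict_invokers(SAMPLE_POLICY, PROXY_MEMBER)
    print("public invokers after: ", public_invokers(tightened))
    print(json.dumps(tightened, indent=2))
```
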