GCP: Calling a Cloud Function via API Gateway using a Google ID received from 'Sign In With Google for Web'


[Diagram: Sign In With Google in the browser (1) -> API Gateway (2) -> Cloud Function (3)]

Hi, I’m wondering if the above diagram is something that is even possible with GCP. I’ve been able to get to the point where, if the Cloud Function (3) is configured to require authentication, I get a 403 Forbidden, whereas if I turn off "require authentication" the call is successful.

My goal is to NOT have the Cloud Function publicly accessible.

I believe all service accounts have been granted the necessary Cloud Invoker roles. If the service accounts didn’t have the proper roles to invoke the Cloud Function, then I would expect it not to work even when the function was configured to not require authentication. However, there are a lot of places where the service account needs to be specified, e.g. on the GCP gateway, the gateway config file and the API, so maybe there is an option I missed?

My API Gateway (2) is configured to allow the Google ID tokens to authenticate users as described here: https://cloud.google.com/api-gateway/docs/authenticating-users-googleid

Finally, I’m using ‘Sign In with Google For Web’ (1) as described here: https://developers.google.com/identity/gsi/web/guides/overview and using the credential returned by the JavaScript API to call the endpoint specified in the API Gateway.

Any help is appreciated!

Quick Edit: In (1), I call the API Gateway either by adding a header of Authorization: Bearer $(credential_returned_from_sign) to my HTTP call, or, to speed things up while testing, I have been copying and pasting the returned credential into Postman and placing the credential in the Authorization >> Bearer Token screen of a Postman request.

Edit No. 2: I've created a small GitHub gist with the details of how I'm calling the API Gateway from the browser as well as the config file that I'm using to configure my API Gateway: https://gist.github.com/nealgriffin/5110690d1b0fcba457cd26ab2ecb3dbf. If any of the details there are helpful, I'll update this question with those details.
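As an added example (not the asker's gist and not Google's sample), this is the shape of an API Gateway OpenAPI 2.0 config that implements the two hops in the diagram: the gateway (2) accepts the Google ID token issued by Sign In With Google (1), and then calls a Cloud Function (3) that requires authentication. PROJECT_ID, REGION, FUNCTION_NAME and WEB_CLIENT_ID are placeholders, and the /hello path is invented for illustration.

```yaml
# Added example, not the asker's config. Placeholders: PROJECT_ID, REGION,
# FUNCTION_NAME, WEB_CLIENT_ID.
swagger: "2.0"
info:
  title: hello-api
  version: "1.0.0"
schemes:
  - https
produces:
  - application/json

# Hop (1) -> (2): the gateway validates the Google-signed ID token sent by
# the browser in "Authorization: Bearer <credential>". x-google-audiences
# must equal the OAuth web client ID used by the sign-in button, because
# that value is the `aud` claim inside the returned credential.
securityDefinitions:
  google_id_token:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://accounts.google.com"
    x-google-jwks_uri: "https://www.googleapis.com/oauth2/v3/certs"
    x-google-audiences: "WEB_CLIENT_ID.apps.googleusercontent.com"

paths:
  /hello:
    get:
      summary: Proxied to a Cloud Function that requires authentication
      operationId: hello
      security:
        - google_id_token: []
      # Hop (2) -> (3): the gateway does not pass the user's credential on.
      # It mints a new ID token for its own service account (the one given
      # with --backend-auth-service-account when the API config is created)
      # and sends that to the backend. jwt_audience is the `aud` placed in
      # that token; for a Cloud Function it is the function's own URL.
      x-google-backend:
        address: https://REGION-PROJECT_ID.cloudfunctions.net/FUNCTION_NAME
        jwt_audience: https://REGION-PROJECT_ID.cloudfunctions.net/FUNCTION_NAME
      responses:
        "200":
          description: OK
```

The check this config makes explicit: the identity that reaches the Cloud Function at (3) is the gateway's backend service account, not the signed-in user, so that service account is the one that needs the Cloud Functions Invoker role on the function, while the user's own token is only validated at (2) and forwarded to the backend in the X-Forwarded-Authorization header. Granting invoker roles to other accounts does not affect the 403 from this hop.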

Answer:

I am having the exact opposite problem: my Cloud Function can only be called using an identity token. But from my API Gateway I can go to the configured path without a token and I get the same response.