I have a GCP Cloud Function in a web app. I initially ran this by requiring authentication through a service account. I ran my app locally by authenticating with my service account's JSON file credentials. I will soon be deploying this app to a third party VPS server. I don't want to upload my service account credentials to a third party VPS so I set up an API Gateway. This works without requiring my credentials. My config file for the API Gateway looks like this:
```yaml
swagger: '2.0'
info:
  title: api-gateway
  description: API Gateway
  version: 1.0.0
schemes:
  - https
produces:
  - application/json
paths:
  /v1/hello:
    get:
      summary: Hi Service
      operationId: hello-v1
      x-google-backend:
        address: <CLOUD_RUN_URL>
      responses:
        '200':
          description: OK
```
I just run `curl https://{gatewayId}-{hash}.{region_code}.gateway.dev/v1/hello` with my correct values replacing the placeholders and my cloud function actually ran without requiring any credentials.
At first I was glad that it worked, but then it occurred to me that I'm just trading one vulnerability for another. I can now call a function without authenticating lol. So is there at least a way to only allow my cloud function to be called through my API URL when it is accessed from a particular caller domain? That way only my VPS could call the function through this link. I don't want to do this with a CORS policy in my function because the function would technically still run and therefore run up my GCP bill.
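For comparison with the open config above, here is an added example (not part of the original post) of the same spec with an API key requirement, which API Gateway checks before it forwards a request to the backend. The scheme name `api_key` and the `401` response entry are illustrative choices; the example assumes an API key has been created in the project and the gateway's managed service is enabled there.

```yaml
swagger: '2.0'
info:
  title: api-gateway
  description: API Gateway
  version: 1.0.0
schemes:
  - https
produces:
  - application/json
# Added: declare an API key scheme. API Gateway reads the key from the
# "x-api-key" header (the alternative is a "key" query parameter).
securityDefinitions:
  api_key:            # illustrative scheme name
    type: apiKey
    name: x-api-key
    in: header
# Added: require the key on every operation in this spec. Requests without
# a valid key are rejected at the gateway and never reach the function.
security:
  - api_key: []
paths:
  /v1/hello:
    get:
      summary: Hi Service
      operationId: hello-v1
      x-google-backend:
        address: <CLOUD_RUN_URL>
      responses:
        '200':
          description: OK
        '401':
          description: Missing or invalid API key
```

A Google Cloud API key can also carry an application restriction that limits it to specific caller IP addresses, which maps more closely to "only my VPS" than a CORS policy does. The key is then the only secret stored on the VPS, and it can be rotated or deleted without touching the service account.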