App engine can't invoke google cloud function - google-app-engine

I deployed a cloud function and I'm using a nodejs app running on an app engine to access it.
I've added the app engine default service account to my cloud function with the role 'cloud invoker'
I've added the cloud invoker role to my default service account for the app engine
The app engine and cloud function are located in the SAME project
What am I missing to be able to call my cloud function from inside my nodejs app? According to the docs, everything is fine.
p.s. giving AllUsers the cloud invoker role does actually work so the cloud function is fine, it's just the app engine service account that doesn't seem to work.

When you add the Cloud Functions Invoker role you don't add it to the service account, you add it to the receiving function:
gcloud functions add-iam-policy-binding YOUR-FUNCTION-NAME \
--member=serviceAccount:SVC-ACT-NAME@PROJECT-ID.iam.gserviceaccount.com \
--role=roles/cloudfunctions.invoker \
--region=YOUR-REGION
Then when calling the Cloud Function from App Engine, you need to pass the bearer token.
See this link
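
Added example, not part of the original answer: a Node.js sketch of passing the bearer token from App Engine, by requesting an ID token for the runtime service account from the metadata server and sending it in the Authorization header. It assumes Node 18+ (global fetch), that the function's HTTPS URL is the token audience, and the helper names fetchIdToken and invokeFunction are made up for illustration.

```javascript
// Added example: call an IAM-protected HTTP Cloud Function from App Engine.
// Assumption: the runtime exposes the GCP metadata server (App Engine does).
const METADATA_IDENTITY_URL =
  'http://metadata.google.internal/computeMetadata/v1/' +
  'instance/service-accounts/default/identity';

// Ask the metadata server for an ID token minted for the runtime service
// account. The audience must be the URL of the function being called.
// fetchImpl is injectable so the logic can be exercised offline.
async function fetchIdToken(audience, fetchImpl = globalThis.fetch) {
  const url = `${METADATA_IDENTITY_URL}?audience=${encodeURIComponent(audience)}`;
  const res = await fetchImpl(url, { headers: { 'Metadata-Flavor': 'Google' } });
  if (!res.ok) {
    throw new Error(`metadata server returned ${res.status}`);
  }
  return (await res.text()).trim();
}

// POST a JSON payload to the function with the token as a bearer credential.
async function invokeFunction(functionUrl, payload, fetchImpl = globalThis.fetch) {
  const token = await fetchIdToken(functionUrl, fetchImpl);
  const res = await fetchImpl(functionUrl, {
    method: 'POST',
    headers: {
      Authorization: `Bearer ${token}`,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify(payload),
  });
  if (res.status === 401 || res.status === 403) {
    // Token missing or invalid, wrong audience, or the calling service
    // account lacks roles/cloudfunctions.invoker on this function.
    throw new Error(`function rejected the caller (HTTP ${res.status})`);
  }
  if (!res.ok) {
    throw new Error(`function call failed (HTTP ${res.status})`);
  }
  return res.text();
}
```

A 401 or 403 from the function with this code in place points at the IAM binding or the audience, not at the function itself.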

Related

How to restrict access to backend App Engine application from a specific EXTERNAL React-JS frontend?

I would like to access all my Flask routes of my Python application running in a Google App Engine only from a React-JS frontend and therefore deny all other requests which are not coming from that frontend.
So far I've created a Service Account (SA), enabled IAP for the target App Engine resource, assigned the IAP-secured Web App User role to that SA, so that only this SA can access my application.
Now, the missing part is how to let my frontend (in React-JS) use that SA to access the backend resources.

How to integrate reactJS app with Google Cloud Functions and Cloud Run with authentication enabled?

I'm developing a reactJS app that will run in browser. I want to make request from that app to services deployed in Google Cloud Run and Google Cloud Functions, both with authentication enabled, but I don't know how to authenticate requests.
I have Service Account credentials with permissions to invoke those services but I cannot use default credentials due to reactJS environment variables names and I cannot use the NodeJS Google Cloud SDK.
How can I authenticate request to Cloud Functions/Cloud Run from reactJS apps outside of Google Cloud?
You have to use a client-side authentication mechanism. Firebase Auth works very well, and you have the Google Cloud version named Google Identity Platform.
EDIT 1
If your users aren't authenticated, you can't use authentication services. You should want to limit the access, the cost, the abuse of your Cloud Functions and Cloud Run services. For that, you need to use an API Gateway, such as Google Cloud API Gateway, or a more enterprise grade one with Apigee.
You can also use an HTTPS Load Balancer in front of Cloud Functions or Cloud Run and activate Cloud Armor to prevent attacks on your service (but it's not a rate limit).

Using Cloud IAM to limit access to App Engine in Google Cloud Platform

I have an app running on google cloud platform. I have access to lists of people (in my organisation) through Cloud IAM. I only want my app engine app to be accessible to some of these lists with them having to log on with their Google Account before being allowed in to the site (is this how Cloud IAM permissions work or is this single service sign-on?).
What kind of rules or roles do I need to set just to allow groups or lists to see and use an application?
In Cloud IAM I see these potential roles related to App Engine.
The 'App Engine Viewer' role has this description: "Ability to view App Engine app status.". Is this what I want?
You need to use Cloud IAP to limit user authentication to your AppEngine application.
The roles you mentioned (such as AppEngine Viewer...) permit you to limit administration rights on your app: to only publish a new version, or only browse information about your app deployment.
You can start easily with IAP with this good and official tutorial.

Deploying App Engine Flex from Compute Engine with service account

I have setup a compute engine instance for centralised maintenance and updating of App Engine Flex instances. One reason for this is to keep the database and other credentials inside the Google Project and not to store them on local development machines.
When I am trying to flex deploy with
gcloud app deploy
I get an error
ERROR: (gcloud.beta.app.deploy) Permissions error fetching application [<project here>]. Please make sure you are using the correct project ID and that you have permission to view applications on the project.
Service account is default compute engine account and I have enabled Editor role for it in the IAM. I also tried enabling all App Engine roles but it did not change the situation.
Is there a way to make deployments from Compute Engine and if so what would be the correct credentials or am I missing some steps here?
I created a new Compute Engine Instance and tried issuing the same command as you are running. I also encountered the same issue. Here is how I've managed to resolve it.
1) Stop the instance
2) Navigate to IAM > Service Accounts > Create Service Account
3) Create a new service account and ensure you add roles for 'App Engine Admin' or 'App Engine Deployer' in addition to 'Storage Admin', 'Project Editor' and 'Cloud Container Builder Editor' to the service account. So in total you should have a minimum of 4 roles assigned to the service account, plus any other roles you think you may need for your application.
4) Edit the stopped instance (from step 1) and change the service account to the new service account you created.
When you restart the instance you should now have the correct permissions/roles to deploy your App Engine Flex App from the instance.
There was an authorisation issue because the Compute Engine default service account isn't assigned the roles required for deploying applications to App Engine flex, as various APIs are utilised in this process. By assigning the roles required for App Engine Flex deployments to a new service account, and then adding the service account to the instance, the instance then has the required authorisation to interact with other GCP APIs needed for App Engine Flex deployments.

Private server for firebase admin

My question is if I'm using firebase and I also need to do backend stuff, i.e. send an email to the user, register the user in my database. Then I will also need firebase's admin service account set up to verify the user. Now, can I use my own server to run admin service account or does firebase/Google force me to use Google's app engine?
The Firebase Admin SDK can be run on any server that can run the code.
For example, the Admin SDK for Node.js is just a regular node module. This means it can be run on any node environment: your own server, on App Engine Flex/GCE/GKE/etc, or on the serverless Cloud Functions for Firebase. All work equally fine.
