Authentication in HTTP Google Cloud Functions
To use Cloud Functions you need to put your modules in buckets. By granting the account the ‘storage.buckets.get’ permission on the bucket, you authorize the service account to trigger your HTTP Cloud Function; similarly, you revoke authorization by removing the ‘storage.buckets.get’ permission from another service account.
To set up the ‘storage.buckets.get’ permission you need to either select “Storage Admin” from the standard roles, pick ‘storage.legacyBucketReader’/‘storage.legacyBucketWriter’ from the legacy roles, or define a custom role with the ‘storage.buckets.get’ permission.
The solution proposed in the link you posted is indeed one of the ways. In fact, you can use any other Google Cloud Platform product (not only Storage buckets) to check the chosen account's permissions on it.
An alternative that can work is:
- Prepare a Cloud Function that will have the authorized users' emails listed.
- The Cloud Function retrieves the 'Authorization' header of the incoming HTTP request, which contains the token generated for the account that made the request.
- The function calls the tokeninfo endpoint using the mentioned header to retrieve the email of the account (from the JSON response body). The URL returning the email will look like this:

  url = "https://www.googleapis.com/oauth2/v1/tokeninfo?fields=email&access_token=" + token_from_the_request_header;

- Verify that the returned email is in the list of authorized ones.
- ... if yes, execute the function's logic.
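The allowlist check described in the answer above, written out as an added example (this is not the answerer's code). It reads the `Authorization` header, asks the tokeninfo endpoint for the token's email, and runs the protected logic only if that email is on the list. The allowlist entries, the `handle_request` name, and the `FAKE_TOKENINFO` responses used to exercise it offline are assumptions constructed for the demo; in a deployed function you would pass the real `fetch_tokeninfo` and `request.headers`. Two practitioner details the answer leaves implicit are made explicit here: every failure (missing header, invalid or expired token, endpoint error) is treated as "not authorized", and the `verified_email` flag returned by tokeninfo is honoured.

```python
"""Allowlist-based caller check for an HTTP Cloud Function via the tokeninfo endpoint.

Added example, not from the original answer. AUTHORIZED_EMAILS, handle_request()
and the FAKE_TOKENINFO responses are constructed/hypothetical for this demo.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# tokeninfo endpoint named in the answer; queried with the caller's access token.
TOKENINFO_URL = "https://www.googleapis.com/oauth2/v1/tokeninfo"

# Assumed allowlist (hypothetical identities). Stored lower-case so the
# comparison is case-insensitive.
AUTHORIZED_EMAILS = frozenset(e.lower() for e in (
    "alice@example.com",
    "deployer@my-project.iam.gserviceaccount.com",
))


def extract_bearer_token(headers):
    """Return the raw token from 'Authorization: Bearer <token>', or None."""
    value = headers.get("Authorization") or headers.get("authorization")
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def fetch_tokeninfo(token, timeout=5):
    """Ask Google's tokeninfo endpoint about an access token; return the JSON dict.

    Network and HTTP errors propagate so the caller can fail closed."""
    query = urllib.parse.urlencode({"access_token": token})
    with urllib.request.urlopen(f"{TOKENINFO_URL}?{query}", timeout=timeout) as resp:
        return json.load(resp)


def caller_email(headers, fetch=fetch_tokeninfo):
    """Resolve the caller's verified email from the request, or None.

    Any failure (no header, bad token, endpoint error, expired token,
    unverified email) yields None: the check fails closed."""
    token = extract_bearer_token(headers)
    if token is None:
        return None
    try:
        info = fetch(token)
    except (urllib.error.URLError, ValueError, OSError):
        return None
    email = info.get("email")
    if not email or info.get("verified_email") is False or info.get("expires_in", 1) <= 0:
        return None
    return email.lower()


def is_authorized(email, allowlist=AUTHORIZED_EMAILS):
    return email is not None and email in allowlist


def handle_request(headers, fetch=fetch_tokeninfo):
    """Gate the function's real logic behind the allowlist.

    Returns (status_code, body) as a Flask-style view would. In a deployed
    function the entry point would be: def entry(request): return
    handle_request(request.headers)."""
    email = caller_email(headers, fetch)
    if not is_authorized(email):
        # One response for "no token", "bad token" and "not listed": no oracle.
        return 403, "Forbidden"
    return 200, f"Hello, {email}: running the protected logic"


# Constructed tokeninfo responses, keyed by token, standing in for the live
# endpoint so the example runs offline.
FAKE_TOKENINFO = {
    "tok-alice": {"email": "Alice@example.com", "verified_email": True, "expires_in": 3500},
    "tok-mallory": {"email": "mallory@example.com", "verified_email": True, "expires_in": 3500},
    "tok-expired": {"email": "alice@example.com", "verified_email": True, "expires_in": 0},
}


def fake_fetch(token):
    """Offline stand-in for fetch_tokeninfo; unknown tokens raise like an HTTP 400."""
    try:
        return FAKE_TOKENINFO[token]
    except KeyError:
        raise urllib.error.HTTPError(TOKENINFO_URL, 400, "invalid_token", None, None)


if __name__ == "__main__":
    for hdrs in ({"Authorization": "Bearer tok-alice"},
                 {"Authorization": "Bearer tok-mallory"},
                 {"Authorization": "Bearer tok-expired"},
                 {"Authorization": "Bearer garbage"},
                 {}):
        print(hdrs, "->", handle_request(hdrs, fetch=fake_fetch))
```

Because `handle_request` takes the fetcher as a parameter, the same code path is exercised by the constructed responses above and by the live endpoint in production; swapping `fake_fetch` for `fetch_tokeninfo` is the only change.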