I want to access Youtube Content Owner API with Google Cloud Functions. For that the service account used by GCF has to have access to that API.
When I create a Google Cloud Function, it's automatically assigned a service account. In this case the "App Engine default service account". I have a few questions about this.
Does Google Cloud Function always use "App Engine default service account" as the service account?
While editing the cloud function, I cannot see any way to change a service account of a Google Cloud Function. Once it is set up for a Cloud Function, the service account can not be changed, right?
If the default service account is given access to Youtube Content Owner API then Google Cloud Functions will have it, too?
Yes, Cloud Functions use the App Engine default service account, as explained here.
Indeed there is no such option yet. There is a public Feature Request opened for this if you are interested.
True, Cloud Function will inherit all the access right from the default service account.
Alternatively, to use credentials with Cloud Functions other then the App Engine Default service account you could:
use an authentication token
upload a non-default service account directly with your Cloud Function and use it from with in it as described here
Related
As seen below I am editing the permissions for access to my Cloud Function called task. I am following the advice from GCP that says the following:
This resource is public and can be accessed by anyone on the internet.
To remove public access, remove "allUsers" and "allAuthenticatedUsers"
from the resource's members.
so that my function can only be called from my GCP. So I removed the allUsers access for the Cloud Functions Invoker role. But now I am trying to add a new member (service account) with the Cloud Functions Invoker role:
However I don't know what service account my Cloud Tasks are fired from. I've created a new service account with only Cloud Tasks permissions but I don't know how to actually make my Cloud Tasks use this service account when executing. There doens't seem to be an option for that:
Any idea?
According to the Google docs, "Cloud Tasks can call HTTP Target handlers that require authentication if you have a service account with the appropriate credentials to access the handler."
You may need to create a service account and give the appropriate roles to it.
Please follow the official Google documentation [1] where the steps to follow are detailed.
[1] - https://cloud.google.com/tasks/docs/creating-http-target-tasks#sa
I have a cloud function that has restricted access by Cloud IAM. I have an external service (Auth0) that launches hooks when something happens. I want that hook to trigger my Cloud Function. However the hook should authorize itself beforehand with Cloud IAM.
What I want to do:
Create a new member auth0-hooks
Give that member the Cloud Function Invoker permission
In the hook's code I want to fetch a IAM token from Google (metaserver?)
Use that token within the request to the Cloud Function trigger URL
Trigger access through Cloud IAM and the given token
I am currently stuck in the step of creating a new member auth0-hooks. I thought that's a trivial one but quickly figured out that there is no way to simply add a new member? I thought about creating a service-account but was unsure if a service-account can be used from outside (by requesting the access token of it via the google metaserver)?
That's where I am stuck currently
The service account is the correct way. A service account is a technical account. Like a user account, but for servers.
You can grant permissions on it. When you need to use this service account from outside GCP environment, you need to create a service account key file which contain a private key (it's a secret, keep it safe!). With this service account key file you are able to generate an identity token required by your hook to call the Cloud Functions and be authenticated and authorized.
The Google Cloud Auth libraries help you, in several languages.
Note: metadata server are only internal services on Google Cloud, not reachable externally.
I've read much documentation but all of them require me to oauth2 tokens or set environment variables to a json file that contains my credentials... That's nice when I run this locally, but how would I run this in the cloud? Such as firebase functions?
There is an example to cap billing on the public docs. Notice that you'll need to assign the Billing Account Administrator role to the runtime service account (generally the App Engine's default service account, but you can change that) for your Cloud Functions for it to work. As using the client libraries will handle the authentication and authorization automatically based on the permissions assigned to that particular service account.
I'm deploying a Cloud Function which interacts with Google Drive. As far as I can tell, there's no way to use the implicit Cloud Function credentials or related environment variables to authorize with Drive, so I've had to resort to either including the credentials.json service account key file in the Cloud Function bundle or by setting an environment variable using that same key file during deployment of the Cloud Function.
It'd seem to me that you would be able to use the Cloud Function's implicit service account and credentials in order to achieve this.
You can specify a identity service account on Cloud Function. By the way, instead to use the default compute service account, you can use this one that you want.
Then you can share a document, or a shared drive with the service account email. By the way, the service account of the function will have access to this drive element.
However, it's not enough. When you will perform the request to the Google Drive API, you have to provide an authentication token in the header of the request. You can find here how to request the Cloud Function metadata server to get this token and then reuse it to your Google Drive API call.
I have a Google Cloud Platform service account with domain-wide authority. I can add it to a Google Analytics API call from my terminal and it works correctly. However, I would like to run that same script as a Google Cloud Function and reference the service account in GCP without including the client_secret_service_account.json file (like below) in the repository or anywhere outside of GCP. Is that possible?
KEY_FILE_LOCATION = 'client_secret_service_account.json'
You can now reference the service account when deploying Cloud Functions. Check documentation for gcloud.
When using GCP console, expand "Advanced options" to inform the service account