I am trying to find a way to invoke a Google Cloud Function that doesn’t allow unauthenticated calls from Bubble. I don’t want to use Allow unauthenticated for security reasons. Has anyone managed to do it and could explain how he achieved it?
I tried using the following plugin:
When I make an HTTP request to my cloud function using the generated access token, I get the following response: Your client does not have permission to the requested URL.
I guess I am not using this plugin correctly. @nicholasrbarrow is this plugin supposed to work with Google Cloud Function?
Hey dylan3,
I remember struggling with this. I ended up using an API key instead of the service account. The problem is that you cannot use API keys out of the box with cloud functions. I ended up having the key checked by the function. However, you can have a more sophisticated approach with API Gateway / Cloud Endpoints if you have a more complex API (e.g. api key - Accessing Google Cloud Function via API Key - Stack Overflow).
Haven’t tried the plugin and also would like to hear if someone got it to work with service accounts.
Andrej @ anivdev.com
Have a project in mind? Feel free to reach out, no strings attached.
Checking the key in the function is what I am currently doing, but it doesn’t prevent someone from triggering my cloud function if he finds the URL.
I will definitely try API Gateway / Cloud Endpoints.
Thank you for your answer!
Hey, you’re welcome.
Yes, of course, it will trigger, but nothing will happen. Unless you’re concerned about the cost, but that is minimal… Even gateways, in simple terms, work by placing another function that is called before your function that checks the API key.
However, if you really need a secure, robust/enterprise implementation, I’d definitely go for gateway/endpoints.
Hi @dylan3:
As far as I know, this method (the service account plugin) should work with any Google Cloud APIs (a quick Google search of their documentation seems to confirm this: Authenticating as a service account | Authentication | Google Cloud). However, I myself have never used it to authenticate to Google Cloud APIs.
A quick way to confirm that your Bubble setup is correct is to access an easier API, such as Google Directory or Google Drive. You can try to read data from there. If you can successfully get the Service Account running with an easy API, you can at least confirm your setup is good, and then work towards Google Cloud functions.
Thank you for your answer. I did what you suggested and I can confirm that it works fine with other Google APIs.
I guess Cloud Functions are just not meant to work with access tokens
It looks like Google Cloud functions use Identity Tokens, not Bearer/Authorization Tokens (which is what the service account provides): OAuth2 authentication for a Cloud function - Stack Overflow. However, the stack reply does list a method for turning a service account file into an identity token… maybe this could help?
You are right.
The method provided in Stack Overflow works in a Python environment but I don’t know how to replicate this inside Bubble.
Thanks again for your help
It works but you need to make 3 requests before you call your Cloud Function (Create assertion / Request Bearer Token / Request Id Token) → This is super slow
It also forces you to specify your cloud function url in the Plugins > API Connector and in the WF calling your Cloud Function.
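An added example, not part of any post in this thread and not the Stack Overflow code it mentions: for the service-account route discussed above, the signed assertion can carry a `target_audience` claim, and Google's token endpoint then returns an `id_token` for that audience in its response. The function names, the sample values, and the caller-supplied `sign` callable (RS256 with the service account's private key) are assumptions.

```python
import base64
import json
import time
import urllib.parse

TOKEN_URI = "https://oauth2.googleapis.com/token"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_assertion(sa_email, key_id, function_url, sign, now=None, ttl=300):
    """Return a signed JWT asking Google for an ID token scoped to function_url.

    `sign` is an assumption of this example: a callable taking the signing
    input (bytes) and returning an RS256 signature made with the service
    account's private key. It is not implemented here.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "kid": key_id}
    claims = {
        "iss": sa_email,
        "sub": sa_email,
        "aud": TOKEN_URI,                 # the assertion is addressed to Google
        "target_audience": function_url,  # becomes `aud` of the returned ID token
        "iat": now,
        "exp": now + ttl,                 # keep the assertion short-lived
    }
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    return signing_input + "." + b64url(sign(signing_input.encode("ascii")))


def token_request_body(assertion):
    """Form body to POST to TOKEN_URI; the JSON reply carries `id_token`."""
    return urllib.parse.urlencode({"grant_type": GRANT_TYPE, "assertion": assertion})


def function_auth_header(token_response_json):
    """Build the header for the function call from the token endpoint's reply."""
    id_token = json.loads(token_response_json)["id_token"]
    return {"Authorization": "Bearer " + id_token}
```

The service account still needs permission to invoke the function, and the ID token expires, so a caller should cache it until shortly before `exp` rather than repeating the exchange on every call.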