When you try this tutorial, have patience 😋 because it takes a lot of time for a few commands. Take a few breaks in between. And also don't please complete the assignment and comment here. BTW, I made a small mistake in the config; try to find it and comment here.
The x-google-backend address is /hello-world instead of /hello.
Also, Cloud Function has been kept open to public.
@@VIKRAMSHINDE83 spot on !!!👏
@@VIKRAMSHINDE83 I created a private cloud function (allow unauthorized false); still, the API gateway works like a charm
Tip for anyone wondering: In order to make the Cloud Functions URLs private but still accessible to the API Gateway you have to give the API Gateway Service Account the "Cloud Functions Invoker" permissions.
And also remove the "allUsers" Principal from the permissions>Principals list for the Cloud Function since it is often assigned the Cloud Functions Invoker role by default.
This step is very important and should have been in the video. Leaving the Cloud Function public without any invocation restrictions is the opposite of securing it.
Thanks bro.. I have cleared my GCP associate exam...
thank you for this video.. it really helped me out. I converted all the steps in Terraform scripts and it is working fine.
Could you please cr8 pull request
I learned so much from this. Thank you! I learned that yaml files are space sensitive. Yikes!
I am able to access the cloud function using both the API gateway and the cloud function trigger URL. But I want to block direct access to the trigger URL and only allow access through the API gateway. Please suggest.
wow! amazing feature from GCP
Thanks for the great video!! Any chance you might know the answer to why this is happening: When I run curl with my api key as you have above, in terminal I get a response that says "No matches found" for that URL, but then if I copy and paste the same URL with the api key into a browser, I get the correct response from my cloud function?
Great video. Very easy to follow. Is there a way to automate updating the config file?
I am able to access the URL using both the API gateway and the cloud function trigger URL. How can we block direct access to the trigger URL, such that we can access it only by the API gateway URL?
Do a video on how to grab a cloud job after B.Tech! Sir!
As many like me who are interested in cloud are stuck at where to start this!
I am using the API gateway URL in my web application and getting a CORS error. Do you have any demo video or documents, please?
Thanks sir for the video .. request you to please make a video for API gateway with a Keycloak server .. thanks in advance 😇
Wonderful video. I learnt a lot. Google has probably done a lot of clean-up and I think we should be able to update the Config through the console too without much of a problem.
By the way, do you happen to know if GCP's API Gateway will catch up with the popular Kong API Gateway in terms of functionalities such as rate-limiting, security, etc.?
Thanks much.
Do you know how to create a custom subdomain for GCP API Gateway?
How can we connect our custom domain to the Google API gateway?
Thanks for the awesome tutorial :)
Hi.. Where did you get that yaml code....
How to schedule Dataflow jobs instead of cloud functions using Scheduler? Could you please guide
Are there any good resources on how to setup custom domains with API-gateway?
How to configure IAM authorization at both the cloud function level and the API gateway level? Because I enabled JWT using service accounts at the API gateway, but I get a 401 error because the cloud functions are IAM authentication enabled. Any ideas on it, please comment.
Any info on how to set this up with a custom domain/subdomain?
u rock bro.... awesome content .... thanks
Thank you !!
I saved the configuration file in the cloud sdk folder but it's showing me an error: unable to read this file, could not open service config file. Can you tell me the possible reasons for this?
Could you please provide exact steps to reproduce and the error.
@@CloudAdvocate thanks, the issue got resolved
Awesome video... While making the gcloud command for creating the API Gateway I am getting the error Could not open service config file [openapi2-functions.yaml]: Unable to read file [openapi2-functions.yaml]:... Where should I keep the yaml file?
Will this work from outside gcp i.e. from my laptop/on-premise by just passing the api key in api gateway url?
Yes
I have a doubt. Does this curl request send key as GET parameter or in Header? It would be nice if you can show for the Digest and Bearer Token handling method as well.
GET call with HEADER as key.
Bro uses AWS Tshirt to teach GCP🤣🤣....Btw great content though🤝😀
@@tharunps8048 😀
Do you have a talk on Google Cloud IAP?
Is it possible to share the API config file from this example? I want to review the syntax for adding an auth key to secure the function. Or any online reference file.
Hi Noman, the official document (link in the description) has the same config file. I have used the same file.
I am surprised the demo succeeded without binding service account user role to svc-account-api. Per cloud.google.com/api-gateway/docs/configure-dev-env#configuring_a_service_account, you'd need service account user role. Furthermore, you'd secure the cloud function by allowing only svc-account-api to invoke it and bind Cloud function invoker role per cloud.google.com/functions/docs/securing/managing-access-iam. Then unauthenticated calls to cloud function would return 401 making the API gateway the only route to the backend function. Taking 1 step further, if you want to use OpenID tokens to identify the callers, follow cloud.google.com/api-gateway/docs/authenticating-users-googleid or cloud.google.com/api-gateway/docs/authenticate-service-account. Inspect X-Apigateway-Api-Userinfo header in the cloud function hello code to see who's calling.
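An added example, not part of any comment here or of the video's code: a small check that a function's IAM policy leaves the gateway service account as the only invoker, which is the lock-down several commenters describe. The project name, the sample policies and the `audit_invoker_policy` helper are constructed for illustration; `svc-account-api` is the account name mentioned in the comment above.

```python
import json

# Roles that permit invoking the function: 1st gen, and Cloud Run for 2nd gen.
INVOKER_ROLES = {"roles/cloudfunctions.invoker", "roles/run.invoker"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed: svc-account-api (named in the comments) in a placeholder project.
GATEWAY_SA = "svc-account-api@example-project.iam.gserviceaccount.com"

# Constructed sample policies, shaped like the JSON that
# `gcloud functions get-iam-policy NAME --format=json` prints.
OPEN_POLICY = json.dumps({"bindings": [
    {"role": "roles/cloudfunctions.invoker", "members": ["allUsers"]},
]})
LOCKED_POLICY = json.dumps({"bindings": [
    {"role": "roles/cloudfunctions.invoker",
     "members": ["serviceAccount:" + GATEWAY_SA]},
    {"role": "roles/cloudfunctions.viewer",
     "members": ["user:dev@example.com"]},
]})


def audit_invoker_policy(policy_json, gateway_sa):
    """Return findings for a function's IAM policy; an empty list means
    the gateway service account is the only principal that can invoke it."""
    policy = json.loads(policy_json)
    expected = "serviceAccount:" + gateway_sa
    findings = []
    gateway_bound = False
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in INVOKER_ROLES:
            continue  # non-invoker roles do not expose the trigger URL
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(f"PUBLIC: {member} holds {role}")
            elif member == expected:
                gateway_bound = True
            else:
                findings.append(f"EXTRA: {member} holds {role}")
    if not gateway_bound:
        # Without this binding the gateway's own calls are rejected too.
        findings.append(f"MISSING: {expected} has no invoker role")
    return findings


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("locked", LOCKED_POLICY)):
        print(name, audit_invoker_policy(policy, GATEWAY_SA) or "OK")
```
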
Useful video! I followed the full process but the gateway api doesn't block the execution of the cloud function if I don't append an api key in the url. Any idea how I can verify if the api-key is correctly setup on the gateway api?
Hello, did you make sure you have put the key section in the config?
@@CloudAdvocate Thx for the quick reply. Yes added, security: - api_key: [] on the path-part and also securityDefinitions at the bottom of the config file. I've updated the api_key name to the created api-key name.
@@kenboone1049 Maybe you are not using the config with the key then. Did you update it properly? Did you have your old configuration without the key first? Please check from the console what it is using.
@@CloudAdvocate checked it and looks okay. I am trying the service account again since I was using my appspot serviceaccount (app engine default service account)
@@CloudAdvocate the service account is also ok now. But the cloud function is still not accessible via the gateway. If I grant allUsers access to the cloud function, I get the correct response of that cloud function via the gateway api. But the api key is ignored. Which service account do you connect to the cloud function?
I got this error: "Your app contains exposed Google Cloud Platform (GCP) API keys". The Google map is not showing in my app. I'm using Android Studio and Firebase. Please help.
But the API gateway has a maximum timeout of only 10 minutes; how to increase it if a process takes more than 10 minutes to complete?
How to force update an existing api-config?
I am deploying it using Cloud Build and the command will get executed with every commit, and Cloud Build is failing because the same name (api-config) already exists.
Is there any alternative?
For now I used $BUILD_ID with my api-config name; the drawback is there will be a huge backlog of api-configs that I need to get rid of.
is there a way to use oauth2 on api gateway
Thanks for the video. I can see that API gateway URL is secured with an API key. What happens if the cloud functions URL is leaked? How to make sure that the cloud functions URL is also secured? E.g. somebody sends a request directly to the cloud functions.
Good point, you can still do the same way by making cloud function as private or keeping unauthorized false.
@@CloudAdvocate Thank you. If the authorized is false, will the API gateway still be able to reach the cloud functions?
@@awanderingcat365 Yes, it should work.
Is it possible to create API keys programmatically? I.e. my users are allowed to create API keys and revoke them from the webapp.
If you want to authenticate users, you should use JWT way of authentication.
@@CloudAdvocate
API keys identify the calling project - the application or site - making the call to an API.
Authentication tokens identify a user - the person - that is using the app or site.
I'm not done with the vid, but seems like API Gateway Admin is not the best role to give out to 3rd party devs accessing this API, right? I assume a lesser role wrt apigateway would work... would def should. Otherwise callers may be able to use that service account to do things to the gateway config
I see now the keys are for the logged in user who is reviewing the API in services and apis. So how do you restrict the ability to create compatible keys?
When you publish your HTTP function without adding any authentication then it is also publicly accessible. So if someone has the URL of this cloud function he can access it easily. So how are you securing this without adding an API gateway?
You are right Noman, I should have checked that option, else it won't make any sense.
@@CloudAdvocate Actually I am looking for a way by which these cloud functions should be accessible in the GCP environment, not over the internet; then adding an API gateway in front of the cloud function makes sense from a security point of view.
Hey, is there any way to manage CORS in the gateway yet?
I haven't seen that option yet.
This cloud function is not secure. It is still reachable without the API key because you didn't lock down the cloud function with IAP.
An attacker could just bypass your API key by not using the API gateway URL.
@@krebul agreed
When i access Cloud function API directly without which is still accessible
I would suggest to try with securing CF.
Thanks for the Video. Unfortunately, the Google Cloud UI/Console still has lacking features, for example, updating the gateway to use a new config.
Anyway, one thing which is not clarified here is, In your video, the Cloud Function end point is still available without authentication if someone directly calls it. So, your demo only restricts if you access the cloud function via Gateway but does not restrict if you call Cloud Function end point directly.
How do we restrict the cloud function by using "requires authentication" and also use a Gateway?
Thanks
If the cloud function endpoint link is leaked then it will be hacked. How is it secured?
Please try with an authenticated CF.
Swagger doc? It's been OpenAPI for a long time now.
Yes but GCP uses swagger v2.0. It became openapi at v3.
Can I pay you to teach me the basics to create an address verification on my Google Platform?
Could you please send more details to my email.
that's not security.... you can still curl the original CF http ahahah