Secure Google Cloud Functions with API Gateway

Create an interface to protect your resources

Photo by Sara Julie on Unsplash — This glass probably need an API Gateway

In my previous article, I give security advice for full-stack beginners. I talk about many aspects to be considered when deploying a backend online. One of them (and I insist!!) concerns the importance of having an API Gateway protecting public routes.

I will show how to easily set up a gateway that will protect and monitor Google Cloud Functions.

In a second article, I am explaining how to add an API key to the gateway and how to rate limit its usage.

Intro

In this tutorial and the following one, I will show how to create two Google Cloud Functions (GET and POST) and set up a secured and monitorable API using API Gateway.

API Gateway gives a lot of flexibility about how we deploy and how we scale our different services. It give an interface that have access to all resources of our API. It provides an API console, hosting, logging, monitoring and other features to help us to create, share, maintain and secure APIs.

To get started, we only need an Open API specification that define each of the resources of our API.

Let’s say we are building an API for a smoothies bar. It will have two routes : GET /listSmoothies and POST /orderSmoothies to respectively get all the available smoothies and order a smoothie.

Not to mention that our smoothies are made with local, seasonal and organic fruits.

Prerequisite

This tutorial assumes you have :

Create Google Cloud Functions

Create two folders : listSmoothies and orderSmoothie and create empty files main.py and requirements.txt :

mkdir listSmoothies
mkdir orderSmoothie
touch listSmoothies/main.py
touch orderSmoothie/main.py
touch listSmoothies/requirements.txt
touch orderSmoothie/requirements.txt

List Smoothies

In /listSmoothies/requirements.txt add this line and save :

flask==1.1.2

In /listSmoothies/main.py, paste this code :

In /listSmoothies folder, run this command to deploy the function in private mode :

gcloud functions deploy listSmoothies --region=europe-west2 --trigger-http --entry-point listSmoothies --runtime python38 --no-allow-unauthenticated

Deployment takes up to 2 minutes.

Once deployed, call the function using the URL given after the command finished :

https://europe-west2-YOUR-PROJECT.cloudfunctions.net/listSmoothies

We get this result :

We’re done for listSmoothie.

Order Smoothie

In /orderSmoothie/requirements.txt add this line and save :

flask==1.1.2

In /orderSmoothie/main.py, paste this code :

In /orderSmoothie folder, run this command to deploy the function in private mode :

gcloud functions deploy orderSmoothies --region=europe-west2 --trigger-http --entry-point orderSmoothies --runtime python38 --no-allow-unauthenticated

Deployment takes up to 2 minutes.

Once deployed, call the function using Postman and the URL given after the command finished :

https://europe-west2-YOUR-PROJECT.cloudfunctions.net/orderSmoothies

We get this result :

We are done for orderSmoothie.

Our functions can’t be accessed by everyone, it ensure that every calls are coming through API Gateway and will be monitored.

Create the API

  1. Connect to your Google Cloud Console : https://console.cloud.google.com/api-gateway/api

2. You might be asked to enable API Gateway API, Service Management API and Service Control API, accept the three of them.

If you prefer command lines, run those :

gcloud services enable apigateway.googleapis.com 
gcloud services enable servicemanagement.googleapis.com
gcloud services enable servicecontrol.googleapis.com

3. Click “Create Gateway”

4.

API Part

Give your API a display name and an ID using small caps and hyphens ONLY.

For our smoothies, I chose the following values :

Name : SmoothAPIID : smoothapi

Keep this ID somewhere accessible, we will need it a few times.

API Config Part

  1. Keep “Create new API config”

2. Choose a Display Name for this config => For an API, you can have many configurations (you might add routes or have a staging, dev and prod config).

Api Config Name : Medium Config

3. API Specs :

API Gateway use the OpenAPI Specification (OAS) to define its APIs.

It’s basically a YAML file defining routes, methods and parameters accepted by an API.

The most important part is in the paths key. It defines different routes of our API : name, method, address, response format.

For this API, download, edit with your PROJECT and upload the following YAML :

4. Service Account

You have to create a service account (https://console.cloud.google.com/iam-admin/serviceaccounts/create) that will be used by API Gateway to call our Cloud Functions. In our Smoothie case, we only need to have a run.invoker role on Google Cloud Function (but you could have Cloud Run and more).

Select “Cloud Function Invoker”

Gateway part

Give a name to the Gateway and a region.

Name : SmoothAPI Gateway

Deployment

Click deplooooy!

Deployment is quite long, it takes from months to years. You can check the progress with the bell on the right top side.

Access the API

After deployment, click the API name.

You will see 4 tabs, click Gateways.

Mine is https://smoothapi-gateway-8bn14ml3.nw.gateway.dev

Gateway URL is the new endpoint from where we can access our Google Cloud Functions.

We can now list smoothies with the route /listSmoothies and order a smoothie with the route /orderSmoothie.

Huuuuurrrrayyyyyy!! Instagramable smoothies!!

In https://console.cloud.google.com/api-gateway/api , after clicking SmoothAPI, we can monitor the number of requests on each route, the number of failure, the latency…

Rate Limit & Secure the API with API Keys

Adding quotas to the API isn’t an easy task : it’s not documented in API Gateway documentation.

But I found a hack.

I explain the hack and also how to add an API Key to the API in this article :

Adios hippos! Thanks for reading!

Future Unicorn Founder — Using tech for good