Secure Google Cloud Functions with API Gateway
Create an interface to protect your resources
In my previous article, I give security advice for full-stack beginners. I talk about many aspects to be considered when deploying a backend online. One of them (and I insist!!) concerns the importance of having an API Gateway protecting public routes.
I will show how to easily set up a gateway that will protect and monitor Google Cloud Functions.
In a second article, I am explaining how to add an API key to the gateway and how to rate limit its usage.
Intro
In this tutorial and the following one, I will show how to create two Google Cloud Functions (GET and POST) and set up a secured and monitorable API using API Gateway.
API Gateway gives a lot of flexibility about how we deploy and how we scale our different services. It give an interface that have access to all resources of our API. It provides an API console, hosting, logging, monitoring and other features to help us to create, share, maintain and secure APIs.
To get started, we only need an Open API specification that define each of the resources of our API.
Let’s say we are building an API for a smoothies bar. It will have two routes : GET /listSmoothies and POST /orderSmoothies to respectively get all the available smoothies and order a smoothie.
Not to mention that our smoothies are made with local, seasonal and organic fruits.
Prerequisite
This tutorial assumes you have :
- Basic Python knowledge
- Basic Google Cloud Platform knowledge
- Billing enabled for Google Cloud Platform
- Cloud SDK installed
- 15 minutes (10 minutes deployment)
Create Google Cloud Functions
Create two folders : listSmoothies and orderSmoothie and create empty files main.py and requirements.txt :
mkdir listSmoothies
mkdir orderSmoothietouch listSmoothies/main.py
touch orderSmoothie/main.pytouch listSmoothies/requirements.txt
touch orderSmoothie/requirements.txt
List Smoothies
In /listSmoothies/requirements.txt add this line and save :
flask==1.1.2In /listSmoothies/main.py, paste this code :
In /listSmoothies folder, run this command to deploy the function in private mode :
gcloud functions deploy listSmoothies --region=europe-west2 --trigger-http --entry-point listSmoothies --runtime python38 --no-allow-unauthenticatedDeployment takes up to 2 minutes.
Once deployed, call the function using the URL given after the command finished :
https://europe-west2-YOUR-PROJECT.cloudfunctions.net/listSmoothiesWe get this result :
We’re done for listSmoothie.
Order Smoothie
In /orderSmoothie/requirements.txt add this line and save :
flask==1.1.2In /orderSmoothie/main.py, paste this code :
In /orderSmoothie folder, run this command to deploy the function in private mode :
gcloud functions deploy orderSmoothies --region=europe-west2 --trigger-http --entry-point orderSmoothies --runtime python38 --no-allow-unauthenticatedDeployment takes up to 2 minutes.
Once deployed, call the function using Postman and the URL given after the command finished :
https://europe-west2-YOUR-PROJECT.cloudfunctions.net/orderSmoothiesWe get this result :
We are done for orderSmoothie.
Our functions can’t be accessed by everyone, it ensure that every calls are coming through API Gateway and will be monitored.
Create the API
- Connect to your Google Cloud Console : https://console.cloud.google.com/api-gateway/api
2. You might be asked to enable API Gateway API, Service Management API and Service Control API, accept the three of them.
If you prefer command lines, run those :
gcloud services enable apigateway.googleapis.com
gcloud services enable servicemanagement.googleapis.com
gcloud services enable servicecontrol.googleapis.com 3. Click “Create Gateway”
4.
API Part
Give your API a display name and an ID using small caps and hyphens ONLY.
For our smoothies, I chose the following values :
Name : SmoothAPIID : smoothapi
Keep this ID somewhere accessible, we will need it a few times.
API Config Part
- Keep “Create new API config”
2. Choose a Display Name for this config => For an API, you can have many configurations (you might add routes or have a staging, dev and prod config).
Api Config Name : Medium Config3. API Specs :
API Gateway use the OpenAPI Specification (OAS) to define its APIs.
It’s basically a YAML file defining routes, methods and parameters accepted by an API.
The most important part is in the paths key. It defines different routes of our API : name, method, address, response format.
For this API, download, edit with your PROJECT and upload the following YAML:
(IMPORTANT NOTE) As of March 2023, API Gateway still use OpenAPI v2. If you are adding path parameters or other specific need, check the correct version ;)
4. Service Account
You have to create a service account (https://console.cloud.google.com/iam-admin/serviceaccounts/create) that will be used by API Gateway to call our Cloud Functions. In our Smoothie case, we only need to have a run.invoker role on Google Cloud Function (but you could have Cloud Run and more).
Gateway part
Give a name to the Gateway and a region.
Name : SmoothAPI GatewayDeployment
Click deplooooy!
Deployment is quite long, it takes from months to years. You can check the progress with the bell on the right top side.
Access the API
After deployment, click the API name.
You will see 4 tabs, click Gateways.
Mine is https://smoothapi-gateway-8bn14ml3.nw.gateway.dev
Gateway URL is the new endpoint from where we can access our Google Cloud Functions.
We can now list smoothies with the route /listSmoothies and order a smoothie with the route /orderSmoothie.
In https://console.cloud.google.com/api-gateway/api , after clicking SmoothAPI, we can monitor the number of requests on each route, the number of failure, the latency…
Rate Limit & Secure the API with API Keys
Adding quotas to the API isn’t an easy task : it’s not documented in API Gateway documentation.
But I found a hack.
I explain the hack and also how to add an API Key to the API in this article :
Adios hippos! Thanks for reading!
