Secure Google Cloud Functions with API Gateway
Create an interface to protect your resources
In my previous article, I gave security advice for full-stack beginners and covered many aspects to consider when deploying a backend online. One of them (and I insist!!) is the importance of having an API Gateway protecting public routes.
I will show how to easily set up a gateway that will protect and monitor Google Cloud Functions.
In a second article, I explain how to add an API key to the gateway and how to rate limit its usage.
In this tutorial and the following one, I will show how to create two Google Cloud Functions (GET and POST) and set up a secure, monitorable API using API Gateway.
API Gateway gives a lot of flexibility in how we deploy and scale our different services. It provides a single interface with access to all the resources of our API, along with an API console, hosting, logging, monitoring and other features that help us create, share, maintain and secure APIs.
To get started, we only need an OpenAPI specification that defines each resource of our API.
Let’s say we are building an API for a smoothie bar. It will have two routes : GET /listSmoothies and POST /orderSmoothies, to respectively get all the available smoothies and order a smoothie.
Not to mention that our smoothies are made with local, seasonal and organic fruits.
This tutorial assumes you have :
- Basic Python knowledge
- Basic Google Cloud Platform knowledge
- Billing enabled for Google Cloud Platform
- Cloud SDK installed
- 15 minutes (10 minutes deployment)
Create Google Cloud Functions
Create two folders, listSmoothies and orderSmoothie, and create empty files main.py and requirements.txt in each :
mkdir listSmoothies
mkdir orderSmoothie
touch listSmoothies/main.py
touch orderSmoothie/main.py
touch listSmoothies/requirements.txt
touch orderSmoothie/requirements.txt
In /listSmoothies/requirements.txt add this line and save :
In /listSmoothies/main.py, paste this code :
In the /listSmoothies folder, run this command to deploy the function in private mode :
gcloud functions deploy listSmoothies --region=europe-west2 --trigger-http --entry-point listSmoothies --runtime python38 --no-allow-unauthenticated
Deployment takes up to 2 minutes.
Once deployed, call the function using the URL printed when the command finishes :
We get this result :
We’re done for listSmoothies.
In /orderSmoothie/requirements.txt add this line and save :
In /orderSmoothie/main.py, paste this code :
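As an added example (not the article’s own main.py), here is one file holding both HTTP entry points, listSmoothies and orderSmoothies, matching the --entry-point names used in the deploy commands. Cloud Functions passes a flask.Request; only request.method and request.get_json() are used, so the LocalRequest stub (an assumption for offline runs) and the constructed smoothie catalogue let the handlers be exercised without Flask.

```python
import json

# Constructed catalogue served by GET /listSmoothies.
SMOOTHIES = ["strawberry", "mango", "kale"]
# Upper bound on one order, so absurd quantities are rejected at the edge.
MAX_QUANTITY = 10
JSON_HEADERS = {"Content-Type": "application/json"}


class LocalRequest:
    """Stand-in for flask.Request used only to run the handlers offline."""

    def __init__(self, method, payload):
        self.method = method
        self._payload = payload

    def get_json(self, silent=False):
        return self._payload


def list_smoothies_body():
    """Payload for GET /listSmoothies."""
    return {"smoothies": SMOOTHIES}


def validate_order(payload):
    """Validate an order; returns (status, body). Unknown smoothies, non-integer
    quantities (bool included) and out-of-range quantities are rejected."""
    if not isinstance(payload, dict):
        return 400, {"error": "JSON object expected"}
    name = payload.get("smoothie")
    qty = payload.get("quantity", 1)
    if name not in SMOOTHIES:
        return 400, {"error": "unknown smoothie"}
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QUANTITY:
        return 400, {"error": "quantity must be an integer from 1 to %d" % MAX_QUANTITY}
    return 200, {"ordered": name, "quantity": qty}


def listSmoothies(request):
    """Entry point for the listSmoothies function (GET only)."""
    if request.method != "GET":
        return json.dumps({"error": "method not allowed"}), 405, JSON_HEADERS
    return json.dumps(list_smoothies_body()), 200, JSON_HEADERS


def orderSmoothies(request):
    """Entry point for the orderSmoothies function (POST only)."""
    if request.method != "POST":
        return json.dumps({"error": "method not allowed"}), 405, JSON_HEADERS
    # silent=True turns a malformed body into None instead of raising.
    status, body = validate_order(request.get_json(silent=True))
    return json.dumps(body), status, JSON_HEADERS
```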
In the /orderSmoothie folder, run this command to deploy the function in private mode :
gcloud functions deploy orderSmoothies --region=europe-west2 --trigger-http --entry-point orderSmoothies --runtime python38 --no-allow-unauthenticated
Deployment takes up to 2 minutes.
Once deployed, call the function using Postman and the URL printed when the command finishes :
We get this result :
We are done for orderSmoothie.
Our functions can’t be accessed by everyone : this ensures that every call comes through API Gateway and is monitored.
Create the API
1. Connect to your Google Cloud Console : https://console.cloud.google.com/api-gateway/api
2. You might be asked to enable the API Gateway API, Service Management API and Service Control API; accept all three.
If you prefer command lines, run those :
gcloud services enable apigateway.googleapis.com
gcloud services enable servicemanagement.googleapis.com
gcloud services enable servicecontrol.googleapis.com
3. Click “Create Gateway”
Give your API a display name and an ID using lowercase letters and hyphens ONLY.
For our smoothies, I chose the following values :
Name : SmoothAPI
ID : smoothapi
Keep this ID somewhere accessible, we will need it a few times.
API Config Part
1. Keep “Create new API config”
2. Choose a Display Name for this config => For an API, you can have many configurations (you might add routes or have a staging, dev and prod config).
Api Config Name : Medium Config
3. API Specs :
API Gateway uses the OpenAPI Specification (OAS) to define its APIs.
It’s basically a YAML file defining the routes, methods and parameters accepted by an API.
The most important part is the paths key. It defines each route of our API : name, method, backend address and response format.
For this API, download, edit with your PROJECT and upload the following YAML :
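An added example of such a config, not the author’s downloadable file : an OpenAPI 2.0 document for the two routes, where x-google-backend tells API Gateway to forward each operation to the private function URL using the service account chosen in the next step (which therefore needs the invoker role on both functions). PROJECT is a placeholder for your project ID, and the region matches the deploy commands above.

```yaml
# Added example config for API Gateway; replace PROJECT with your project ID.
swagger: "2.0"
info:
  title: smoothapi
  description: API Gateway in front of the two private smoothie Cloud Functions
  version: 1.0.0
schemes:
  - https
produces:
  - application/json
paths:
  /listSmoothies:
    get:
      summary: List available smoothies
      operationId: listSmoothies
      # Backend address of the private function; the gateway authenticates to it
      # with the service account configured on this API config.
      x-google-backend:
        address: https://europe-west2-PROJECT.cloudfunctions.net/listSmoothies
      responses:
        "200":
          description: List of smoothies
  /orderSmoothie:
    post:
      summary: Order a smoothie
      operationId: orderSmoothie
      x-google-backend:
        address: https://europe-west2-PROJECT.cloudfunctions.net/orderSmoothies
      responses:
        "200":
          description: Order accepted
        "400":
          description: Invalid order
```

Only the paths declared here are exposed on the gateway URL; any route not in the file is rejected by the gateway before reaching a function.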
4. Service Account
You have to create a service account (https://console.cloud.google.com/iam-admin/serviceaccounts/create) that API Gateway will use to call our Cloud Functions. In our smoothie case, we only need the run.invoker role on Google Cloud Functions (but you could also have Cloud Run and more).
Give a name to the Gateway and a region.
Name : SmoothAPI Gateway
Deployment is quite long; it takes from months to years. You can check the progress with the bell in the top right corner.
Access the API
After deployment, click the API name.
You will see four tabs; click Gateways.
Gateway URL is the new endpoint from where we can access our Google Cloud Functions.
We can now list smoothies with the route /listSmoothies and order a smoothie with the route /orderSmoothie.
In https://console.cloud.google.com/api-gateway/api , after clicking SmoothAPI, we can monitor the number of requests on each route, the number of failures, the latency…
Rate Limit & Secure the API with API Keys
Adding quotas to the API isn’t an easy task : it isn’t documented in the API Gateway documentation.
But I found a hack.
I explain the hack and also how to add an API Key to the API in this article :
Rate limit Google Cloud Functions with API Gateway
A free built-in solution after hours reading fuzzy documentations
Adios hippos! Thanks for reading!