Api gateway for Microservices with Google Cloud Functions

Submitted by 亡梦爱人 on 2021-02-08 03:42:25

Question


Inputs

For example, we have a few services.

  1. Account service
  2. Product service
  3. Payment service

Each service is a separate Google Cloud Function. Each service has its own HTTP API. For example, the account service has:

  1. https://REGION-FUNCTIONS_PROJECT_ID.cloudfunctions.net/account/sign-up
  2. https://REGION-FUNCTIONS_PROJECT_ID.cloudfunctions.net/account/sign-in
  3. https://REGION-FUNCTIONS_PROJECT_ID.cloudfunctions.net/account/reset-password
  4. etc

Each service has its own swagger documentation endpoint /docs.

Question

How can I make my Cloud Functions private (without public access) and place them behind some API Gateway?

Notes

Google offers Endpoints for Cloud Functions (see https://cloud.google.com/endpoints/docs/openapi/get-started-cloud-functions ). But, as I understand it, Endpoints allow you to define only the yaml OpenAPI file.

In this yaml file, I can define something like this:

swagger: '2.0'
info:
  title: Cloud Endpoints + GCF
  description: Sample API on Cloud Endpoints with a Google Cloud Functions backend
  version: 1.0.0
host: HOST
schemes:
  - https
produces:
  - application/json
paths:
  /hello:
    get:
      summary: Greet a user
      operationId: hello
      x-google-backend:
        address: https://REGION-FUNCTIONS_PROJECT_ID.cloudfunctions.net/helloGET
      responses:
        '200':
          description: A successful response
          schema:
            type: string

But in my case, I need the ability to proxy my cloud functions (like a reverse proxy).


Answer 1:


You can use Endpoints. Of course, you have to define your OpenAPI yaml file manually (version 2.0, not 3!). Use a wildcard and a path translation definition:

...
paths:
  /account/*:
    get:
      summary: sign-up a user
      operationId: sign-up
      x-google-backend:
        address: https://REGION-FUNCTIONS_PROJECT_ID.cloudfunctions.net
        path_translation: APPEND_PATH_TO_ADDRESS
      responses:
        '200':
          description: A successful response
          schema:
            type: string

APPEND_PATH_TO_ADDRESS simply pastes the path value at the end of your backend definition. By the way, with only this definition, you can reach all your private function endpoints and sub-endpoints, like your swagger documentation.

You can protect your gateway with an API key (I wrote an article on this), but there is also another security solution in the documentation.

However, you couldn't use the developer portal proposed by Endpoints, because it's based on the Endpoints yaml file definition and does not aggregate all the discovered service definitions (in your /docs path).
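To see what the wildcard route in this answer actually admits, here is an added Python simulation of the gateway's path matching and path_translation. It is not ESPv2's code and not part of the original answer; it assumes `*` matches one path segment and `**` the remaining ones (as the Endpoints OpenAPI documentation describes), uses the question's placeholder host, and replaces the real API key validation against Service Control with a constructed local key set. The host, service names and the key are placeholders.

```python
"""Simulation of a Cloud Endpoints (ESPv2) wildcard route: which requests a
path template such as /account/* accepts and what backend URL
x-google-backend.path_translation produces. Added for illustration; it is not
the gateway itself and makes no network calls."""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qsl, urlsplit

# Placeholder backend host copied from the question, not a real project.
GCF_HOST = "https://REGION-FUNCTIONS_PROJECT_ID.cloudfunctions.net"

# Constructed stand-in for API key validation (real ESPv2 checks keys with
# Service Control, not against a local set).
VALID_API_KEYS = {"demo-key-constructed-for-this-example"}


def backend(address: str, translation: str) -> dict:
    return {"address": address, "path_translation": translation}


# Constructed OpenAPI 2.0 "paths" section in dict form, mirroring the answer:
# one wildcard route per service, forwarding the whole request path to the
# function of the same name. Unlike the answer's snippet, post is declared
# too, because sign-up / sign-in are normally POSTs.
PATHS = {
    "/account/*": {
        "get":  {"backend": backend(GCF_HOST, "APPEND_PATH_TO_ADDRESS"), "api_key": True},
        "post": {"backend": backend(GCF_HOST, "APPEND_PATH_TO_ADDRESS"), "api_key": True},
    },
    # ** swallows the rest of the path, so nested docs routes pass through.
    "/product/**": {
        "get": {"backend": backend(GCF_HOST, "APPEND_PATH_TO_ADDRESS"), "api_key": False},
    },
    # CONSTANT_ADDRESS: every matching request is sent to exactly this URL.
    "/payment/charge": {
        "post": {"backend": backend(GCF_HOST + "/payment", "CONSTANT_ADDRESS"), "api_key": True},
    },
}


def match_template(template: str, path: str) -> bool:
    """`*` matches exactly one path segment; `**` (last segment only) matches
    the remaining segments. Requiring at least one segment after `**` is this
    simulation's assumption."""
    t = template.strip("/").split("/")
    p = path.strip("/").split("/")
    for i, seg in enumerate(t):
        if seg == "**":
            return i == len(t) - 1 and len(p) > i
        if i >= len(p) or (seg != "*" and seg != p[i]):
            return False
    return len(p) == len(t)


@dataclass
class Decision:
    status: int                   # 200 forwarded, 401 key rejected, 404 no route, 405 method undeclared
    backend_url: Optional[str] = None


def route(method: str, request_uri: str, headers: Optional[Dict[str, str]] = None) -> Decision:
    """Decide what the gateway does with one request. The status codes are this
    simulation's choice; the point is which requests reach the function."""
    headers = headers or {}
    parts = urlsplit(request_uri)
    path, query = parts.path, parts.query
    for template, operations in PATHS.items():   # first declared match wins here
        if not match_template(template, path):
            continue
        op = operations.get(method.lower())
        if op is None:
            return Decision(405)
        if op["api_key"]:
            # ESP accepts the key as the `key` query parameter or the x-api-key header.
            supplied = headers.get("x-api-key") or dict(parse_qsl(query)).get("key")
            if supplied not in VALID_API_KEYS:
                return Decision(401)
        be = op["backend"]
        if be["path_translation"] == "APPEND_PATH_TO_ADDRESS":
            url = be["address"].rstrip("/") + path
        else:                                     # CONSTANT_ADDRESS
            url = be["address"]
        return Decision(200, url + ("?" + query if query else ""))
    return Decision(404)


if __name__ == "__main__":
    key = {"x-api-key": "demo-key-constructed-for-this-example"}
    for m, uri, h in [("POST", "/account/sign-up", key),
                      ("GET", "/account/docs", {}),
                      ("GET", "/account/docs/openapi.json", key),
                      ("GET", "/product/docs/openapi.json", {}),
                      ("POST", "/payment/charge?order=42", key),
                      ("DELETE", "/account/sign-up", key)]:
        print(m, uri, "->", route(m, uri, h))
```

Two things the script makes visible: `/account/*` matches `/account/docs` but not `/account/docs/openapi.json`, so a docs endpoint with nested paths needs `**`; and a route that only declares `get`, as in the snippet above, would not pass a POST to `sign-up`, which is why the constructed config declares `post` as well.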




Answer 2:


Use Apigee, which is part of Google Cloud Platform and purpose-made for your use case.




Answer 3:


To your question: How can I make my Cloud Functions private (without public access) and place them behind some API Gateway?

If you want to manage the Cloud Function access level (like develop/update/deploy, invocation, or no access), you can do that via the Cloud IAM service (https://cloud.google.com/iam/).

Apart from that, Apigee (API Gateway) also has a nice mechanism to achieve this goal.

In Apigee, try performing these steps:

  1. Onboard your endpoint (you can take reference from https://docs.apigee.com/).
  2. Encapsulate your Apigee on-boarded endpoints in Apigee API Products, where you can configure an API product to have certain API endpoints only.
  3. Add a Developer App to the product (you can prefix your product name with something like public, reserved or private). You might want to have multiple such Developer Apps connected to different types of Products and get multiple credential sets for them. Now, based on which type of API product the Developer App (credential set) is attached to, you can make your Google function public or private.

Check out the link for OAuth security provided by Apigee out of the box - https://www.youtube.com/watch?v=hZbyR8L-IIs




Answer 4:


The GCP way to achieve access control is via IAM service accounts.

In this case, it would be necessary to:

  • Assign the Cloud Functions Invoker role to the service account of the service that calls this function (e.g. App Engine, GKE and Cloud Tasks).
  • Restrict the Cloud Function by requiring IAM permissions.

By doing so, the Cloud Function URL will be private and any non-authenticated user will receive a 403 HTTP error.
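The check a practitioner wants after following this answer is that no function still carries a public invoker binding. Below is an added Python audit (not part of the original answer) that reads the JSON printed by `gcloud functions get-iam-policy FUNCTION --format=json`, reports `allUsers` / `allAuthenticatedUsers` grants on invoker roles, and builds the cleaned policy to write back. The policies, etags, project ID and gateway service account embedded here are constructed samples so the script runs offline.

```python
"""Audit the IAM policy of each Cloud Function for public invoker bindings and
build the policy to write back. Added example, not from the original answer.
It consumes the JSON that `gcloud functions get-iam-policy FUNCTION
--format=json` prints; the policies below are constructed samples."""
import copy
import json
from typing import Dict, List

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# 1st gen functions use cloudfunctions.invoker; 2nd gen functions are Cloud Run
# services and use run.invoker.
INVOKER_ROLES = {"roles/cloudfunctions.invoker", "roles/run.invoker"}

# Constructed sample policies keyed by function name. PROJECT_ID and the
# gateway service account are placeholders, not real principals.
SAMPLE_POLICIES: Dict[str, dict] = {
    "account": json.loads("""{
        "etag": "BwXxConstructedEtag1=",
        "bindings": [
            {"role": "roles/cloudfunctions.invoker",
             "members": ["allUsers",
                         "serviceAccount:api-gateway@PROJECT_ID.iam.gserviceaccount.com"]}
        ]}"""),
    "product": json.loads("""{
        "etag": "BwXxConstructedEtag2=",
        "bindings": [
            {"role": "roles/cloudfunctions.invoker",
             "members": ["serviceAccount:api-gateway@PROJECT_ID.iam.gserviceaccount.com"]}
        ]}"""),
    # Empty function-level policy: invocation then depends on project-level
    # grants only, which this script does not see.
    "payment": json.loads("""{"etag": "BwXxConstructedEtag3="}"""),
}


def public_invokers(policy: dict) -> List[str]:
    """Public principals that hold an invoker role in this policy."""
    found = []
    for binding in policy.get("bindings", []):
        if binding.get("role") in INVOKER_ROLES:
            found.extend(m for m in binding.get("members", []) if m in PUBLIC_MEMBERS)
    return sorted(set(found))


def audit(policies: Dict[str, dict]) -> Dict[str, List[str]]:
    """Function name -> list of public invoker principals (empty means none found)."""
    return {name: public_invokers(p) for name, p in policies.items()}


def private_policy(policy: dict) -> dict:
    """Copy of the policy with public members removed from invoker bindings,
    dropping bindings left empty and keeping the etag so `set-iam-policy`
    detects concurrent edits. The input is not modified."""
    fixed = copy.deepcopy(policy)
    kept = []
    for binding in fixed.get("bindings", []):
        if binding.get("role") in INVOKER_ROLES:
            binding["members"] = [m for m in binding.get("members", []) if m not in PUBLIC_MEMBERS]
        if binding.get("members"):
            kept.append(binding)
    if "bindings" in fixed:
        fixed["bindings"] = kept
    return fixed


def remediation_commands(function: str, public: List[str],
                         role: str = "roles/cloudfunctions.invoker") -> List[str]:
    """One gcloud command per public principal to remove (1st gen role by default)."""
    return [f"gcloud functions remove-iam-policy-binding {function} "
            f"--member={member} --role={role}" for member in public]


if __name__ == "__main__":
    for name, public in audit(SAMPLE_POLICIES).items():
        print(f"{name}: {'PUBLIC via ' + ', '.join(public) if public else 'no public invoker binding'}")
        for cmd in remediation_commands(name, public):
            print("  ", cmd)
```

A clean function-level policy is necessary but not sufficient: an invoker role granted to `allUsers` at project level also makes every function public, so run the same check on the project policy. Deploying with `gcloud functions deploy ... --no-allow-unauthenticated` avoids creating the public binding in the first place.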



Source: https://stackoverflow.com/questions/59006794/api-gateway-for-microservices-with-google-cloud-functions
