Invoking HTTP Google Cloud Function from Google App Engine service in the same project

Goal

The goal was to build an encryption/decryption module. Because the module was simple and single-purpose and did not need to share state between executions, the decision was to use Google Cloud Functions (GCF).

Mechanism

Once created, the cloud function uses Google Key Management Service (KMS) to encrypt and decrypt data.

Configuration

The function was configured to be HTTP-triggered (there are other ways to trigger it) with authentication enabled (the other option, unauthenticated, would make the function accessible to the public). Simply put, Google provided an HTTPS URL which, when invoked, calls the cloud function if the caller is authenticated.

Getting ID Token & Calling the Function

  1. Call http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=<your_function_url> with the header Metadata-Flavor: Google (this makes sure the default service account is used).
  2. The received token has to be sent in the Authorization header, with Bearer as the prefix.
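
The two steps above as an added Python example (not code from the original post), using only the standard library. The JSON request body, the timeouts, the https check, the JWT shape check and the injectable `opener` parameter are assumptions added for illustration; the caller supplies the function URL.

```python
import urllib.parse
import urllib.request

# Metadata server endpoint from step 1; only reachable from inside GCP runtimes.
METADATA_IDENTITY_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                         "instance/service-accounts/default/identity")


def build_token_request(function_url):
    """Step 1: request an ID token whose audience is the function URL."""
    if urllib.parse.urlsplit(function_url).scheme != "https":
        # The bearer token must never travel over cleartext HTTP.
        raise ValueError("function URL must use https")
    query = urllib.parse.urlencode({"audience": function_url})
    return urllib.request.Request(f"{METADATA_IDENTITY_URL}?{query}",
                                  headers={"Metadata-Flavor": "Google"})


def build_function_request(function_url, id_token, body):
    """Step 2: send the token in the Authorization header, Bearer-prefixed."""
    return urllib.request.Request(
        function_url, data=body, method="POST",
        headers={"Authorization": f"Bearer {id_token}",
                 "Content-Type": "application/json"})  # JSON body is an assumption


def call_function(function_url, body, opener=urllib.request.urlopen):
    """Fetch a token, then invoke the function. `opener` is injectable for tests."""
    with opener(build_token_request(function_url), timeout=5) as resp:
        id_token = resp.read().decode("ascii").strip()
    # An ID token is a JWT: three dot-separated segments. Fail closed otherwise,
    # and keep the token itself out of error messages and logs.
    if id_token.count(".") != 2:
        raise RuntimeError("metadata server did not return a JWT")
    with opener(build_function_request(function_url, id_token, body),
                timeout=30) as resp:
        return resp.status, resp.read()
```

The token is bound to the audience it was requested for, so request a separate token for each function URL.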
