FaaS handler authentication
Description
Add a generic method for implementing application authentication within an FaaS function and include the method in the FaaS library.
Further details
We can add an authentication check to the Cloud Run service, managed through Cloud IAM permissions, i.e. by granting the invoker role to the relevant service account.
However, we might want to add an additional AuthN check within the application to protect against accidental unauthenticated exposure of the function through misconfiguration.
Suggested Solution
Push subscription only:
- Configure the use of an OIDC token.
- Add a decorator or similar for verifying the token provided.
- Optional: check the email claim against the expected service account email.
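
One way the decorator from the list above could look, as an added example rather than code from the FaaS library. The name `require_oidc`, the `(headers, body)` handler signature, the `(status, payload)` return shape and the service account address are assumptions. Token verification is injected, so the block runs offline with a constructed stand-in verifier.

```python
import functools

def require_oidc(verify, expected_email=None):
    """Hypothetical decorator. `verify(jwt)` returns the claims or raises
    ValueError when signature, expiry, issuer or audience do not check out.
    Assumption: in production it wraps google-auth, for example
    id_token.verify_oauth2_token(jwt, Request(), audience=PUSH_AUDIENCE)."""
    def decorator(handler):
        @functools.wraps(handler)
        def wrapper(headers, body):
            # Returns (http_status, payload) so any web framework can adapt it.
            # Header names are case-insensitive; normalise before lookup.
            auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
            scheme, _, token = auth.partition(" ")
            if scheme.lower() != "bearer" or not token.strip():
                return 401, "missing bearer token"
            try:
                claims = verify(token.strip())
            except ValueError:
                return 401, "invalid token"
            # Optional identity pin: trust `email` only if marked verified.
            if expected_email is not None and (
                    claims.get("email_verified") is not True
                    or claims.get("email") != expected_email):
                return 403, "unexpected caller identity"
            return 200, handler(headers, body)
        return wrapper
    return decorator

# Constructed demo: stand-in verifier and placeholder account, runs offline.
EXPECTED_SA = "pusher@example-project.iam.gserviceaccount.com"
FAKE_CLAIMS = {"good": {"email": EXPECTED_SA, "email_verified": True},
               "other": {"email": "other@example.com", "email_verified": True}}

def fake_verify(token):
    if token not in FAKE_CLAIMS:
        raise ValueError("signature check failed")
    return FAKE_CLAIMS[token]

@require_oidc(fake_verify, expected_email=EXPECTED_SA)
def handle(headers, body):
    return "processed %d bytes" % len(body)
```

The three outcomes line up with the acceptance criteria: no token and a bad token are rejected before the handler runs, and only a verified token from the expected account reaches it.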
Backlog
- Should we add an additional layer of AuthN?
- Check Suggested Solution, otherwise remove.
Acceptance criteria
- A "function" using this method rejects requests without AuthN information, i.e. an AuthN token.
- A "function" using this method rejects requests if the AuthN information is incorrect.
- A "function" using this method executes the function if AuthN information is correct.
- AuthN method is published within the FaaS library.
- Optional: method is Python framework-agnostic.