
Pub/Sub behind an API Gateway

Hello,

I am interested in being able to publish messages to a Pub/Sub topic without having to go through an OAuth 2 authentication flow.

I am open to considering any alternative long-term solution, such as using an API Key or a JWT token with either no expiration or a long-term expiration.

Is it possible to publish messages using a simple HTTP POST request to my Pub/Sub topic solely with an API key?

Currently, I achieve this by sending the POST request to an API Gateway, which then forwards it to a Cloud Function responsible for publishing the message to my Pub/Sub Topic.

Is there any way to achieve the same result without using the function?

Thank you and regards,

1 ACCEPTED SOLUTION

You cannot directly use an API key to authenticate requests to Google Cloud Pub/Sub. Google Cloud Pub/Sub uses OAuth 2.0 for its authentication and does not support API keys for this purpose.

Google's security model relies heavily on short-lived access tokens (which typically expire after an hour) and does not support long-term JWTs or non-expiring tokens. This is primarily a security measure, as short-lived tokens limit the potential damage if a token is compromised.

However, there is a suggested workaround in the following blog post to use Google Cloud Endpoints, which would act as a custom endpoint for your API. You can then use API keys to authenticate the requests that are being made to this custom endpoint. The endpoint would then forward the requests to your Pub/Sub topic.

This approach does require you to provide a backend for your API. The backend can be deployed in Google App Engine (GAE), Google Compute Engine (GCE), or Google Kubernetes Engine (GKE). The Cloud Endpoints would then serve as a proxy for your API.

For information see: https://cloud.google.com/pubsub/docs/building-pubsub-messaging-system#quickstart_setup 

This solution is somewhat similar to your current setup with the API Gateway and Cloud Function, but it all stays within the Google Cloud environment. However, do note that this still involves an intermediary (the custom endpoint) and is not a direct publishing to the Pub/Sub topic using an API key.

 


2 REPLIES 2


Thank you for your comprehensive response. It reinforces my current understanding.

I'm unsure whether utilizing GAE/GCE/GKE is more advantageous or not, but employing a cloud function appears significantly simpler to me since it only requires a few lines of code to publish to Pub/Sub.
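As an added illustration that is not part of the original thread or any Google sample: the sketch below shows what the intermediary behind the gateway does when it publishes, calling the Pub/Sub REST publish method with the runtime service account's short-lived access token from the metadata server, so the caller's API key never reaches Pub/Sub. The function names, the size cap and the project/topic values passed in are assumptions made for this example.

```python
import base64
import json
import urllib.request

MAX_DATA_BYTES = 1_000_000  # assumed cap chosen for this example
METADATA_TOKEN_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                      "instance/service-accounts/default/token")


def fetch_access_token(timeout=2.0):
    """Return the runtime service account's short-lived OAuth 2.0 access token.

    Only reachable from inside a Google Cloud runtime (Cloud Functions, GCE, GKE).
    """
    req = urllib.request.Request(METADATA_TOKEN_URL,
                                 headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["access_token"]


def build_publish_request(project, topic, data, access_token, attributes=None):
    """Validate one message and build the REST publish call (no network I/O)."""
    if not isinstance(data, bytes):
        raise ValueError("data must be bytes")
    if len(data) > MAX_DATA_BYTES:
        raise ValueError("payload too large")
    attrs = attributes or {}
    if not all(isinstance(k, str) and isinstance(v, str) for k, v in attrs.items()):
        raise ValueError("attributes must map str to str")
    # Pub/Sub's JSON API carries the payload as base64 text.
    message = {"data": base64.b64encode(data).decode("ascii")}
    if attrs:
        message["attributes"] = attrs
    url = f"https://pubsub.googleapis.com/v1/projects/{project}/topics/{topic}:publish"
    return urllib.request.Request(
        url,
        data=json.dumps({"messages": [message]}).encode("utf-8"),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )


def publish(project, topic, data, attributes=None):
    """Publish one message and return the server-assigned message IDs."""
    req = build_publish_request(project, topic, data, fetch_access_token(), attributes)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["messageIds"]
```

The service account running this code needs only publish permission on the one topic, which keeps the blast radius of a leaked API key limited to what the intermediary is willing to forward.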