Securing backend services
In addition to authenticating end user requests to your deployed gateway, it is important to secure access between API Gateway and your backend services. You can prevent public access to your backend managed services (Cloud Run, Cloud Run functions, App Engine, etc.) by:
- Permitting only authenticated access to your backend service.
- Granting the necessary permissions to the service account associated with your gateway's API config so that your gateway is authorized to invoke the backend.
This page describes the steps required to secure your backend service and describes the roles and permissions you gateway's service account requires to access those services.
Cloud Run
All Cloud Run fully managed services are deployed privately by default, which means that they can't be accessed without providing authentication credentials in the request.
Cloud Run services are secured by IAM. By default, Cloud Run services can be called by any role containing the run.routes.invoke
permission.
You can configure IAM on Cloud Run (fully managed) services to grant access to additional users.
For API Gateway, access to Cloud Run services is enabled by granting the gateway's service account the appropriate roles and permissions: the roles/run.invoker
role or a role containing the run.routes.invoke
permission.
You can control a gateway's access to an individual service with service-level IAM or to all services within a project with project-level IAM.
If a gateway's request to your Cloud Run service is rejected, ensure that the gateway's service account is granted the roles/run.invoker
role, and that the gateway's service account has the run.routes.invoke
permission. Learn more about the invoker roles and permissions in the Cloud Run IAM reference.
Cloud Functions
For Cloud Run functions backend services, Identity and Access Management (IAM) is used to control the ability to view, create, update and delete functions. IAM enforces authentication of callers to Cloud Run functions services, such as API Gateway, by granting roles.
Granting roles and permissions with IAM allows for control over two sets of actions:
- Developer operations: creating, updating, and deleting functions, as well as managing access to functions.
- Function invocation: causing a function to be executed.
Granting the ability to invoke a function differs for HTTP functions and background functions.
- HTTP functions require authentication by default. You can configure IAM on HTTP functions to specify whether a function allows unauthenticated invocation.
- Background functions can only be invoked by the event source to which they are subscribed.
To enable API Gateway to call your Cloud Functions backend service, grant the gateway's service account the roles/cloudfunctions.invoker
) role, or any role containing the cloudfunctions.functions.invoke
permission.
You can control a gateway's access to an individual function with service-level IAM or to all functions in a project with project-level IAM.
If a gateway's requests to your Cloud Run functions service is rejected, ensure that that the gateway's service account is granted the roles/cloudfunctions.invoker
role, and that the gateway's service account has the cloudfunctions.functions.invoke
permission. Learn more about invoker roles and permissions in the Cloud Functions IAM reference.
App Engine
In order to secure your App Engine app, you must use the Identity Aware Proxy (IAP) to ensure that requests are authenticated.
Follow the steps to Enable IAP for the project in which your App Engine backend service is deployed. Enabling IAP will ensure that access to your App Engine backend application is secured.
To enable API Gateway to call your App Engine backend service, follow the steps in
Setting up IAP access to grant the
service account associated with your gateway the IAP-secured Web App User
role. In addition, grant the service account a role containing the following permissions:
appengine.applications.update
clientauthconfig.clients.create
clientauthconfig.clients.getWithSecret