Step 5: Set the Security Policy for the Proxy Service (Google Cloud API Gateway)

These instructions show how to set the security policy on your Google Cloud API Gateway.

The previous steps create a Google Cloud Function that can be called by anyone who has the correct Google Cloud API Gateway endpoint. Unless you want your endpoint to be open to the public, you should secure it by adding a customized securityDefinitions section to the configuration file for the API definition.

Update the Configuration File

The name of the configuration file is recorded in the “Configuration File Name” field of the worksheet. The instructions below show you how to add a securityDefinitions section to the configuration file. After this section is added, customized, loaded, and deployed, only Snowflake can call your Cloud Function through the API Gateway.

  1. Add the following securityDefinitions section to the configuration file. Add this just above the schemes: section of the configuration file and at the same indentation level.

    securityDefinitions:
      <security-def-name>:
        authorizationUrl: ""
        flow: "implicit"
        type: "oauth2"
        x-google-issuer: "<gmail service account>"
        x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/<gmail service account>"
    
  2. Replace the <security-def-name> with a unique security definition name (e.g. snowflakeAccess01).

  3. Record this name in the “Security Definition Name” field in the worksheet.

  4. Replace the <gmail service account> with the value in the “API_GCP_SERVICE_ACCOUNT” field of the worksheet. Make the change in two fields in the configuration file:

    1. The x-google-issuer field.

    2. The end of the x-google-jwks_uri field.

  5. Update the post: section of the configuration file to reference the security definition that you created above.

    1. Below the operationId field, add:

      security:
        - <security-def-name>: []
      

      This should be indented at the same level as the operationId field.

      Replace <security-def-name> with the value in the “Security Definition Name” field in the worksheet.

      Make sure to include a hyphen and a space before the security definition name, as shown above.

      Make sure to include the empty square braces ([]) after the colon.

      For example:

      security:
        - snowflakeAccess01: []
      

      Your updated configuration file should look similar to the following:

      swagger: '2.0'
      info:
        title: API Gateway config for Snowflake external function
        description: This configuration file connects the API Gateway resource to the remote service (Cloud Function).
        version: 1.0.0
      securityDefinitions:
        snowflakeAccess01:
          authorizationUrl: ""
          flow: "implicit"
          type: "oauth2"
          x-google-issuer: "<API_GCP_SERVICE_ACCOUNT>"
          x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/<API_GCP_SERVICE_ACCOUNT>"
      schemes:
        - https
      produces:
        - application/json
      paths:
        /demo-func-resource:
          post:
            summary: Echo the input
            operationId: operationID
            security:
              - snowflakeAccess01: []
            x-google-backend:
              address: <Cloud Function Trigger URL>
              protocol: h2
            responses:
              '200':
                description: <DESCRIPTION>
                schema:
                  type: string
      
  6. Save the configuration file.
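Because a missing or misspelled security reference silently leaves the POST operation callable by anyone who knows the gateway URL, it is worth checking the edited file before uploading it. The following lint is an added example, not Snowflake's or Google's code: it walks a parsed API Gateway config and flags the mistakes that the steps above warn about (a placeholder such as <gmail service account> left in place, an x-google-jwks_uri that does not end with the same service account as x-google-issuer, an operation with no security requirement, a reference to an undefined security definition, or scopes that are not the empty list []). The sample config and the service account email proxy-sa@example-project.iam.gserviceaccount.com are constructed for the example; in real use, load your YAML file with PyYAML (yaml.safe_load) and pass the resulting dictionary to lint_api_config.

```python
"""Lint an API Gateway OpenAPI 2.0 config for the securityDefinitions setup.

Added example (not part of the Snowflake documentation or Google's tooling).
"""
import copy
import re

# Matches values such as "<gmail service account>" that were never replaced.
PLACEHOLDER = re.compile(r"<[^>]*>")
# The x-google-jwks_uri must be this prefix followed by the issuer's service account.
JWKS_PREFIX = "https://www.googleapis.com/robot/v1/metadata/x509/"


def lint_api_config(cfg):
    """Return a list of human-readable problems; an empty list means the config passed."""
    problems = []
    defs = cfg.get("securityDefinitions") or {}
    if not defs:
        problems.append("no securityDefinitions section: every operation is open to the public")
    for name, d in defs.items():
        if d.get("type") != "oauth2" or d.get("flow") != "implicit":
            problems.append(f"{name}: type must be oauth2 with flow implicit")
        issuer = d.get("x-google-issuer", "")
        jwks = d.get("x-google-jwks_uri", "")
        for field, value in (("x-google-issuer", issuer), ("x-google-jwks_uri", jwks)):
            if not value or PLACEHOLDER.search(value):
                problems.append(f"{name}: {field} is empty or still contains a placeholder")
        # The JWT's signing certificates are fetched from the jwks_uri, so the account
        # named there must be the same account named as the token issuer.
        if not jwks.startswith(JWKS_PREFIX) or jwks[len(JWKS_PREFIX):] != issuer:
            problems.append(f"{name}: x-google-jwks_uri must end with the x-google-issuer service account")
    if "https" not in (cfg.get("schemes") or []):
        problems.append("schemes must include https")
    for path, ops in (cfg.get("paths") or {}).items():
        for method, op in ops.items():
            sec = op.get("security")
            if not sec:
                problems.append(f"{method.upper()} {path}: no security requirement; callable by anyone with the endpoint URL")
                continue
            for requirement in sec:
                for ref, scopes in requirement.items():
                    if ref not in defs:
                        problems.append(f"{method.upper()} {path}: references undefined security definition {ref}")
                    if scopes != []:
                        problems.append(f"{method.upper()} {path}: scopes for {ref} must be the empty list []")
    return problems


def load_api_config(text):
    """Parse YAML text into the dictionary lint_api_config expects (needs PyYAML)."""
    import yaml  # third-party; only needed when reading a real file
    return yaml.safe_load(text)


# Constructed sample mirroring the finished configuration from the step above.
SERVICE_ACCOUNT = "proxy-sa@example-project.iam.gserviceaccount.com"  # constructed value
SECURED_CONFIG = {
    "swagger": "2.0",
    "info": {"title": "API Gateway config for Snowflake external function", "version": "1.0.0"},
    "securityDefinitions": {
        "snowflakeAccess01": {
            "authorizationUrl": "",
            "flow": "implicit",
            "type": "oauth2",
            "x-google-issuer": SERVICE_ACCOUNT,
            "x-google-jwks_uri": JWKS_PREFIX + SERVICE_ACCOUNT,
        }
    },
    "schemes": ["https"],
    "produces": ["application/json"],
    "paths": {
        "/demo-func-resource": {
            "post": {
                "summary": "Echo the input",
                "operationId": "operationID",
                "security": [{"snowflakeAccess01": []}],
                "x-google-backend": {"address": "https://example.invalid/trigger", "protocol": "h2"},
                "responses": {"200": {"description": "ok", "schema": {"type": "string"}}},
            }
        }
    },
}

# The same file with the security: block forgotten, which is the open-to-the-public case.
OPEN_CONFIG = copy.deepcopy(SECURED_CONFIG)
del OPEN_CONFIG["paths"]["/demo-func-resource"]["post"]["security"]

# The same file with the <gmail service account> placeholders never replaced.
PLACEHOLDER_CONFIG = copy.deepcopy(SECURED_CONFIG)
PLACEHOLDER_CONFIG["securityDefinitions"]["snowflakeAccess01"]["x-google-issuer"] = "<gmail service account>"
PLACEHOLDER_CONFIG["securityDefinitions"]["snowflakeAccess01"]["x-google-jwks_uri"] = JWKS_PREFIX + "<gmail service account>"

if __name__ == "__main__":
    for label, cfg in (("secured", SECURED_CONFIG), ("open", OPEN_CONFIG), ("placeholder", PLACEHOLDER_CONFIG)):
        print(label, lint_api_config(cfg) or "OK")
```

Run the lint against the file you are about to upload and fix every reported problem before clicking UPDATE; a configuration that deploys without a security requirement on the POST path is exactly the publicly callable state this step is meant to close.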

Reload the Updated Configuration File

  1. On the Gateways page, click on the name of your gateway.

  2. Click on EDIT.

  3. Under API Config, click in the box titled Select a Config.

  4. Select the option Create new API config.

  5. In the box that contains Upload an API Spec, click on the BROWSE button.

  6. Select the desired YAML file, which you created previously. Check that it has the extension “.yaml” or “.yml”.

  7. Enter the Display Name. Use a new, unique name, not the name that you used previously.

  8. If you are asked to Select a Service Account, then select App Engine default service account.

    If you are creating a function to use in production (rather than as a sample), you might choose a different service account.

    The selected service account must have appropriate privileges, including privileges to call the Google Cloud Function.

  9. You should now be back on the page for your API gateway. If the Config field shows the old API config file’s display name, then:

    1. Click on EDIT.

    2. Under API Config, find the Select a Config box again, and click in the box.

    3. Select the new API config.

    4. Click the UPDATE button.

      This takes you back to the list of API gateways.

    5. You might need to wait a few minutes while the API Gateway is updated.

      You might see an icon to the left of the API gateway name that indicates that the gateway is being refreshed.

      You can click on the REFRESH button above the gateway name to check whether the refresh is still in progress. After the icon to the left of the gateway name disappears, the gateway should be fully refreshed, and you can continue to the next step.

  10. To make sure that your external function works correctly with the new security configuration file, call your external function again. For details, see Calling an External Function for GCP.