This feature request is for extension: firestore-bigquery-export
What feature would you like to see?
I'd like the extension to send an OIDC ID token when it calls the TRANSFORM_FUNCTION URL, so the transform endpoint can be locked down via Cloud Run IAM.
Right now the extension calls the URL with just a Content-Type header — no Authorization. Because of this the transform function has to be granted allUsers invoker access. If you try to limit it (even to the extension's own runtime SA), Cloud Run returns 403 and syncBigQuery fails with FetchError: invalid json response body ... Unexpected token '<'. As far as I can tell this isn't mentioned in the README or PREINSTALL, so it's easy to set up a publicly invokable function without realizing it.
If the extension attached an ID token to the call (using the transform URL as the audience), users could lock the endpoint down via Cloud Run IAM and it would still work for everyone else, since public functions would just ignore the extra header.
How would you use it?
We use TRANSFORM_FUNCTION to strip sensitive fields (private message bodies) before they reach BigQuery, so it sits on the critical path for our privacy guarantees. Keeping the endpoint open to allUsers is uncomfortable — anyone who finds the URL can drive invocations and run up our bill. With ID-token auth we'd grant roles/run.invoker only to ext-<INSTANCE_ID>@<PROJECT>.iam.gserviceaccount.com and drop allUsers.
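To make the proposed contract concrete, here is an added example (not code from the firestore-bigquery-export extension or from the issue author) showing both halves of it in plain Node.js: the headers the extension would send once it attaches an ID token with the transform URL as audience, and the claim checks an IAM-protected transform function can make as defense in depth (audience is its own URL, caller is the extension's runtime service account, token not expired). Everything is assumed: the transform URL and service-account address are placeholders following the pattern in the issue, the sample token is constructed with a placeholder signature so the file runs offline, and in production the token would come from google-auth-library's `GoogleAuth.getIdTokenClient(url)` while signature verification is done by Cloud Run IAM (or `OAuth2Client.verifyIdToken`) before these checks run.

```javascript
// Added example, not part of the extension. Models the request/response sides of
// calling TRANSFORM_FUNCTION with an OIDC ID token whose audience is the URL.

// Headers the extension would send. `idToken` is assumed to come from
// google-auth-library's GoogleAuth.getIdTokenClient(transformUrl) in production.
function buildTransformHeaders(idToken) {
  const headers = { 'Content-Type': 'application/json' };
  if (idToken) headers.Authorization = `Bearer ${idToken}`;
  return headers;
}

// Decode the payload of a compact JWT. No signature check here: Cloud Run IAM
// (or verifyIdToken) is assumed to have rejected forged tokens already.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Claim checks a transform endpoint would make on a signature-verified Google
// ID token: issuer, audience (its own URL), expiry, and caller identity.
function checkIdTokenClaims(payload, { expectedAudience, expectedCaller, nowSeconds }) {
  const issuers = ['https://accounts.google.com', 'accounts.google.com'];
  if (!issuers.includes(payload.iss)) return { ok: false, reason: 'bad issuer' };
  if (payload.aud !== expectedAudience) return { ok: false, reason: 'audience mismatch' };
  if (typeof payload.exp !== 'number' || payload.exp <= nowSeconds) return { ok: false, reason: 'expired' };
  if (payload.email_verified !== true || payload.email !== expectedCaller) {
    return { ok: false, reason: 'unexpected caller' };
  }
  return { ok: true, reason: '' };
}

// Request-side decision: missing bearer token -> 401, bad claims -> 403, else 200.
function authorizeTransformRequest(headers, opts) {
  const auth = headers.authorization || headers.Authorization;
  if (!auth || !auth.startsWith('Bearer ')) return { status: 401, reason: 'missing bearer token' };
  let payload;
  try {
    payload = decodeJwtPayload(auth.slice('Bearer '.length));
  } catch (e) {
    return { status: 401, reason: e.message };
  }
  const r = checkIdTokenClaims(payload, opts);
  return r.ok ? { status: 200, reason: '' } : { status: 403, reason: r.reason };
}

// Constructed sample token with a placeholder signature, for a stand-alone run only.
function makeSampleJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.placeholder-signature`;
}

// Placeholders (hypothetical values, pattern taken from the issue text).
const TRANSFORM_URL = 'https://transform-placeholder-uc.a.run.app';
const EXT_SA = 'ext-my-instance@my-project.iam.gserviceaccount.com';
const NOW = 1700000000;
const OPTS = { expectedAudience: TRANSFORM_URL, expectedCaller: EXT_SA, nowSeconds: NOW };

const goodToken = makeSampleJwt({
  iss: 'https://accounts.google.com', aud: TRANSFORM_URL, exp: NOW + 3600,
  email: EXT_SA, email_verified: true,
});
// Token minted for some other audience: IAM would admit a valid SA token, but
// the audience check still rejects it, which is why the URL is the audience.
const wrongAudienceToken = makeSampleJwt({
  iss: 'https://accounts.google.com', aud: 'https://some-other-service.example', exp: NOW + 3600,
  email: EXT_SA, email_verified: true,
});

console.log('with token:   ', authorizeTransformRequest(buildTransformHeaders(goodToken), OPTS));
console.log('no token:     ', authorizeTransformRequest(buildTransformHeaders(null), OPTS));
console.log('wrong audience', authorizeTransformRequest(buildTransformHeaders(wrongAudienceToken), OPTS));
```

The "no token" case is the current behaviour of the extension (Content-Type only), which is exactly the request that an IAM-restricted Cloud Run endpoint answers with a 403 HTML page and that surfaces as the `Unexpected token '<'` JSON parse error in the issue.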