Authorization

When you add a Google Cloud Functions card to a flow for the first time, you'll be prompted to create a connection. Connecting your account will enable you to save your account information and reuse that connection the next time you build a flow with the connector.

Note: You can create multiple connections, share them with your team, and manage them from your Connections page.

To create a new connection from an Action card:

  1. Click New Connection.

  2. Enter a Connection Nickname. As a best practice, make this nickname unique so that you can connect multiple Google Cloud Functions accounts.

  3. Enter your Project ID, then click Create. You can obtain the project ID from the project URL.

  4. Choose an account, then click Allow.

Set up the Google Cloud Functions Project

Your Google Cloud Functions Project provides access to the Google Cloud Functions API. By using the connector's Custom API Action card, authorized users can call the API for their project. For example, users can call the API to list the cloud functions that are deployed in a particular region. To use the Okta Workflows Custom API Action card to list all the functions in the project, your Google Cloud Functions Project must be set up properly.

Complete the following steps:

  • Create a Google Cloud Functions project

  • Enable the Google Cloud Functions API (search and enable it in Library). Otherwise, users will not be able to call the API or invoke cloud functions.

  • Enable the Identity and Access Management API (search and enable it in Library). Otherwise, users will not be able to invoke cloud functions.

  • A service account whose name starts with the project name (i.e. {project-name}@appspot.gserviceaccount.com) will be created when the project is created. Add the following role to the service account:

    • Service Account Token Creator

  • The default region for new cloud functions is us-central1.

  • Note that cloud functions with the same name can be deployed to multiple regions.

  • Use the IAM & Admin menu to add users to the project, and assign roles to those users.

    • To invoke a cloud function, a user must be assigned the Cloud Functions Invoker role.

    • Consider assigning other roles to cloud functions: Cloud Functions Admin, Cloud Functions Developer, or Cloud Functions Viewer:

      • Cloud Functions Developer can edit and invoke functions

      • Cloud Functions Admin can add users and change permissions on functions

      • Cloud Functions Viewer can only view functions

Additionally, be aware of the following:

  • When you authenticate using the Invoke Function card you must provide the Google Cloud Project ID. Users are authenticated using IAM roles that are assigned within your Google Cloud Functions Project.

  • When the connector calls a Google Cloud Function it will utilize an ID Token (JWT) for your user.

  • The Invoke Function card requires that the user has the Google Functions Invoker role. Calls to unsecure cloud functions are not supported by the Invoke Function card; however, users can call unsecure functions using the Custom API Action card.

  • A function can only be made secure when it is created, by leaving the Allow unauthenticated invocations checkbox unchecked. You cannot secure a function after you've created it. Even if users are assigned to an unsecured function with proper roles, they will not be able to call it.

  • After deployment of a cloud function, security can be configured independently by adding users to the Cloud Functions Invoker role.
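The secure/unsecure distinction above shows up in a function's IAM policy: selecting Allow unauthenticated invocations binds allUsers to the Cloud Functions Invoker role. The following is an added example, not part of the connector or its documentation, that audits a policy in the JSON shape returned by gcloud functions get-iam-policy with --format=json. The policies, e-mail addresses and function names in it are constructed.

```python
import json

INVOKER = "roles/cloudfunctions.invoker"  # Cloud Functions Invoker
# allUsers is what "Allow unauthenticated invocations" grants;
# allAuthenticatedUsers (any Google account) is flagged as well.
PUBLIC = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policies for two hypothetical functions.
SECURE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/cloudfunctions.invoker",
   "members": ["user:alice@example.com", "group:workflows@example.com"]},
  {"role": "roles/cloudfunctions.viewer", "members": ["user:bob@example.com"]}
], "version": 1}
""")
UNSECURE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/cloudfunctions.invoker", "members": ["allUsers"]}
], "version": 1}
""")


def invoker_members(policy):
    """Return every member bound to the Cloud Functions Invoker role."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == INVOKER:
            members.update(binding.get("members", []))
    return members


def audit_function(policy, user_email):
    """Report public invoker bindings and whether user_email is an invoker."""
    members = invoker_members(policy)
    public = sorted(members & PUBLIC)
    return {
        "secure": not public,  # True when no public principal can invoke
        "public_members": public,
        # Direct bindings only: group membership and roles granted at the
        # project level are not resolved here.
        "user_is_invoker": f"user:{user_email}" in members,
    }


if __name__ == "__main__":
    for name, policy in (("secure-fn", SECURE_POLICY), ("open-fn", UNSECURE_POLICY)):
        print(name, audit_function(policy, "alice@example.com"))
```

A function reported with "secure": False is one the Invoke Function card will not call, and a user reported with "user_is_invoker": False may still hold the role through a group or a project-level grant.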

Supported Scopes

  • https://www.googleapis.com/auth/cloud-platform

  • https://www.googleapis.com/auth/cloudfunctions

  • openid

  • email

Disclaimer Statement

The app's use of information received from Google Cloud Functions APIs will adhere to Google's Limited Use Requirements.