Developer Guide: GCP Cloud Functions, Endpoints & ESP (Extended Server Proxy)

The first thing to keep in mind is permissions!.


Deploy an HTTP service(Cloud Function) on Cloud Run (fully managed) by using Cloud Endpoint (HTTP Proxy) and expose the service publically through a proxy, ESP (External Service Proxy).

Basic Concepts

  1. The service is a definition of HTTP methods handlers. You can define a handler in any language. The function needs to process an HTTP request and return an HTTP response.
// Package p contains an HTTP Cloud Function.
package p

import (

// This function can act as a request router too and check for HTTP method type.
func HelloWorld(w http.ResponseWriter, r *http.Request) {
  var d struct {
    Message string `json:"message"`
  if err := json.NewDecoder(r.Body).Decode(&d); err != nil {
    fmt.Fprint(w, "Hello World!")
  if d.Message == "" {
    fmt.Fprint(w, "Hello World!")
  fmt.Fprint(w, html.EscapeString(d.Message))
  1. Next, we need an HTTP server to call these methods. A cloud function exposes these handlers to Cloud Endpoint. You just plug handlers to the HTTP Proxy.

  2. The mapping of a handler to a path is defined using a YAML file (e.g. OpenAPI). We will come to that after spawning and deploying an HTTP Proxy server.

  3. Extensible Service Proxy is the solution for the proxy. Deploy it as explained in Deploying Cloud Endpoint. The deployment creates a container for ESP and a public HTTP address. Make sure that you pass --allow-unauthenticated.

  4. The public HTTP address of ESP is used by your application clients. The ESP needs to know the request routing. So we define a mapping of request path => HTTP method & Cloud Function Name.

  5. The Cloud Function becomes backend for the ESP.

  6. GCP uses a service account entity as a manager for Cloud Functions, ESP and Endpoint. The account has a role and permissions.

At a minimum, Endpoints and ESP require the following services:

  1. Make sure that the Cloud Function has privileges on used resources such as pubsub.

  2. At the end, you MUST enable public, unauthenticated access to the ESP. Without running this step, you will get error as following:

$ curl -X POST -H "content-type:application/json" -d "user_id":"123u" ""
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>403 Forbidden</title>
<body text=#000000 bgcolor=#ffffff>
<h1>Error: Forbidden</h1>
<h2>Your client does not have permission to get URL <code>/pubsub-function</code> from this server.</h2>


  • Test the Cloud Function inependently from Google Console
  • Test the ESP from Cloud Run console. You will see all error logs here.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: