Netlify Functions & Working with Google Maps API Key Restrictions

Hi there,

I have a Gatsby site that I’m deploying to Netlify using the following parameters:

My site uses Netlify Functions in the following scenario:

  • Google Maps Geocoding API
  • When a user enters in an address on a form, the address is passed to a Netlify Function which calls the Google Maps Geocoding API and returns a { lat, long } object.

The problem:

  1. Per Google Maps, the only restrictions I can place on “web service” APIs, including the Geocoding API, are IP address based.

  1. When I ping my customdomain.com, it appears to return a relatively static IP address, however, is this susceptible to change? How frequently? And how can I effectively restrict my API key in this scenario?

  2. When I ping my staging.customdomain.com, it often returns a dynamic address after completing a new deploy. How can I restrict the API key in this scenario?

Any help would be greatly appreciated! Thanks.

Hey @ardiewen,

You might find the following discussion useful. In short, this isn’t possible with Netlify Functions but not impossible!

Hey @Pieparker, thanks for following up. I feared as much.

Would an appropriate solution be to:

  1. Remove restrictions on the Google API key
  2. Restrict access to the lambda function using the http-referer header?

Understanding that if someone were to get access to the key itself, they would still be able to hit the API unrestricted. The idea is, at least they wouldn’t be able to hit my site to use the API.

I understand that static IP address restrictions are not “in the spirit of” serverless functions, but given the restrictions placed upon us by API providers, I’m trying to understand what the best practice is for handling this situation.

I’d like to keep everything on the Netlify platform as opposed to some of the other solutions such as spinning up a VPS.

Any additional comments would be welcome! Thanks.

@ardiewen, I actually ran into that issue myself. What I did was to obfuscate my api key in a lambda function: https://github.com/depadiernos/token-hider-inator. You can combine that with the http-referer header and that should get you pretty close to what you want. Let me know if that helps.