5

According to the Google documentation, the 'allAuthenticatedUsers' member would include anybody who is authenticated, including regular Gmail accounts. So I gave that member the 'Cloud Functions Invoker' role, thinking that any authenticated user should be able to invoke my Google Cloud function. That is not working. I get the following results:

Error: Forbidden Your client does not have permission to get URL /function-1 from this server.

I have proven that if I grant the 'Cloud Functions Invoker' role to 'allUsers', then the function can be invoked. So I know the function works (it is the default function that Google Cloud creates).

So why doesn't granting the 'allAuthenticatedUsers' member the 'Cloud Functions Invoker' role work for Google Cloud Functions? What am I missing?

Thank you

mj21
  • 141
  • 1
  • 7
  • 1
    How are you testing this? What headers have you added to the request? Your code/app is required to add the HTTP header `Authorization: Bearer IDENTITY_TOKEN` to the request. Edit your question with code for the client making the request or a capture of the HTTP request with headers. – John Hanley Oct 05 '19 at 15:57
  • I did two tests. The first one using postman, where I got the access token by using an oauth client I created under my project. The token was sent as the bearer token. That didn't work. My second test was to simply go to chrome, login to google and then call the URL of the function. I have not written client code yet since I'm unable to make it work through postman. – mj21 Oct 05 '19 at 22:49
  • @JohnHanley I just tried using the identity token instead of the access token and that didn't work either. – mj21 Oct 05 '19 at 23:11
  • 2
    Neither method that you used is valid. For the first method, you need to use an Identity Token; you used an Access Token. For the second method, Chrome does not add an Identity Token when calling your endpoint. Adding the Authorization header is something that you must code and include in HTTP requests. For browsers this means writing JavaScript. Notice my emphasis on Identity Token. Access Tokens will not work. – John Hanley Oct 05 '19 at 23:11
  • 1
    @JohnHanley Thank you very much! It works. I must have done something wrong when I tried the identity token before. That token has probably expired by now and that's why my attempt failed 10 minutes ago. I just got a new token and it worked :) So the key thing here is to use the **id_token not access_token**. Thank you very much! – mj21 Oct 05 '19 at 23:26
  • 2
    @mj21 Could you tell me how you were able to get the ID token? We are using firebase.auth().currentUser.getIdToken().then(token ... and sending that in an Authorization: Bearer {token} header, but still getting 403 errors, so we've ended up having to give the invoker role to allUsers :( – bishbashbosh Jun 29 '20 at 10:49

3 Answers

8

Correct Answer

Credit goes to John Hanley. I needed to use the id_token instead of my access_token in the bearer token authorization header.

I'm not sure how to mark this question as answered. I couldn't accept the comment, nor could I accept my own answer. My objective is to help others who are having the same question by marking this question as answered, but I cannot do it. Weird!

Please Mark the answer as correct if you can.

mj21
  • 141
  • 1
  • 7
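The accepted answer and the comments boil down to one check: the bearer token sent to a Cloud Function protected by the Invoker role has to be a Google-issued OpenID Connect ID token whose `aud` claim is the function's URL, not an OAuth2 access token. The following script is an added example (not code from the question, the answerer, or Google) that performs that pre-flight check on a token before it is put in the `Authorization` header, so that the two mistakes discussed above (sending an access token, or sending a JWT minted for a different audience or issuer) are caught on the client instead of as an opaque 403 from the server. It assumes a placeholder trigger URL (`FUNCTION_URL`; the question shows only the path `/function-1`), and it deliberately does not verify the signature: that is the job of the Cloud Functions IAM layer, and the unsigned test tokens constructed here would never be accepted by it.

```python
import base64
import json
import time
from typing import Dict, List, Optional

# Placeholder: the question shows only "/function-1", so REGION and PROJECT_ID are assumed.
FUNCTION_URL = "https://REGION-PROJECT_ID.cloudfunctions.net/function-1"

# Issuer values carried by Google-signed OIDC identity tokens.
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore the padding first."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> Dict:
    """Return the claims of a JWT *without* verifying its signature (pre-flight only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def make_unsigned_jwt(claims: Dict) -> str:
    """Constructed test token only (alg=none, empty signature): Google would reject it;
    it exists so the checks below can be exercised offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def preflight_identity_token(token: str, function_url: str,
                             now: Optional[float] = None) -> List[str]:
    """Return a list of problems; an empty list means the token is worth sending."""
    now = time.time() if now is None else now
    # Google OAuth2 access tokens are opaque strings starting with "ya29."; they are not JWTs.
    if token.startswith("ya29."):
        return ["OAuth2 access token (ya29.*) supplied; Cloud Functions IAM needs an ID token (a JWT)"]
    try:
        claims = decode_jwt_claims(token)
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        return ["token is not a decodable JWT"]
    problems: List[str] = []
    if claims.get("aud") != function_url:
        problems.append(f"audience mismatch: aud={claims.get('aud')!r}, expected {function_url!r}")
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append(f"issuer {claims.get('iss')!r} is not Google's OIDC issuer")
    if claims.get("exp") is None or claims["exp"] <= now:
        problems.append("token expired or has no exp claim")
    return problems


def authorization_header(token: str, function_url: str) -> Dict[str, str]:
    """Build the header the function expects, refusing tokens that fail pre-flight."""
    problems = preflight_identity_token(token, function_url)
    if problems:
        raise ValueError("; ".join(problems))
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    # Constructed sample tokens: one shaped like a valid ID token, one Firebase-style, one access token.
    samples = {
        "id_token": make_unsigned_jwt({"iss": "https://accounts.google.com", "aud": FUNCTION_URL,
                                       "exp": 2_000_000_000, "email": "user@example.com"}),
        "firebase_token": make_unsigned_jwt({"iss": "https://securetoken.google.com/my-project",
                                             "aud": "my-project", "exp": 2_000_000_000}),
        "access_token": "ya29.constructed-access-token",
    }
    for name, tok in samples.items():
        print(name, "->", preflight_identity_token(tok, FUNCTION_URL) or "ok")
```

For a real token for your own Google account, `gcloud auth print-identity-token` prints one that you can pass to `authorization_header`; the function then verifies the signature and checks that the account is covered by the Invoker binding. A Firebase Auth ID token fails the issuer check here because it is issued by `securetoken.google.com` for the Firebase project rather than by Google's OIDC issuer for the function URL, which matches the 403 reported in the comments.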
0

You should not apply allUsers and allAuthenticatedUsers at the project level, according to the Cloud Functions Docs (see the note in "Controlling access on all functions in a project"). Can you try to apply this to the single function you want to protect?

petomalina
  • 2,020
  • 2
  • 19
  • 25
  • Thanks for the response. Yes, I applied it at the function level, not the project level. But that doesn't work. – mj21 Oct 05 '19 at 14:09
0

You can apply this role on a single function.

If you want to secure all the resources in your project, I mean, if you don't want to allow allUsers on GCP resources like Functions, Cloud Run, Storage (...), you can activate the Domain Restriction Sharing Policy (DRS). With it, allUsers is forbidden.

guillaume blaquiere
  • 66,369
  • 2
  • 47
  • 76