19

Whenever I have to deploy a new python function using the gcloud sdk I get this message

Allow unauthenticated invocations of new function [function-name]?

(y/N)?

WARNING: Function created with limited-access IAM policy. To enable unauthorized access consider

"gcloud alpha functions add-iam-policy-binding function-name --region=europe-west1 --member=allUsers --role=roles/cloudfunctions.invoker"

Is there any flag I can add to the command to make it a NO when deploying?

This is a sample command I use to deploy one function:

gcloud functions deploy function-name --region=europe-west1 --entry-point function-entry-point --trigger-resource "projects/my-project/databases/(default)/documents/user_ids/{user_id}" --trigger-event providers/cloud.firestore/eventTypes/document.create --runtime python37 --timeout 60 --project my-project
Dustin Ingram
  • 20,502
  • 7
  • 59
  • 82
Guanaco Devs
  • 1,822
  • 2
  • 21
  • 38
  • What happens if you specify a service account with the `--service-account` flag? – McKay M May 01 '20 at 23:52
  • Added the full warning message that suggest using `gcloud alpha`. There is: https://cloud.google.com/sdk/gcloud/reference/functions/deploy#--allow-unauthenticated, but the thing is that I do not want to allow unauthenticated calls. How do you suggest to use `--service-account` – Guanaco Devs May 02 '20 at 00:31
  • 1
    Specify a service account to gain access to the cloud function. Maybe that error is thrown if you give no information about permissions. I was reading the comments on this thread: https://stackoverflow.com/questions/57122047/google-cloud-function-not-created-with-private-access – McKay M May 02 '20 at 00:36
  • That's the same question I have. But the thing is that I do not want to set any IAM policy other than not access to unauthorized access by using the `deploy` command, I already tried the `beta` and `alpha` as suggested there but still is asking me for IAM policy. I'm looking for a flag to add to the `deploy` command. – Guanaco Devs May 02 '20 at 00:54
  • What is your use case? – McKay M May 02 '20 at 00:56
  • Is a python `cloud-function` – Guanaco Devs May 02 '20 at 00:59
  • Seems like `--quiet` will ignore the question, will give me the `WARNING` but will default the function with limited IAM policy. Which is what I want. – Guanaco Devs May 02 '20 at 01:00

3 Answers3

17

I just encountered this problem as well and discovered that you can supply --no-allow-unauthenticated to pre-emptively answer "no" to this question.

gcloud functions deploy MyFunction \
  --runtime=go116 --trigger-http --no-allow-unauthenticated
David
  • 618
  • 5
  • 9
10

From https://cloud.google.com/sdk/docs/scripting-gcloud#disabling_prompts:

You can disable prompts from gcloud CLI commands by setting the disable_prompts property in your configuration to True or by using the global --quiet or -q flag.

So for your example, you could run:

gcloud functions deploy function-name --quiet --region=europe-west1 --entry-point function-entry-point --trigger-resource "projects/my-project/databases/(default)/documents/user_ids/{user_id}" --trigger-event providers/cloud.firestore/eventTypes/document.create --runtime python37 --timeout 60 --project my-project
Dustin Ingram
  • 20,502
  • 7
  • 59
  • 82
  • 2
    I think that's just a workaround rather than a solution. – Guanaco Devs May 02 '20 at 02:45
  • 1
    This answer seems to be the officially recommended way to answer this question rather than a workaround as suggested in other comments. From the docs: "_Some gcloud CLI commands are interactive, prompting users for confirmation of an operation or requesting additional input for an entered command. In most cases, this is not desirable when running commands in a script or other automation. You can disable prompts from gcloud CLI commands [...] by using the global `--quiet` or `-q` flag_". I think the downvotes aren't justified – Voy Dec 10 '20 at 08:13
8
  1. Select the service
  2. Click Show Info Panel to display the Permissions tab.
  3. In the Add members field, allUsers
  4. Select the Cloud Functions Invoker from roles
  5. Add

or

  gcloud functions add-iam-policy-binding FUNCTION \
  --member='serviceAccount:FUNCTION_IDENTITY' \
  --role='roles/cloudfunctions.invoker'

 gcloud run services add-iam-policy-binding [SERVICE_NAME] \
    --member="allUsers" \
    --role="roles/cloudfunctions.invoker"
Tiago Medici
  • 1,944
  • 22
  • 22