4

I have a service on Cloud Run (Service A) who is trying to call another service on Cloud Run (Service B). Both the services are in us-east1. For Service B, Ingress is set to 'Allow internal traffic only' and Authentication is set to 'Allow unauthenticated invocations.

I created a Serverless VPC Connector in the same region as the services and set the IP address range to 10.8.0.0/28. 

I then connected Service A to the connector mentioned above and set 'Route only requests to private IPs through the VPC connector'.

I seem to be getting a 403 when attempting to hit the service. Has anyone had this issue? If so, how did you solve this problem?

snowman
  • 85
  • 6

4 Answers4

4

You need to set the egress to All, to route all the traffic to the serverless VPC connector.

Indeed, even if you set the service B to internal egress, the Cloud Run service is still exposed publicly, but an additional check is performed on the requests that come in to validate the traffic origin (comes from your VPC or not).

In your case, in the service A, with the private range only egress, you route only the traffic going to private IP, and it's not the case of the always-publicly-exposed "internal" service B.

guillaume blaquiere
  • 66,369
  • 2
  • 47
  • 76
  • Hey @guillaumeblaquiere , thanks for all the answers you provide, I'm looking for a bit more on this answer, such as a recommended method if `service A` needs to access the internet. I asked the question here https://stackoverflow.com/questions/68319456/gcp-cloudrun-add-nat-gateway-or-internal-service-ingress-all , could you provide some insight? – Kevin Danikowski Jul 09 '21 at 15:43
0

I am guessing that the code 403 you are getting it from the cloud run service and that is a problem with the authentication, so to solve that error code you could follow this link, there you will find a detail explanation of how authenticated users for you services.

Robertocd_98
  • 404
  • 2
  • 8
0

I was able to fix this issue. This must be used when you have to use authenticated user to access cloud run application

Accessing Authenticated Cloud Run applications using IAP

sidharth vijayakumar
  • 1,190
  • 5
  • 29
-1

It means that your client is not authorized to invoke this service. You can address this by taking one of the following actions:

  1. If the service is meant to be invocable by anyone, update its IAM settings to make the service public.
  2. If the service is meant to be invocable only by certain identities, make sure that you invoke it

Please find the link that might help in troubleshooting this error.

tomerpacific
  • 4,704
  • 13
  • 34
  • 52
Lavanya LNU
  • 44
  • 1