2

I have a Google Cloud Function with an HTTP trigger (which triggers on click on the trigger URL). The permissions for the Cloud Function were on "allUsers", which allows anyone with the link to trigger the function, which is not desired.

Then I saw that it was possible to restrict this by selecting certain Cloud Function Invokers, but this does not seem to work: the selected Cloud Function Invokers get an "Access Forbidden" error when triggering the Cloud Function by clicking on the Trigger URL, as if they were not authenticated. Has anyone found a fix for this?

Thank you

  • What do you mean by "this does not seem to work"? What exactly did you try? You have to pass along the service account credentials with invoker permission in the request in order to authenticate the call. – Doug Stevenson Aug 03 '22 at 13:10
  • See also: https://stackoverflow.com/questions/46358013/secure-google-cloud-functions-http-trigger-with-auth?rq=1 – Sander van den Oord Sep 09 '22 at 09:27

1 Answer

1

If you no longer have access when you remove the allUsers permission, that is a good sign!

The problem is your access method. You are using your own user account (which has the Cloud Function Invoker role) but with your browser. Your browser request is sent without any authentication header.

If you want to call your Cloud Function now, you have to add an authorization header with an identity token as the bearer value. This command works:

curl -H "Authorization: bearer $(gcloud auth print-identity-token)" <cloud function URL>

Note that you need an identity token, not an authorization token.

guillaume blaquiere
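To tell an identity token from other bearer values before sending it, the token's JWT payload can be decoded locally. The script below is an added example, not part of the original answer: the function names and sample claims are constructed for illustration, the JSON lookup is deliberately naive, and no signature is verified.

```shell
# Constructed, unsigned sample tokens are built by make_sample (illustration only).
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
make_sample() { printf '%s.%s.sig' "$(b64url_encode '{"alg":"none"}')" "$(b64url_encode "$1")"; }

b64url_decode() {
  # JWT segments are unpadded base64url: map the alphabet back and restore '='.
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="$seg==" ;;
    3) seg="$seg=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

jwt_payload() {
  # An identity token is a JWT: exactly header.payload.signature.
  case $1 in
    *.*.*.*) return 1 ;;
    *.*.*) ;;
    *) return 1 ;;
  esac
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

claim() {
  # Naive lookup of one top-level string or numeric claim ($1) in JSON text ($2).
  printf '%s' "$2" | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",}]*\).*/\1/p"
}

check_bearer() {
  # $1 = token, $2 = current Unix time; prints a one-line verdict.
  payload=$(jwt_payload "$1") || { echo "not-a-jwt"; return 1; }
  exp=$(claim exp "$payload")
  [ -n "$exp" ] || { echo "jwt-without-exp"; return 1; }
  [ "$exp" -gt "$2" ] 2>/dev/null || { echo "expired"; return 1; }
  echo "identity-token email=$(claim email "$payload") aud=$(claim aud "$payload")"
}

# With a real token: check_bearer "$(gcloud auth print-identity-token)" "$(date +%s)"
```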