ethanenglish

Reputation: 1327

403 Response from Google Cloud Functions

I'm receiving the following error when trying to execute a Cloud Function endpoint from the web:

<!DOCTYPE html>
<html lang=en>
  <meta charset=utf-8>
  <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
  <title>Error 403 (Forbidden)!!1</title>
  <style>
    *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5pxno-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}
  </style>
  <a href=//www.google.com/><span id=logo aria-label=Google></span></a>
  <p><b>403.</b> <ins>That’s an error.</ins>
  <p>Access is forbidden.  <ins>That’s all we know.</ins>

I followed this tutorial: https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/functions/helloworld/main.py

When calling the function as noted here: https://cloud.google.com/functions/docs/writing/http, I receive a 403 error. I'm logged into the gcloud project and using the correct user.

Deploy command:

gcloud beta functions deploy hello_get --runtime python37 --trigger-http

From this doc: https://cloud.google.com/functions/docs/concepts/python-runtime

Called it with this command: curl -X POST https://<REGION-PROJECT_ID>.cloudfunctions.net/hello_get

From this doc: https://cloud.google.com/functions/docs/writing/http

It's odd because this started happening about 3 weeks ago. Old functions stopped working and return a 403 response. I deployed the sample function in the UI and it only works when deploying from the UI but fails with a 403 when going to the endpoint via an HTTP request.

Also, the function successfully executes when using the command: gcloud functions call hello_get

Was there a change in GCF auth over the last couple of weeks?

UPDATE: I was able to identify the issue. The project I was on and the user were in a beta auth program. After switching to a user and project not in the program, I was able to access the endpoint.

Thank you for the help.

Upvotes: 34

Views: 37658

Answers (6)

Andre Miras

Reputation: 3840

Based on Mike's accepted answer and the upstream bug report, here's the way to do it with Terraform (given a google_cloudfunctions2_function.function).

resource "google_cloudfunctions2_function_iam_member" "public_invoker" {
  project        = google_cloudfunctions2_function.function.project
  location       = google_cloudfunctions2_function.function.location
  cloud_function = google_cloudfunctions2_function.function.name
  role           = "roles/cloudfunctions.invoker"
  member         = "allUsers"
}

resource "google_cloud_run_service_iam_member" "public_invoker" {
  location = google_cloudfunctions2_function.function.location
  service  = google_cloudfunctions2_function.function.name
  role     = "roles/run.invoker"
  member   = "allUsers"
}

Upvotes: 1

Tim Scollick

Reputation: 1410

If you're using 2nd Gen functions after deployment, the process is a little bit different from @Mike Karp's answer (which seems like it should work). You need to:

  1. Go to Google Cloud console

  2. Click the linked name of the function to which you want to grant access.

  3. Click the Powered By Cloud Run link in the top right corner of the Function details overview page.

  4. Open the Security tab, and under Authentication, select Allow unauthenticated invocations.

  5. Click Save.

Source: https://cloud.google.com/functions/docs/securing/managing-access-iam

Upvotes: 20

Daniel De León

Reputation: 13639

On deploy via gcloud, add the --allow-unauthenticated flag and then add the member allUsers with the invoker role to the function configuration.

Sample

gcloud functions deploy my-function --gen2 --region=us-central1 --runtime=nodejs16 --entry-point=myFunction --trigger-http --allow-unauthenticated

gcloud functions add-iam-policy-binding my-function --member="allUsers" --role="roles/cloudfunctions.invoker" --region=us-central1

FYI: https://cloud.google.com/functions/docs/securing/managing-access-iam#allowing_unauthenticated_http_function_invocation

Upvotes: 3

Mike Karp

Reputation: 1626

It seems to me that additional IAM functionality was added to Google Cloud Functions, and as a result, you may not have turned on allUsers access to the function (FYI this gives access to the whole web).

  1. On the Cloud Functions homepage, highlight the Cloud Function you want to add all access to.

  2. Click "Permissions" on the top bar.

  3. Click "Add Principal" and type "allUsers" then select "Cloud Function Invokers" under "Cloud Function" in the Role box.

  4. Click "Save"

  5. Click "Allow Public Access"

Updated for new Google UI for Cloud Functions

Upvotes: 68
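
Since the fixes in these answers open a function to the whole web through an `allUsers` invoker binding, this added example (not part of any answer or of Google's tooling) audits IAM policy JSON for such bindings. It assumes the policy shape printed by `gcloud functions get-iam-policy NAME --format=json`; the function names and policies are constructed samples, and the helper names are hypothetical.

```python
import json

# Roles named in the answers on this page: 1st gen functions use the Cloud
# Functions invoker role, 2nd gen functions are backed by Cloud Run.
INVOKER_ROLES = {"roles/cloudfunctions.invoker", "roles/run.invoker"}
# IAM principals meaning "anyone on the internet" / "any Google account".
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def public_invoker_bindings(policy):
    """Return (role, member) for each binding that lets a public principal
    invoke the function. `policy` is a parsed IAM policy dict."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") not in INVOKER_ROLES:
            continue
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((binding["role"], member))
    return findings


def audit(policies):
    """Map resource name -> findings, keeping only publicly invocable ones."""
    report = {}
    for name, policy_json in policies.items():
        findings = public_invoker_bindings(json.loads(policy_json))
        if findings:
            report[name] = findings
    return report


# Constructed sample policies (not real project data).
SAMPLE_POLICIES = {
    "hello_get": '{"bindings": [{"role": "roles/cloudfunctions.invoker",'
                 ' "members": ["allUsers"]}], "etag": "BwX=", "version": 1}',
    "my-function": '{"bindings": [{"role": "roles/run.invoker",'
                   ' "members": ["allUsers"]}], "version": 1}',
    "internal_job": '{"bindings": [{"role": "roles/cloudfunctions.invoker",'
                    ' "members": ["serviceAccount:caller@example-project'
                    '.iam.gserviceaccount.com"]}], "version": 1}',
    "no_bindings": '{"etag": "ACAB"}',  # a policy with no bindings at all
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_POLICIES).items():
        for role, member in findings:
            print(f"{name}: {member} holds {role} (publicly invocable)")
```

For a 2nd gen function the relevant policy is the one on the backing Cloud Run service, which is why `roles/run.invoker` is checked as well.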

Mike3355

Reputation: 12081

You could use Postman to send the request, and to get the JWT:

gcloud auth print-identity-token

Upvotes: 1

Amit S

Reputation: 72

I went through some more posts related to the same error. Most of them recommend checking this link for permissions. It is also mentioned to use this document to deploy using the stable version and try again. It's always recommended not to use beta unless you need a beta flag for that command. Before doing this, please make sure you are using the current version of the Google Cloud SDK. One point is not clear: if you deploy the same function in the UI, that should work using endpoints too.

Upvotes: -1
