Getting 403 Forbidden on Google Cloud Run with API key

Question

I have set up a very simple Node application with Express on Google Cloud Run.

It works great, but when I set it up with "Allow unauthenticated invocations to [service] (y/N)?" to No, I get a 403 Forbidden even though I created an API key and I'm making the calls adding key=[My API key] in the query string, as told in the documentation. My URL ends up looking like https://service-wodkdj77sba-ew.a.run.app?key=[My API key].

I've tried with restricted (for Google Cloud Run) and unrestricted API keys.

Is there anything I'm missing?

Answer 1

Cloud Run, like many product in GCP, doesn't support API Key authorization. As detailed in your provided link, only a subset of service use API KEY. It's also mentioned :

API keys do not identify the user or the application making the API request, so you can't restrict access to specific users or service accounts.

Where Cloud Run authentication section specify this here

All Cloud Run services are deployed privately by default, which means that they can't be accessed without providing authentication credentials in the request.

By the way, the Cloud Run expectation and the API Key capabilities aren't compatible.

However, if you want to access to your Cloud Run private service with API Key a workaround exist. You can deploy an Extensible Service Proxy (ESP) on another Cloud Run service. In it, authenticate the API Key and, if it's valid, call the Cloud Run private service with the ServiceAccount of your ESP (which must have roles/run.invoke role).