snowman

Reputation: 85

Getting 403 when connecting to a Cloud Run service when using a Serverless VPC Connector

I have a service on Cloud Run (Service A) which is trying to call another service on Cloud Run (Service B). Both services are in us-east1. For Service B, Ingress is set to 'Allow internal traffic only' and Authentication is set to 'Allow unauthenticated invocations'.

I created a Serverless VPC Connector in the same region as the services and set the IP address range to 10.8.0.0/28. 

I then connected Service A to the connector mentioned above and set 'Route only requests to private IPs through the VPC connector'.

I seem to be getting a 403 when attempting to hit the service. Has anyone had this issue? If so, how did you solve this problem?

Upvotes: 4

Views: 1868

Answers (4)

sidharth vijayakumar

Reputation: 1581

I was able to fix this issue. This must be used when you have to use an authenticated user to access the Cloud Run application:

Accessing Authenticated Cloud Run applications using IAP

Upvotes: 0

Lavanya LNU

Reputation: 54

It means that your client is not authorized to invoke this service. You can address this by taking one of the following actions:

  1. If the service is meant to be invocable by anyone, update its IAM settings to make the service public.
  2. If the service is meant to be invocable only by certain identities, make sure that you invoke it

Please find the link that might help in troubleshooting this error.

Upvotes: -1

Robertocd_98

Reputation: 404

I am guessing that the 403 code you are getting is from the Cloud Run service and that it is a problem with the authentication, so to solve that error code you could follow this link, where you will find a detailed explanation of how to authenticate users for your services.

Upvotes: 0

guillaume blaquiere

Reputation: 75970

You need to set the egress to All, to route all the traffic to the serverless VPC connector.

Indeed, even if you set the service B to internal egress, the Cloud Run service is still exposed publicly, but an additional check is performed on the requests that come in to validate the traffic origin (comes from your VPC or not).

In your case, in service A, with the 'private ranges only' egress, you route only the traffic going to private IPs through the connector, which is not the case for the always-publicly-exposed "internal" service B.

Upvotes: 4
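To make the check in the answer above concrete, here is an added example (not code from the question or from any answer) that inspects the two services' configuration as printed by `gcloud run services describe --format=yaml` and reports whether a call from A to B would be accepted by B's "internal" ingress check. The annotation keys are the real ones Cloud Run uses (`run.googleapis.com/ingress` on the service, `run.googleapis.com/vpc-access-connector` and `run.googleapis.com/vpc-access-egress` on the revision template); the service and connector names are placeholders, and the YAML files created at the bottom are constructed samples, not real describe output.

```shell
#!/usr/bin/env bash
# Added example, not from the question or any answer. Assumes placeholder
# names (service-a, my-connector, us-east1); only apply_fix needs gcloud.
set -eu

# annotation FILE KEY -> value of a "KEY: value" line in describe YAML (empty if absent).
annotation() {
  sed -n "s|^[[:space:]]*$2:[[:space:]]*||p" "$1" | head -n1
}

# can_call CALLER_YAML CALLEE_YAML -> 0 if the callee's ingress check will pass,
# 1 (with the reason on stderr) otherwise.
can_call() {
  local ingress connector egress
  ingress=$(annotation "$2" run.googleapis.com/ingress)
  connector=$(annotation "$1" run.googleapis.com/vpc-access-connector)
  egress=$(annotation "$1" run.googleapis.com/vpc-access-egress)

  # Public ingress performs no origin check at all.
  [ "${ingress:-all}" = "all" ] && return 0

  if [ -z "$connector" ]; then
    echo "caller has no VPC connector: traffic reaches the internal service from the internet" >&2
    return 1
  fi
  # private-ranges-only is the default when --vpc-egress is not given. The callee's
  # *.run.app hostname resolves to a public IP, so such calls bypass the connector
  # and the internal-ingress check rejects them (the 403 in the question).
  if [ "${egress:-private-ranges-only}" != "all-traffic" ]; then
    echo "caller egress is '${egress:-private-ranges-only}': request bypasses the connector; set --vpc-egress=all-traffic" >&2
    return 1
  fi
  return 0
}

# apply_fix SERVICE REGION CONNECTOR -> the corrected setting from the answer:
# route all egress through the connector so calls to B arrive from the VPC.
apply_fix() {
  gcloud run services update "$1" --region="$2" \
      --vpc-connector="$3" --vpc-egress=all-traffic
}

# Stand-alone demo on constructed sample files (no gcloud needed).
demo_dir=$(mktemp -d)
printf 'metadata:\n  annotations:\n    run.googleapis.com/ingress: internal\n' > "$demo_dir/b.yaml"
printf 'spec:\n  template:\n    metadata:\n      annotations:\n        run.googleapis.com/vpc-access-connector: my-connector\n        run.googleapis.com/vpc-access-egress: private-ranges-only\n' > "$demo_dir/a_weak.yaml"
printf 'spec:\n  template:\n    metadata:\n      annotations:\n        run.googleapis.com/vpc-access-connector: my-connector\n        run.googleapis.com/vpc-access-egress: all-traffic\n' > "$demo_dir/a_fixed.yaml"
for caller in a_weak a_fixed; do
  if can_call "$demo_dir/$caller.yaml" "$demo_dir/b.yaml"; then
    echo "$caller -> b: accepted"
  else
    echo "$caller -> b: rejected (403)"
  fi
done
```

Run the block as-is to see the weak and corrected configurations side by side; against real services, dump each one with `gcloud run services describe NAME --region=us-east1 --format=yaml > NAME.yaml` and pass the two files to `can_call`. `apply_fix` is the remediation the answer describes and is the only function that requires `gcloud`.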
