How do I trigger HTTP Google Cloud Functions that are private?

Question

I have a set of functions that call each other and if I set them to internal traffic only and attempt to call them via URL I get a 403 response. If I set them to ALLOW_ALL traffic, I am able to execute them by calling them from a sibling function.

This is how I'm attempting to call the function from the sibling function (python):

    functionURL = os.environ.get("FUNCTION_URL", "")
    metadata_server_url = "http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience="
    token_full_url = metadata_server_url + functionURL
    token_headers = {"Metadata-Flavor": "Google"}

    # Fetch the token
    token_response = requests.get(token_full_url, headers=token_headers)
    jwt = token_response.text

    # Provide the token in the request to the receiving function
    function_headers = {"Authorization": f"bearer {jwt}"}

    r = requests.post(functionURL, json=jsonData, headers=function_headers)

Is there a way to call functions internally when their ingress setting is "Allow internal and GCLB only"?

Answer 1

In your case, you have 2 solutions:

• Either use a serverless VPC connector on the function that perform the call, and route all the egress traffic to the VPC connector. Like that, the request pass through your VPC and is accepted by your private Cloud Function
• Or deploy a Load Balancer in front of your Private Cloud Functions (because your private cloud functions also accept connection from Google Load Balancer), and call directly the Load balancer. But this Load Balancer will have a public IP and I'm not sure that is what you want.

You can also set an "allow all" that already work on your private function. This function is protected by IAM service (because you need to set a JWT Bearer token) and thus, public or private is the token is missing, invalid or unauthorised, your Cloud Functions is protected!