rkabuk

Reputation: 139

GCP IAM Auth on Cloud Run - service

I've hosted a service, let it be a simple webpage, on a Cloud Run Service and set its security to
"Require authentication - Manage authorized users with Cloud IAM."

Added the approved account to IAM with the role Cloud Run Invoker (or any other, up to Admin). When accessing the service via the URL provided in that Cloud Run service, it still returns:

Error: Forbidden (403) Your client does not have permission to get URL / from this server.

I supposed that this would allow certain accounts to access the service (webpage) securely. Am I missing something, or is it not what I thought it

edit: please read the main post comments for additional information, thanks!


Upvotes: 2

Views: 3514

Answers (4)

guillaume blaquiere

Reputation: 75715

If you need to expose a website on Cloud Run or App Engine, and you want to restrict access to Google account users, IAP (Identity-Aware Proxy) is the right solution for you.

It's an authentication proxy that redirects the user to a Google authentication page if they are not authenticated, checks whether the authenticated identity is authorized on your website, and, if so, adds all the required information to every request to your protected backend.

IAP for App Engine is pretty easy to deploy.

IAP for Cloud Run requires a Load Balancer ($14 per month of additional cost).

Upvotes: 3

Sai Chandini Routhu

Reputation: 1676

Error: Forbidden (403) Your client does not have permission to get URL / from this server.

You are getting the above error because, by default, it might be accepting only authenticated calls. You can change the settings to allow unauthenticated calls in the Cloud Function trigger settings.

  • If your business supports it, redeploy your function to accept calls without authentication. This could be helpful in terms of testing.
  • Use the authentication credentials in your request header to call your HTTP function. For instance, the following is how to obtain an identity token using gcloud:

Serving permission error because of the configuration set to "allow internal traffic only"

The ability of resources outside of your Google Cloud project or the VPC Service Controls service perimeter to call an HTTP function is restricted by the ingress settings. This error message indicates that only requests from VPC networks within the same project or VPC Service Controls perimeter are allowed when the "allow internal traffic only" setting for ingress networking is specified.

As per this official doc

See Authenticating for invocation

For Cloud Functions (1st gen), allow public (unauthenticated) access to all users for the specific function. For Cloud Functions (2nd gen) you can do either of the following:

  • Assign the user the Cloud Run Invoker Cloud IAM role for the specific function.

From the Google Cloud console:

  1. Click the linked name of the function to which you want to grant access.

  2. Click the Powered By Cloud Run link in the top right corner of the Function details overview page.

  3. Click Trigger and select Allow unauthenticated invocations.

  4. Click Save.

Upvotes: 0

anon

Reputation:

This is normal.

If you require IAM authentication for your Cloud Run service, you must include an OAuth 2.0 token (an access token).

On the command line, you can achieve this using the curl command as follows:

curl -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type: application/json" -d '{"key": "value"}' -X POST "https://your-cloud-run-url"

If you wish to access it through a web browser, you'll need a browser extension that allows you to modify your headers, like ModHeader. You will need to add the output of gcloud auth print-access-token to the Authorization header, prefixing the token with Bearer like this:

Authorization: Bearer [your token]

Finally, ensure that your account has sufficient privileges to invoke the Cloud Run service.

Upvotes: 1
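The answer above attaches a bearer token by hand, and the 403 in the question gives no hint about which of the page's causes applies (no token attached, identity without the Cloud Run Invoker role, or ingress restricted to internal traffic). The following is an added example, not code from the question or any answer: a small offline preflight that builds the Authorization header, inspects a JWT identity token locally (without verifying its signature, so only for self-diagnosis, never for trusting a token), checks that it is unexpired and that its aud claim equals the service URL, and maps the status Cloud Run returns to the causes named on this page. The service URL and the sample token are constructed placeholders; the aud check assumes an identity token, and an opaque OAuth access token is simply reported as not inspectable.

```python
"""Offline preflight for invoking an IAM-protected Cloud Run service.

Added example (not from the question or any answer). Assumes you already hold
a bearer token, e.g. the output of `gcloud auth print-identity-token`; nothing
here contacts Google, so it runs offline.
"""
import base64
import json
import time
from typing import List, Optional

# Constructed placeholder; replace with your own service URL.
SERVICE_URL = "https://example-service-abc123-uc.a.run.app"


def make_invoke_headers(token: str) -> dict:
    """The header the answer above describes: Authorization: Bearer <token>."""
    return {"Authorization": f"Bearer {token}"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying the signature.

    This is for inspecting your own token before sending it; it must never be
    used to decide whether to trust a token you received.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature); an opaque "
                         "OAuth access token cannot be inspected this way")
    return json.loads(_b64url_decode(parts[1]))


def preflight(token: str, service_url: str, now: Optional[float] = None) -> List[str]:
    """List reasons the request is likely to be rejected before it is sent.

    Cloud Run checks the 'aud' claim of an identity token against the service
    URL, so an aud mismatch or an expired token is caught here, locally.
    """
    now = time.time() if now is None else now
    try:
        claims = decode_jwt_claims(token)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    exp = claims.get("exp")
    if exp is None or exp <= now:
        problems.append("token is expired or has no exp claim")
    aud = claims.get("aud")
    if aud != service_url:
        problems.append(f"aud mismatch: token aud={aud!r}, service={service_url!r}")
    return problems


def explain_status(status: int) -> str:
    """Map the HTTP status Cloud Run returned to the causes named on this page."""
    if status == 200:
        return "invocation accepted"
    if status == 401:
        return "token rejected: the Authorization header carried a bad or expired token"
    if status == 403:
        return ("forbidden: no usable token was attached, the identity lacks the Cloud Run "
                "Invoker role on this service, or ingress is set to internal traffic only")
    return f"unexpected status {status}"


def build_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample JWT for offline testing only (dummy signature)."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.dummysig"


if __name__ == "__main__":
    sample = build_sample_token({"aud": SERVICE_URL, "exp": 2000000000,
                                 "email": "user@example.com"})  # constructed
    print(make_invoke_headers(sample)["Authorization"][:40] + "...")
    print("preflight problems:", preflight(sample, SERVICE_URL) or "none")
    print(explain_status(403))
```

Run the preflight on the token you are about to send; if it reports nothing and the service still answers 403, the remaining causes are the ones the answers list (the identity is not granted Cloud Run Invoker on that service, or ingress blocks the source), which are IAM and networking settings rather than anything in the request itself.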

Muhammed Omer

Reputation: 16

You need to invoke the Cloud Run service using a proper authentication token. You can read more about them here: https://cloud.google.com/run/docs/authenticating/overview#developers

Upvotes: 0
