sohrab

Reputation: 510

Cloud Tasks cannot invoke Cloud Function using deterministic URL

Cloud Function gen2 now supports two types of HTTP URLs:

With non-deterministic URLs, you can simply create a Cloud Task that authenticates with the function, using the following OIDC configuration:

task: {
  httpRequest: {
    url: "https://FUNCTION_NAME-RANDOM_HASH-REGION.a.run.app/something",
    httpMethod: "POST",
    oidcToken: {
      serviceAccountEmail: "[email protected]",
    },
    ...
  }
}

However, if you switch the url to the deterministic variant, the resulting Cloud Task will no longer be able to invoke the Cloud Function and will fail with UNAUTHENTICATED(16): HTTP status code 401.

Upvotes: 1

Views: 48

Answers (1)

sohrab

Reputation: 510

oidcToken also has an audience field:

audience (string)

Audience to be used when generating OIDC token. If not specified, the URI specified in target will be used.

While the @google-cloud/tasks NodeJS client (or Google API) can correctly derive the audience for non-deterministic URLs, this does not seem to be the case for deterministic ones.

You have to explicitly define the audience.

task: {
  httpRequest: {
    url: "https://REGION-PROJECT_ID.cloudfunctions.net/FUNCTION_NAME/something",
    httpMethod: "POST",
    oidcToken: {
      serviceAccountEmail: "[email protected]",
      audience: "https://REGION-PROJECT_ID.cloudfunctions.net/FUNCTION_NAME"
    },
    ...
  }
}

Also, please note that if your URL has additional sub-paths (e.g. /something above), they have to be removed for the audience.

Upvotes: 3
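One way to apply the fix from the answer above consistently when enqueueing tasks, as an added example that is not part of the original answer or of @google-cloud/tasks. The helper names (`audienceFor`, `buildTask`), the https check, and the sample project, function and service account values are assumptions constructed for illustration.

```javascript
// Added example: audienceFor and buildTask are hypothetical helpers.
const DETERMINISTIC_SUFFIX = ".cloudfunctions.net";

// Return the OIDC audience to set explicitly for a deterministic URL, or
// undefined when the default (derived from the target URL) is left in place.
function audienceFor(targetUrl) {
  const u = new URL(targetUrl);
  // Added check (not from the page): keep the bearer token off plain http.
  if (u.protocol !== "https:") {
    throw new Error("refusing non-https target: " + targetUrl);
  }
  if (!u.hostname.endsWith(DETERMINISTIC_SUFFIX)) {
    return undefined; // e.g. *.a.run.app: no explicit audience, as in the question
  }
  // First path segment is FUNCTION_NAME; sub-paths and query are dropped.
  const [functionName] = u.pathname.split("/").filter(Boolean);
  if (!functionName) {
    throw new Error("deterministic URL has no function name: " + targetUrl);
  }
  return `${u.origin}/${functionName}`;
}

// Build the task payload in the shape shown in the answer.
function buildTask(targetUrl, serviceAccountEmail) {
  const oidcToken = { serviceAccountEmail };
  const audience = audienceFor(targetUrl);
  if (audience !== undefined) oidcToken.audience = audience;
  return { httpRequest: { url: targetUrl, httpMethod: "POST", oidcToken } };
}

// Constructed sample inputs (not real resources).
const SAMPLE_SA = "tasks-invoker@example-project.iam.gserviceaccount.com";
const deterministic = buildTask(
  "https://us-central1-example-project.cloudfunctions.net/myFunction/something?x=1",
  SAMPLE_SA
);
const nonDeterministic = buildTask(
  "https://myfunction-abc123-uc.a.run.app/something",
  SAMPLE_SA
);
console.log(JSON.stringify({ deterministic, nonDeterministic }, null, 2));
```
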
