Google HTTP Cloud Function returns 403 - google-cloud-functions

I use serverless framework to manage my cloud functions. Some of them are of HTTP type. Recently, all the HTTP functions started to fail with 403 error. No matter if you enter a URL in a browser or trigger it with the cloud scheduler. The only place where it works is the testing tab of the function in the cloud console, when you click the "Test the function" button.

So, I did not find the reason for the error, but it was fixed by removing the function and redeploying it:
serverless remove
serverless deploy

Is it possible that the Identity Aware Proxy has been enabled for the Cloud Function URLs? If you navigate to Cloud Console and then to "Security" and "Identity-Aware Proxy", you should be able to see the IAP settings and whether the Cloud Function is being protected by IAP.
If that is not the cause, I would advise putting some logging in your function that would make it clear whether the function is getting called and then returning a 403 somewhere within the execution of the function (indicating a problem with the function, itself, rather than the identity infrastructure) or if the function is never getting called (the 403 is being produced outside of the Cloud Function), in which case you may need to reach out to Cloud Support for help with this (if IAP isn't the cause).

Google Cloud Functions added some new IAM functionality, not sure how recently, and now new functions don’t have public access by default.
In case someone else comes here, I thought I'd share this information.
To allow your function to be invoked you first have to add permissions to the function. You can do this by selecting the function in the functions list and adding allUsers to the Cloud Invokes role; you can see the step by step at:
https://lukestoolkit.blogspot.com/2020/06/google-cloud-functions-error-forbidden.html

Related

Unable to authenticate HTTP function call from Google Cloud Scheduler

I have created an HTTP Google Cloud Function that does not allow unauthenticated requests.
I have created a service account in the project with one role: Cloud Functions Invoker.
This service account is listed as a principal for my http cloud function and shows to have that role:
I have created a Cloud Scheduler Job to run this function.
In the job, I've specified that I want it to obtain an OIDC token for authenticating requests to the http function:
Whenever I trigger the job, it fails with a message indicating the request is unauthenticated:
Things I've tried:
Recreate the function
Recreate the job
Use a different user (the main service account user - that one doesn't work either)
Do a POST instead of a GET from the scheduler job (I've successfully created scheduled jobs for authenticated http functions before but this is the first time I've done a GET - just grasping at straws really)
Did I miss something? Any idea why it is coming back with the "Unauthenticated" message?
I revisited this today. My IAP protected HTTP function is expecting a query string parameter to be passed into it. The Cloud Platform Web UI automatically sets the audience to the same URL (including the parameter) when creating the Scheduled Job. I figured Google knows what they are doing, so I left it that way originally.
Out of desperation I tried removing this parameter from the audience and that made the authentication work properly.
So, I changed the audience from
https://<myProject>.cloudfunctions.net/myFunction?p=abc
to
https://<myProject>.cloudfunctions.net/myFunction
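The fix above comes down to the audience claim: a Cloud Scheduler OIDC token must carry the function URL without its query string, even if the job's target URL keeps the parameter. This added example (not code from the question or answer) derives that audience from a target URL and shows the matching check the receiving side would do on already-verified token claims; the project/function URL is a constructed sample.

```python
# Added example: audience handling for an authenticated HTTP Cloud Function
# called from Cloud Scheduler with an OIDC token. The audience is the function
# URL stripped of query string and fragment; the job target may keep ?p=abc.
from urllib.parse import urlsplit, urlunsplit

def oidc_audience_for(target_url: str) -> str:
    """Audience for an HTTP function: scheme, host and path only."""
    parts = urlsplit(target_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("function URL must be an absolute https URL")
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))

def audience_matches(claims: dict, function_url: str) -> bool:
    """True if verified ID-token claims were issued for this function.
    `claims` is the decoded payload AFTER signature, issuer and expiry have
    been verified (e.g. by google.oauth2.id_token.verify_token); this helper
    only performs the aud comparison, which is the part the question tripped on."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    return oidc_audience_for(function_url) in (aud or [])

# Constructed sample values (hypothetical project and function).
JOB_TARGET = "https://us-central1-my-project.cloudfunctions.net/myFunction?p=abc"
EXPECTED_AUDIENCE = "https://us-central1-my-project.cloudfunctions.net/myFunction"

if __name__ == "__main__":
    print("audience:", oidc_audience_for(JOB_TARGET))
    # Token minted with the bare URL as audience: accepted.
    print(audience_matches({"aud": EXPECTED_AUDIENCE}, JOB_TARGET))
    # Token minted with the query string in the audience: rejected, the
    # failure mode the question describes.
    print(audience_matches({"aud": JOB_TARGET}, EXPECTED_AUDIENCE))
```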

Why is there no IAM role specific to calling a GCP function?

If I look at https://cloud.google.com/functions/docs/reference/iam/roles#standard-roles I see:
roles/cloudfunctions.admin
roles/cloudfunctions.developer
roles/cloudfunctions.viewer
roles/cloudfunctions.invoker
The latter contains only one permission, cloudfunctions.functions.invoke
We are using Google Cloud Workflows to call our cloud function and its currently failing with error:
"error": {
"code": 403,
"message": "Permission 'cloudfunctions.functions.call' denied on resource 'projects/redacted/locations/europe-west2/functions/funcname' (or resource may not exist).",
"status": "PERMISSION_DENIED"
}
It surprised me that, given there is a roles/cloudfunctions.invoker role, there is no roles/cloudfunctions.caller that includes cloudfunctions.functions.call. roles/cloudfunctions.developer includes that permission but many other things as well. Why is there no such role?
And yes, I know I can create a custom role, would just be nice if I didn't have to.
As I understand the Cloud Functions IAM Permissions:
cloudfunctions.functions.call => Call the callFunction API.
cloudfunctions.functions.invoke => Invoke an HTTP function via its public URL.
You mentioned that "We are using Google Cloud Workflows to call our cloud function"... Not sure, but probably you are using this method - projects.locations.functions.call. It is stated on that page: "To be used for testing purposes as very limited traffic is allowed."
I don't know all details of your context and requirements, but can you invoke the cloud function using its URL?
Extra info
You cannot increase the CALL quota. Insufficient quota generally occurs if you mistakenly use this API to invoke your functions in production. Please keep in mind that this API is meant for testing via Cloud Console or the gcloud functions call CLI, and it cannot handle heavy traffic.
https://cloud.google.com/functions/quotas#rate_limits

unable to test google assistant action on web simulator (Error Cloud function deployment failed. Dismiss)

Hey Respected Community!
I started learning to create Google Actions.
So I created a very basic Google Action, which is invoked by 'hey google talk to Doctor Strange',
and after adding 1 more transition which displays a suggestion, I saved it and am trying to test it,
but I continuously get an error:
cloud function deployment failed.
I am continuously trying to test it but keep getting the error.
Can anyone help me with what I am missing?
Thanks in advance
As you surmise in your comments, using the Inline Editor for the webhook fulfillment requires you to have billing enabled for the cloud project it is attached to. (This is because it uses Cloud Functions for Firebase under the hood, and this requires billing to be enabled, even if you limit yourself to the free tier.)
You don't need to use the Inline Editor, or even Google Cloud Functions, for your webhook. All you need is a public HTTPS server that can accept and respond with JSON.

What is the correct Permission to give GCP Cloud Function (CF) so that it's callable ONLY from another CF?

I need one cloud function (CF) to invoke another CF that is protected. Protected meaning it can only be invoked by other CFs but not from Internet.
Protected CF:
I disabled the "Allow unauthenticated invocations" when creating this.
I now need to give this function the correct Role and Permission so that it can be accessed from other CFs.
I have tried almost all options but keep getting 403 from the invoker.
Any ideas? Thanks!
You can specify that a receiving function accepts requests from other functions by granting the Cloud Functions Invoker role to the calling function identity. More info on this here.
Cloud Functions run under a specific identity, given by the service account they run under. By default, this service account is the same as for App Engine, PROJECT_ID@appspot.gserviceaccount.com. So by giving the invoker role to this service account, you'll allow all your other functions to call this function. You may want to give a different identity/service account to each of your functions to specify access permissions in a more granular way. More info on this here.
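Both the public-URL 403 earlier on this page and the function-to-function case here come down to who holds roles/cloudfunctions.invoker on the function's IAM policy. This added example (not code from any of the answers) audits a policy in the JSON shape that `gcloud functions get-iam-policy FUNCTION --format=json` prints, flagging a public grant (allUsers / allAuthenticatedUsers) and any invoker beyond the one service account that is supposed to call the function; the project name and policy are constructed samples.

```python
# Added example: audit a Cloud Functions IAM policy for the invoker role.
# A 403 on the HTTP URL usually means the caller lacks roles/cloudfunctions.invoker.
# Granting it to allUsers makes the function public; granting it only to the
# calling function's service account keeps it reachable from that function alone.
import json

INVOKER_ROLE = "roles/cloudfunctions.invoker"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy for a hypothetical project "my-project": only the
# default App Engine service account may invoke, nothing is public.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/cloudfunctions.invoker",
     "members": ["serviceAccount:my-project@appspot.gserviceaccount.com"]},
    {"role": "roles/cloudfunctions.developer",
     "members": ["user:dev@example.com"]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}
"""

def invokers(policy: dict) -> set:
    """Every member holding the invoker role in this policy."""
    return {m for b in policy.get("bindings", [])
            if b.get("role") == INVOKER_ROLE for m in b.get("members", [])}

def is_public(policy: dict) -> bool:
    """True if anyone (or any Google-authenticated identity) may invoke."""
    return bool(invokers(policy) & PUBLIC_MEMBERS)

def can_invoke(policy: dict, member: str) -> bool:
    """True if `member` (e.g. 'serviceAccount:...') may invoke, directly or via a public grant."""
    return member in invokers(policy) or is_public(policy)

def audit(policy_json: str, expected_caller: str) -> dict:
    """Summarise invokers and flag the two common misconfigurations."""
    policy = json.loads(policy_json)
    members = invokers(policy)
    return {
        "invokers": sorted(members),
        "public": is_public(policy),                          # 403 gone, but open to the Internet
        "expected_caller_allowed": can_invoke(policy, expected_caller),  # False -> caller gets 403
        "unexpected_invokers": sorted(members - {expected_caller}),      # wider than "only from another CF"
    }

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICY_JSON,
                           "serviceAccount:my-project@appspot.gserviceaccount.com"), indent=2))
```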

Using a cloud function with Pub/Sub

I created a simple cloud function from a template and it got assigned a url as a trigger https://us-central1-myapp-dev.cloudfunctions.net/naguib-testing
Then I created a Pub/Sub Topic and tried to subscribe that url to it but I got an INVALID_ARGUMENT error appear on the console screen.
I went through a similar SO question where the solution is to verify that I own the domain I am trying to connect to, but I don't own cloudfunctions.net :/
I can't understand how that's not supposed to work, or what I should be doing.
Cloud Functions can be created as HTTP functions (as you did) or as Background functions. The latter is automatically invoked via a message on a Google Cloud Pub/Sub topic for example. I believe this is exactly what you'd need here.
However, if for some reason you do prefer to use your HTTP function as Pub/Sub push endpoint, you may be interested in this SO answer, where the site verification is done via an HTML tag.
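To make the two options concrete, this added example (not code from the answer) shows the background-function shape the answer recommends, where Pub/Sub hands the function an event whose "data" field is the base64-encoded message body, alongside a parser for the push-request body an HTTP endpoint would receive instead; the sample event is constructed.

```python
# Added example: Pub/Sub-triggered background function vs. HTTP push endpoint.
# Background functions receive (event, context); the message body arrives
# base64-encoded in event["data"], with optional event["attributes"].
import base64
import json

def parse_pubsub_event(event: dict) -> dict:
    """Decode a Pub/Sub event into {"payload": ..., "attributes": {...}}.
    Payload is parsed JSON when the body is JSON, otherwise the plain text."""
    data = event.get("data")
    text = base64.b64decode(data).decode("utf-8", errors="replace") if data else ""
    try:
        payload = json.loads(text) if text else None
    except json.JSONDecodeError:
        payload = text  # not JSON: keep the text body as-is
    return {"payload": payload, "attributes": event.get("attributes") or {}}

def parse_push_body(body: dict) -> dict:
    """Same decoding for a push subscription's HTTP request body, which wraps
    the message as {"message": {"data": ..., "attributes": ...}, "subscription": ...}."""
    msg = body.get("message") or {}
    return parse_pubsub_event({"data": msg.get("data"), "attributes": msg.get("attributes")})

def handle_message(event: dict, context=None) -> dict:
    """Entry point for the background function (first-generation Python signature).
    `context` carries event_id and timestamp; it is only used for logging here."""
    parsed = parse_pubsub_event(event)
    print(f"event {getattr(context, 'event_id', '?')}: {parsed}")
    return parsed

# Constructed sample event, shaped like what Pub/Sub delivers to the function.
SAMPLE_EVENT = {
    "data": base64.b64encode(b'{"order": 42, "status": "paid"}').decode("ascii"),
    "attributes": {"source": "checkout"},
}

if __name__ == "__main__":
    handle_message(SAMPLE_EVENT)
```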