I recently switched to google cloud functions gen 2 and am having an issue with authentication via API Gateway. I have the new cloud function being called by my gateway with the function itself not allowing unauthorized users. The gateway has a service account attached to it with the cloud functions invoker role (and owner role since I'm troubleshooting).
The error message in the cloud function log is
The request was not authenticated. Either allow unauthenticated invocations or set the proper Authorization header. Read more at https://cloud.google.com/run/docs/securing/authenticating Additional troubleshooting documentation can be found at: https://cloud.google.com/run/docs/troubleshooting#unauthorized-client
I have a test function with the same code that uses cloud functions gen 1 and does not allow unauthenticated users. This function works great when you hit my api gateway. I also have a cloud function gen 2 that does allow unauthenticated users and that also works as expected when hitting the gateway, it's just my gen 2 that doesn't allow unauthenticated users.
For my API gateway yaml file, this is what the file looks like (with sensitive information XXX'd out),
swagger: "2.0"
info:
title: XXXXXXXX api gateway for carson blade analytics app
description: Sample API on API Gateway with a Google Cloud Functions backend
version: 1.0.0
schemes:
- https
produces:
- application/json
paths:
/convert_csv:
get:
summary: Converts an XLSX file to a CSV file
operationId: convert
x-google-backend:
address: https://convert-csv-XXXXX-ue.a.run.app
responses:
"200":
description: A successful response
schema:
type: string
When I hit the unauthenticated allowed one and look at it's headers, I see
{
"aud": "https://convert-csv-XXXXX-ue.a.run.app/",
"azp": "XXXX",
"email": "XXX@XXX.iam.gserviceaccount.com",
"email_verified": true,
"exp": 1660101164,
"iat": 1660097564,
"iss": "https://accounts.google.com",
"sub": "XXXXX"
}
with the email being the email that is associated with the service account that has the correct cloud function invoker role and the aud being the same address as the address in the cloud api yaml. So it's replacing the authentication header that I'm sending in with its service account one as expected. I've tried reading all the documentation and have tried a bunch of different yaml configurations, but I just can't figure this out.
To summarize, With each one being attached to a cloud api gateway and hitting the endpoint from postman, gen 2 with allow unauthenticated turned off -> doesn't work. gen 2 with allow unauthenticated turned on -> works. gen 1 with allow unauthenticated turned off -> works
Any help would be extremely appreciated, thanks.
Cloud Functions 2nd gen is a wrapper on top of Cloud Run. Many times, the 2 products are entangled.
It's absolutely not clear, and from the beginning in the Alpha version. Despite my remarks to the PM and engineering team, the product has been publicly released and now there are a lot of mistakes and confusions because of this lack of clear separation. Too bad :(