flutter firebase google-cloud-functions google-cloud-iam

Cloud Function with Authentication IAM ERROR 401 (Flutter/Firebase)


I can't secure our cloud functions. The calls fail when I try to call them with HttpsCallable or HttpsCallableFromUrl. It always gives me a 401 ERROR even though the service accounts appear to be configured correctly.

Code Flutter

final result = await firebaseFunctions
          .httpsCallableFromUrl(
            'https://us-central1-NAME_PROJECT.cloudfunctions.net/Prova'
          )
          .call();

Code Cloud Function

const { logger } = require("firebase-functions/v2");
const { initializeApp } = require("firebase-admin/app");
const { getFirestore } = require("firebase-admin/firestore");
const { onCall } = require("firebase-functions/v2/https");
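
initializeApp();

// In the v2 API the handler receives a CallableRequest: the client payload is
// request.data and the caller's Firebase Auth context is request.auth.
exports.Prova = onCall(async (request) => {
  try {
    return { success: true, message: 'ok' };
  } catch (error) {
    logger.error(error.message);
    return { message: 'Error' };
    //res.status(500).send({ message: 'Internal Error' });
  }
});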

Log Cloud Function

2024-11-25 18:33:09.832 CET
POST 401 0 B 0 ms com.TEAM.NAMEAPP.dev/0.0.18 iPhone/17.4 hw/sim https://us-central1-NAME_PROJECT.cloudfunctions.net/Prova
{
httpRequest: {14}
insertId: "6744b4d5000ce64c3251f6a2"
jsonPayload: null
labels: {1}
logName: "projects/NAME_PROJECT/logs/run.googleapis.com%2Frequests"
operation: null
payload: "textPayload"
protoPayload: null
receiveLocation: "us-central1"
receiveTimestamp: "2024-11-25T17:33:09.853205510Z"
resource: {2}
severity: "WARNING"
sourceLocation: null
spanId: "5d2908f5a604aad7"
split: null
textPayload: "The request was not authorized to invoke this service. Read more at https://cloud.google.com/run/docs/securing/authenticating Additional troubleshooting documentation can be found at: https://cloud.google.com/run/docs/troubleshooting#401"
timestamp: "2024-11-25T17:33:09.832156Z"
trace: "projects/NAME_PROJECT/traces/d0f2a1b62b9b9d729cb95b03ad853ca5"
traceSampled: true
}

Log StackTrace

I would like my functions to be private with authentication...


Solution

  • Callable type functions don't ever use IAM to authenticate. They use Firebase Authentication end user accounts, as they are meant to be called directly from your web or mobile app, typically by Firebase end users.

    Firebase Authentication isn't interchangeable with GCP IAM. They are completely different ways of performing authentication. Also, you can't provide IAM credentials with a callable request when using the Firebase SDK to make the request.

    If you must use IAM, then don't bother with a callable function at all - just build a normal HTTP type function. Also beware that including IAM credentials in your web or mobile app would typically be considered a security problem, as you aren't supposed to distribute your service accounts to the public. IAM credentials are only typically used for authenticating backend-to-backend communication.
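An added example, not part of the answer above or the asker's code: a v2 callable that stays reachable at the IAM layer and makes its access decision from the Firebase Authentication context instead. The helper name `requireVerifiedUser`, the verified-e-mail policy and the `uid` field in the response are assumptions for illustration; the `try`/`catch` around `require` only lets the file run where the SDK is not installed.

```javascript
// Added example: enforce Firebase Authentication inside a v2 callable.
let onCall, HttpsError;
try {
  ({ onCall, HttpsError } = require("firebase-functions/v2/https"));
} catch (e) {
  // SDK not available (file run offline): stand-in with the same `code` field.
  HttpsError = class extends Error {
    constructor(code, message) {
      super(message);
      this.code = code;
    }
  };
}

// Hypothetical helper. `request.auth` is populated only when the client
// SDK sent a valid Firebase Auth ID token with the call.
function requireVerifiedUser(request) {
  if (!request.auth) {
    throw new HttpsError("unauthenticated", "Sign in before calling this function.");
  }
  // Assumed policy for this example: only verified e-mail accounts may call.
  if (request.auth.token.email_verified !== true) {
    throw new HttpsError("permission-denied", "Verify your e-mail address first.");
  }
  return request.auth.uid;
}

async function provaHandler(request) {
  const uid = requireVerifiedUser(request);
  return { success: true, message: "ok", uid };
}

// invoker "public" lets the request pass the IAM check that produced the 401
// in the log; the decision to serve the caller is made by the checks above.
if (onCall && typeof exports !== "undefined") {
  exports.Prova = onCall({ invoker: "public" }, provaHandler);
}
```

On the Flutter side the user has to be signed in with Firebase Authentication before `.call()`, so that the SDK attaches the ID token the function checks.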