I'm calling a private http Cloud Function using the google-auth-library in Node.js. This works locally both when authenticated as myself and when impersonating the Cloud Run service account. However, when I deploy this to Cloud Run I get 401 responses on all of these calls.
I cannot figure out why this is. The Cloud Run instance uses the same service account that I had impersonated locally so permissions should not be an issue. Any ideas on what the problem is?
For some extra information, the Cloud Run instance is using a Serverless VPC Access connector for all outbound traffic. I've read that this could be a potential cause, but none of the solutions I've tried surrounding this have helped.
Below is the basic structure of my code.
import { GoogleAuth } from 'google-auth-library';
async function callCloudFunction() {
const functionUrl = 'https://REGION-PROJECT_ID.cloudfunctions.net/FUNCTION_NAME';
const auth = new GoogleAuth();
const client = await auth.getIdTokenClient(functionUrl);
const token = await client.getRequestHeaders();
const res = await fetch(functionUrl, {
method: 'GET',
headers: token
});
const data = await res.json();
return data
}
I wanted to post what solved my issue. The root cause was because my Cloud Function call had an extended route and parameters associated with it, which was causing issues when getting the client with getIdTokenClient.
I was originally calling getIdTokenClient('https://REGION-PROJECT_ID.cloudfunctions.net/FUNCTION_NAME/ROUTE?PARAMETER=ARGUMENT') with the extended route and parameters included. Instead, I should not have been including the extended route and parameters, only the actual function URL. So it would look something like this instead getIdTokenClient('https://REGION-PROJECT_ID.cloudfunctions.net/FUNCTION_NAME').
I'm not sure why it was working locally for me, maybe some other authentication settings were conflicting with the code.
I've provided some updated code below that is working when deployed to Cloud Run. A similar update would work for the code that @guillaumeblaquiere provided.
import { GoogleAuth } from 'google-auth-library';
async function callCloudFunction() {
const functionUrl = 'https://REGION-PROJECT_ID.cloudfunctions.net/FUNCTION_NAME';
const functionRoute = '/ROUTE?PARAMETER=ARGUMENT';
const auth = new GoogleAuth();
const client = await auth.getIdTokenClient(functionUrl);
const token = await client.getRequestHeaders();
const res = await fetch(functionUrl + functionRoute, {
method: 'GET',
headers: token
});
const data = await res.json();
return data
}
I appreciate the responses from everyone who provided potential solutions.