
I recently created a simple cloud function in Firebase to get HTTP responses from an endpoint.
But every time I make a request, I'm getting a 401 with the message "The request was not authorized to invoke this service".

I was following these steps to make my function public:

  1. Go to Cloud Run,
  2. Check the box next to your function,
  3. Click the button "PERMISSION",
  4. In the side bar, click on "ADD PRINCIPAL",
  5. Write "allUsers" and give them the "Cloud Run Invoker" permission.

But in the last step, I got this message:

IAM policy update failed
Invalid state ‘projects/*********/locations/us-central1/functions/#####’: The operation failed with precondition error. This is usually because the system is not in a state required for the operation’s execution

Then I tried this:

  1. Go to the Google Cloud console
  2. Click the linked name of the function to which you want to grant access.
  3. Click the Powered By Cloud Run link in the top right corner of the Function details overview page.
  4. Click Trigger and select Allow unauthenticated invocations.
  5. Click Save.

And I got a similar message related to IAM/Policies:

The ‘Domain Restricted Sharing’ organization policy (constraints/iam.allowedPolicyMemberDomains) is enforced. Only principals in allowed domains can be added as principals in the policy. Correct the principal emails and try again

I’m using the admin account to do all this, but for some reason I don’t have any access to the IAM nor do I have any access to modify the organization’s policies.


2 Answers


  1. You need to follow the documentation here: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#console

    All you need to do is just go into your Organization Policies and then set the domain restricted sharing to "allow all". Once you do that you should be able to set your Firebase functions to public with the allUsers Cloud Function Invoker rule. After that you can put your domain or workspace user id back in the custom allow for the domain restricted sharing organization policy. Good luck.

  2. It seems that the permissions of a V2 function cannot be updated with the common add-iam-policy-binding command. Instead of using "Cloud Run functions" (which sounded plausible to me, too), you have to go to the "Cloud Run" section.

    https://console.cloud.google.com/run/

    There,

    • click on the checkbox beside the name of your function
    • then on the tab Permissions
      -> A new "window" should appear on the right side of the screen.
    • click on the button ADD PRINCIPAL in this new window
      -> A new "window" appears
    • type allUsers in the field New Principals
    • type Cloud Run Invoker in the field Role
    • click on the button SAVE

    That should do it. Your function is now public. With all associated risks.

    Alternatively you can go to the console, select your project and do

    gcloud functions add-invoker-policy-binding <YOUR FUNCTION NAME> \
      --region="<YOUR REGION>" \
      --member="allUsers"
    

    I am not sure, maybe you have to add domain restricted sharing first, as user geobasket suggested.

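To review afterwards which functions ended up publicly invocable, the following added example (not part of either answer) scans an IAM policy for public invoker bindings. It assumes the policy JSON shape printed by `gcloud run services get-iam-policy <SERVICE> --region=<REGION> --format=json`; the function name `public_invoker_bindings`, the sample policy and the account names in it are constructed for illustration.

```python
import json

# Principals that are not tied to one specific identity.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Scope of this check: the invoker roles for 2nd-gen (Cloud Run) and 1st-gen functions.
INVOKER_ROLES = {"roles/run.invoker", "roles/cloudfunctions.invoker"}


def public_invoker_bindings(policy):
    """Return one finding per (invoker role, public member) pair in an IAM policy."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    # A policy without any bindings omits the "bindings" key entirely.
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in INVOKER_ROLES:
            continue
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append({
                    "role": role,
                    "member": member,
                    # Conditional bindings carry a CEL expression; None if unconditional.
                    "condition": (binding.get("condition") or {}).get("expression"),
                })
    return findings


# Constructed sample policy (not real output from any project).
SAMPLE_POLICY = """
{
  "bindings": [
    {"role": "roles/run.invoker",
     "members": ["allUsers",
                 "serviceAccount:caller@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/run.admin", "members": ["user:admin@example.com"]}
  ],
  "etag": "BwXXXXXXXXX=",
  "version": 1
}
"""

if __name__ == "__main__":
    for f in public_invoker_bindings(SAMPLE_POLICY):
        print(f"PUBLIC: {f['member']} holds {f['role']} (condition: {f['condition']})")
```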