403 Response from Google Cloud Functions

17
votes

I'm receiving the following error when trying to execute a Cloud Function endpoint from the web:

<!DOCTYPE html>
<html lang=en>
  <meta charset=utf-8>
  <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
  <title>Error 403 (Forbidden)!!1</title>
  <style>
    *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5pxno-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}
  </style>
  <a href=//www.google.com/><span id=logo aria-label=Google></span></a>
  <p><b>403.</b> <ins>That’s an error.</ins>
  <p>Access is forbidden.  <ins>That’s all we know.</ins>

I followed this tutorial: https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/functions/helloworld/main.py

When calling the function as noted here: https://cloud.google.com/functions/docs/writing/http, I receive a 403 error. I'm logged into the gcloud project and using the correct user.

Deploy command:

gcloud beta functions deploy hello_get --runtime python37 --trigger-http

From this doc: https://cloud.google.com/functions/docs/concepts/python-runtime

Called it with this command: curl -X POST https://<REGION-PROJECT_ID>.cloudfunctions.net/hello_get

From this doc: https://cloud.google.com/functions/docs/writing/http

It's odd because this started happening about 3 weeks ago. Old functions stopped working and return a 403 response. I deployed the sample function in the UI and it only works when deploying from the UI but fails with a 403 when going to the endpoint via an http request.

Also, the function successfully executes when using the command: gcloud functions call hello_get

Was there a change in GCF auth over the last couple of weeks?

UPDATE I was able to identify the issue. The project I was on and user was in a beta auth program. After switching to a user and project not in the program, I was able to access the endpoint.

Thank you for the help.

2
google-cloud-platformgoogle-cloud-functions
The issue isn't due to authentication. Cloud Functions aren't authenticated by default and are available to any caller. Your issue lies elsewhere but it's not clear to me from your summary where this could be. Does the same Function (with repeated calls) continue to return 403s? When you deploy using the UI, is it to the same project? This is particularly curious as it validates the project is enabled, billing is enabled and that the function is deployed so it's curious that calling via curl would not work. Have you checked the logs? Minor point: POST works but this is probably a GET.DazWilkin

2 Answers

32
votes

It seems to me that additional IAM functionality was added to Google Cloud Functions, and as a result, you may have not turned on allUser access to the function (FYI this give acess to the whole web).

  1. On the Cloud Functions homepage, highlight the Cloud Function you want to add all access to.

  2. Click "Show Info Panel" on the top right.

  3. Click "Add Members" and type "allUsers" then select "Cloud Function Invokers" under "Cloud Function" in the Role box.

  4. Click "Save"

-1
votes

I went through some more posts related to the same error. Most of them recommend to check this link for permission. Also it is mentioned to use this document to deploy using stable version and try again. Its always recommend not to use beta until you need any beta flag to use that command. Before doing this please make sure you are using current version of Google Cloud SDK. One point is not clear, If you use to deploy the same function in UI that should work using endpoints too.