3
votes

I'm creating Google Cloud HTTP Function using my python script as follows:

cmd = ("gcloud beta functions deploy " + function_name + " --runtime go111 --trigger-http --memory 128 --region " + cloud_region
       + " --source " + function_path + " --service-account " + my_service_account)

Allow unauthenticated invocations of new function [ExecuteFunctionTest]? (y/N)? N

WARNING: Function created with default IAM policy. To enable unauthorized access consider "gcloud alpha functions add-iam-policy-binding function_name --region=us-central1 --member=allUsers --role=roles/cloudfunctions.invoker"

Then when I do:

gcloud beta functions get-iam-policy function_name

I get the following output:

bindings:
- members:
  - allUsers
  role: roles/cloudfunctions.invoker
etag: BwWOGyVdpDg=
version: 1

Why is 'allUsers' a member here?

The documentation https://cloud.google.com/functions/docs/securing/authenticating and https://cloud.google.com/functions/docs/securing/managing-access says that:

all Cloud Functions are deployed privately, which means that they can't be accessed without providing authentication credentials in the request.

By default, HTTP Functions are only callable by project owners, editors, and Cloud Functions Admins and Developers.

But I'm able to access the Cloud Function URL using a simple curl command or Postman client without any credentials from outside the project.

What could be causing the Cloud Function to have the 'allUsers' member and be publicly accessible?

3
Side question: have you found a way to automate and say "N" to this question? I don't see command-line flags that can do that. - Thomas
@Thomas I did not find an automated way to say N. - user5155835
I got the solution from the Google dev mailing list: For boolean flags, you can use --no-flag-name as the opposite of --flag-name. In this case, you should be able to use --no-allow-unauthenticated. See cloud/sdk/gcloud/reference/topic/command-conventions. (Credit: Chris Gerber) - Thomas
As per my understanding, after you deploy the Cloud Function you can invoke it without providing any token, right? Could you provide more detail of how you are invoking the Cloud Function? The allUsers role: roles/cloudfunctions.invoker means that any user with the role cloudfunctions.invoker is able to invoke the CF, but it doesn't mean that it is public without restrictions. - Enrique Del Valle

3 Answers

1
votes

You can set access with the following command:

https://cloud.google.com/sdk/gcloud/reference/alpha/functions/add-iam-policy-binding

and remove allUsers with the following one:

https://cloud.google.com/sdk/gcloud/reference/alpha/functions/remove-iam-policy-binding

Example:

gcloud alpha functions add-iam-policy-binding function_name --region=us-central1 --member=user:[email protected] --role=roles/cloudfunctions.invoker

gcloud alpha functions remove-iam-policy-binding function_name --region=us-central1 --member=allUsers --role=roles/cloudfunctions.invoker

0
votes

The new IAM features are part of the beta command set. You are using the general availability deployment (GA) commands. Delete your function, then use gcloud beta functions deploy ...

0
votes

The allUsers permission on HTTP functions is default behavior. You can (and maybe should!) remove IAM permissions with:

gcloud alpha functions remove-iam-policy-binding ...

This default behavior for HTTP functions will change after November 1, 2019. Currently, new HTTP functions allow unauthenticated invocation by default. New HTTP functions created after November 1, 2019 will require authentication by default. You can specify whether a function allows unauthenticated invocation at or after deployment.

Source
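The question shows how to spot the problem by reading the get-iam-policy output by eye, and the answers show the remove-iam-policy-binding command and the --no-allow-unauthenticated deploy flag that fix it. The following script is an added example, not code from the question or any of the answers: it parses the policy as JSON (gcloud's --format=json output has the same shape as the YAML shown above), reports any binding held by a public principal, builds the matching remove command, and builds the question's deploy command with the flag from the comments so the interactive prompt never defaults to public. The sample policy is constructed from the question's output; the extra principal allAuthenticatedUsers (any Google account, not just project members) is not mentioned on the page and is included as a second public principal worth flagging.

```python
import json
import subprocess
import sys

# Principals that make a binding effectively public. allUsers is the one the
# question shows; allAuthenticatedUsers is the other special IAM principal
# (any Google account), added here as an assumption beyond the page.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
INVOKER_ROLE = "roles/cloudfunctions.invoker"

# Constructed sample: the JSON form of the policy printed in the question,
# plus one ordinary user binding (placeholder address) for contrast.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"members": ["allUsers"], "role": "roles/cloudfunctions.invoker"},
    {"members": ["user:alice@example.com"], "role": "roles/cloudfunctions.invoker"}
  ],
  "etag": "BwWOGyVdpDg=",
  "version": 1
}
""")


def find_public_bindings(policy):
    """Return (role, member) pairs where a public principal holds a role.

    Only the invoker role lets anyone call the function, but every role
    granted to a public principal is reported so the reviewer can decide.
    """
    hits = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                hits.append((role, member))
    return hits


def is_anonymously_invocable(policy):
    """True when allUsers holds roles/cloudfunctions.invoker (the question's case)."""
    return any(role == INVOKER_ROLE and member == "allUsers"
               for role, member in find_public_bindings(policy))


def remediation_commands(function_name, region, policy):
    """One remove-iam-policy-binding command (as given in the answers) per public binding."""
    cmds = []
    for role, member in find_public_bindings(policy):
        cmds.append([
            "gcloud", "alpha", "functions", "remove-iam-policy-binding", function_name,
            "--region=" + region, "--member=" + member, "--role=" + role,
        ])
    return cmds


def deploy_command(function_name, region, source, service_account):
    """The question's deploy command as an argument list, with the
    --no-allow-unauthenticated flag from the comments appended so the
    'Allow unauthenticated invocations?' prompt is never asked."""
    return ["gcloud", "beta", "functions", "deploy", function_name,
            "--runtime", "go111", "--trigger-http", "--memory", "128",
            "--region", region, "--source", source,
            "--service-account", service_account,
            "--no-allow-unauthenticated"]


def fetch_policy(function_name, region):
    """Live lookup; needs the gcloud CLI and credentials on the machine."""
    out = subprocess.run(
        ["gcloud", "beta", "functions", "get-iam-policy", function_name,
         "--region=" + region, "--format=json"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    # With no arguments the audit runs offline on the constructed sample;
    # pass FUNCTION_NAME REGION to audit a real function instead.
    if len(sys.argv) == 3:
        name, region = sys.argv[1], sys.argv[2]
        policy = fetch_policy(name, region)
    else:
        name, region, policy = "function_name", "us-central1", SAMPLE_POLICY
    for role, member in find_public_bindings(policy):
        print(f"PUBLIC: {member} holds {role} on {name}")
    for cmd in remediation_commands(name, region, policy):
        print("fix:", " ".join(cmd))
```

Run with no arguments to see the sample flagged; run with a function name and region to audit a deployed function. The remove commands are returned as argument lists rather than executed, so the script can be wired into a CI check that fails the build when anything is returned, or passed to subprocess.run once a human has reviewed the output.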