
I am trying to call an HTTP-triggered Cloud Function from a Node server running on a Compute Engine instance. I have set the Compute Engine's service account as invoker of the said function, and both the function and the Compute Engine instance are operating on the same VPC network. Yet, I am getting the default 403 Forbidden error every time I try to call the function from my Node server. If, however, I set the invocation rules of the Cloud Function to "allUsers", the call is made successfully.

Edit: I am running the node server on a docker container.

Any ideas on what is happening?

Thanks a lot in advance.

Edit (solution):

So the solution that I was looking for is explained here. Even though the sample code that the above link points to might help someone, I found it more useful to follow this guide (Service Account JSON certificate), which points to code one can use to get the OIDC token necessary to provide in the request to the function (just remember that the audience when creating the token must be set to the function's URL).

Having the aforementioned OIDC token, one can call the cloud function using a normal HTTP request simply by passing the header Authorization in the following format: Authorization: Bearer {OIDC token}.

Feel free to post any questions regarding this, I will try to answer all. Thanks again to petomalina for pointing in the right direction.

Can you please add the name of the service account (the postfix after @ is what we need to see) and make sure you are adding the Functions Invoker role to the service account used by the Compute Engine instance? - petomalina

Thanks for your answer petomalina. I am using the account that ends with @developer.gserviceaccount.com and that account has been granted the role of Cloud Functions Invoker. Also, it has been set up as a Cloud Functions Invoker member in the Cloud Function I am referring to. - Pedromlm

The default Compute Engine service account is [PROJECT_NUMBER]-compute@developer.gserviceaccount.com. Can you please check if your compute instance isn't using this service account instead of the developer one? You may need to add the invoker role to this service account. - petomalina

[PROJECT_NUMBER]-compute@developer.gserviceaccount.com is the account being used by the Compute Engine instance. This account has also been granted the role of Cloud Functions Invoker in the project and has been added as a Cloud Functions Invoker member on the Cloud Function I wish to call. Not sure I am answering your question! - Pedromlm

One common mistake is that users usually give the "cloudfunctions.invoker" role to a service account, but it also needs the "iam.serviceAccounts.actAs" role. Also please check the Google documentation for Troubleshooting permission errors. - tzovourn

1 Answer


You will need a self-signed JWT in case you are invoking either Function-to-Function or Service-to-Function, e.g. from a compute instance that doesn't have access to the compute metadata.

Please see this doc for Service-to-Function: https://cloud.google.com/functions/docs/securing/authenticating#service-to-function

There is also an example on programmatic authentication here: https://cloud.google.com/iap/docs/authentication-howto#authenticating_from_a_service_account