How I can get access to GCP cloud function from python code using service account?

Question

I've deployed a simple GCP Cloud Function which returns "Hello World!". I need this function to be under authorization. I unmarked "Allow unauthenticated invocations" checkbox, so only authenticated invocations can call this code. I also created Service Account and give next roles: - Cloud Functions Invoker - Cloud Functions Service Agent

my code:

from google.oauth2 import service_account
from google.auth.transport.urllib3 import AuthorizedHttp

if __name__ == '__main__':
    credentials = service_account.Credentials.from_service_account_file('service-account.json',
        scopes=['https://www.googleapis.com/auth/cloud-platform'],
        subject='service-acc@<project_id>.iam.gserviceaccount.com')
    authed_session = AuthorizedHttp(credentials)
    response = authed_session.urlopen('POST', 'https://us-central1-<project_id>.cloudfunctions.net/main')
    print(response.data)

and I've got response:

b'\n<html><head>\n<meta http-equiv="content-type" content="text/html;charset=utf-8">\n<title>401 Unauthorized</title>\n</head>\n<body text=#000000 bgcolor=#ffffff>\n<h1>Error: Unauthorized</h1>\n<h2>Your client does not have permission to the requested URL <code>/main</code>.</h2>\n<h2></h2>\n</body></html>\n'

How to become authorized?

Where are you trying to invoke the function from? There are a number of options depending on your answer: cloud.google.com/functions/docs/securing/authenticating — Dustin Ingram
Your code is generating and sending an OAuth Access Token. You need to generate and send an Identity Token. — John Hanley
The error is because the caller is not authenticated, also I see that the code you are deploying is to generate the Access Token. Usually where the access tokens are generated have public access, what do you want to do? — Soni Sol
Thank you @DustinIngram. I'm trying to invoke it from my local instance. In the future, it will be called by other services. — Voldemort93
@JohnHanley yes, I want to use OAuth token. Because if I'm not mistaken I need to generate Identity Token each time when I want to invoke function due to it's changed. I was hoping that OAuth will do it automatically. — Voldemort93

John Hanley John Hanley · Accepted Answer · 2020-02-17T01:17:10

Your example code is generating an access token. Below is a real example that generates an identity token and uses that token to call a Cloud Functions endpoint. The Function needs to have the Cloud Function Invoker role for the service account being used for authorization.

import json
import base64
import requests

import google.auth.transport.requests
from google.oauth2.service_account import IDTokenCredentials

# The service account JSON key file to use to create the Identity Token
sa_filename = 'service-account.json'

# Endpoint to call
endpoint = 'https://us-east1-replace_with_project_id.cloudfunctions.net/main'

# The audience that this ID token is intended for (example Google Cloud Functions service URL)
aud = 'https://us-east1-replace_with_project_id.cloudfunctions.net/main'

def invoke_endpoint(url, id_token):
    headers = {'Authorization': 'Bearer ' + id_token}

    r = requests.get(url, headers=headers)

    if r.status_code != 200:
        print('Calling endpoint failed')
        print('HTTP Status Code:', r.status_code)
        print(r.content)
        return None

    return r.content.decode('utf-8')

if __name__ == '__main__':
    credentials = IDTokenCredentials.from_service_account_file(
            sa_filename,
            target_audience=aud)

    request = google.auth.transport.requests.Request()

    credentials.refresh(request)

    # This is debug code to show how to decode Identity Token
    # print('Decoded Identity Token:')
    # print_jwt(credentials.token.encode())

    response = invoke_endpoint(endpoint, credentials.token)

    if response is not None:
        print(response)

How I can get access to GCP cloud function from python code using service account?

2 Answers