Google Cloud Functions Deploy “allow unauthenticated invocations…”

9
votes

Whenever I have to deploy a new python function using the gcloud sdk I get this message

Allow unauthenticated invocations of new function [function-name]?

(y/N)?

WARNING: Function created with limited-access IAM policy. To enable unauthorized access consider

"gcloud alpha functions add-iam-policy-binding function-name --region=europe-west1 --member=allUsers --role=roles/cloudfunctions.invoker"

Is there any flag I can add to the command to make it a NO when deploying?

This is a sample command I use to deploy one function:

gcloud functions deploy function-name --region=europe-west1 --entry-point function-entry-point --trigger-resource "projects/my-project/databases/(default)/documents/user_ids/{user_id}" --trigger-event providers/cloud.firestore/eventTypes/document.create --runtime python37 --timeout 60 --project my-project
2
pythongoogle-cloud-platformgoogle-cloud-functionsgcloudgcloud-python
What happens if you specify a service account with the --service-account flag?McKay M
Added the full warning message that suggest using gcloud alpha. There is: cloud.google.com/sdk/gcloud/reference/functions/…, but the thing is that I do not want to allow unauthenticated calls. How do you suggest to use --service-accountRacu
Specify a service account to gain access to the cloud function. Maybe that error is thrown if you give no information about permissions. I was reading the comments on this thread: stackoverflow.com/questions/57122047/…McKay M
That's the same question I have. But the thing is that I do not want to set any IAM policy other than not access to unauthorized access by using the deploy command, I already tried the beta and alpha as suggested there but still is asking me for IAM policy. I'm looking for a flag to add to the deploy command.Racu
What is your use case?McKay M

2 Answers

5
votes

From https://cloud.google.com/sdk/docs/scripting-gcloud#disabling_prompts:

You can disable prompts from gcloud CLI commands by setting the disable_prompts property in your configuration to True or by using the global --quiet or -q flag.

So for your example, you could run:

gcloud functions deploy function-name --quiet --region=europe-west1 --entry-point function-entry-point --trigger-resource "projects/my-project/databases/(default)/documents/user_ids/{user_id}" --trigger-event providers/cloud.firestore/eventTypes/document.create --runtime python37 --timeout 60 --project my-project
1
votes
  1. Select the service
  2. Click Show Info Panel to display the Permissions tab.
  3. In the Add members field, allUsers
  4. Select the Cloud Run Invoker from roles
  5. Add

or

 gcloud run deploy [SERVICE_NAME] --allow-unauthenticated

 gcloud run services add-iam-policy-binding [SERVICE_NAME] \
    --member="allUsers" \
    --role="roles/run.invoker"