2
votes

I created a service account email and added the cloudfunctions.invoker role to that email so that only Cloud Tasks can trigger the Cloud Function, and I removed the allUsers role. But when Cloud Tasks tried to run the Cloud Function, the status code was UNAUTHENTICATED(16): HTTP status code 401 and the execution failed.

My current code and console are like this.

index.ts

import * as functions from 'firebase-functions'
import * as tasks from '@google-cloud/tasks'

export const addTasks = functions.https.onCall((data, context) => {
  // Only signed-in Firebase users may enqueue work.
  if (!context.auth) {
    throw new functions.https.HttpsError('failed-precondition', 'You are not authenticated.')
  }

  const client = new tasks.CloudTasksClient()

  const projectId = functions.config().project.id
  const queue = 'queue'
  const location = functions.config().project.location
  const parent = client.queuePath(projectId, location, queue)
  // Target HTTP function that the task will call.
  const url = `https://${location}-${projectId}.cloudfunctions.net/executeSomething`
  // Service account Cloud Tasks mints the OIDC token for; it must hold
  // roles/cloudfunctions.invoker on executeSomething.
  const serviceAccountEmail = functions.config().project.email

  const task: tasks.protos.google.cloud.tasks.v2.ITask = {
    httpRequest: {
      httpMethod: 'POST',
      url: url,
      oidcToken: {
        serviceAccountEmail: serviceAccountEmail,
      },
    },
    scheduleTime: {
      seconds: ..., // Unix time at which the task should run (value elided in the original post)
    },
  }

  const request: tasks.protos.google.cloud.tasks.v2.ICreateTaskRequest = {
    parent: parent,
    task: task,
  }

  return client.createTask(request)
})

My cloud function's console: [screenshot]

I added the cloud functions invoker role to the service account email.

My firebase project environment variables: [screenshot]

When I added the allUsers role to the Cloud Function, it worked as expected, so I am sure I made a mistake when restricting access. What am I missing?

Update:

My cloud tasks console: [screenshots]

1
This might be a long shot, but the example that was shared in the answer below has the serviceAccountEmail in quotes. Could you try using "service_account_email": service_account_email and check if it fixes the issue? - Rafael Lemos
Did you find out what was not working? - Black_Bacardi
@Black_Bacardi Not yet.. - Ooto

1 Answer

0
votes

Your OIDC token seems broken against the specification

Simply provide the email, without the attribute name, as in this example, or use the snake_case form as described in the spec.
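As an added example (editor's code, not from the question or the answer above), here is the task-building step from the question together with the check a practitioner would run before blaming the token: read the target function's IAM policy and confirm that the invoking service account holds roles/cloudfunctions.invoker and that no public principal does. The interfaces are minimal local mirrors of the Cloud Tasks and IAM JSON shapes so the file runs offline without @google-cloud/tasks; the real client's ITask uses the same camelCase field names (serviceAccountEmail, as in the question's code), while the snake_case spelling applies to the REST JSON body and gcloud. The project id, function name, service account email and policies are constructed sample values.

```typescript
// Added example, not code from the original post. Builds the Cloud Tasks HTTP
// task with an OIDC token and checks the function's IAM policy for the invoker
// binding. Interfaces below are assumed local mirrors of the Cloud Tasks / IAM
// JSON shapes so this runs without @google-cloud/tasks.

interface OidcToken {
  serviceAccountEmail: string; // camelCase in the Node client; snake_case in REST/gcloud
  audience?: string;
}

interface HttpTask {
  httpRequest: {
    httpMethod: 'POST' | 'GET';
    url: string;
    headers?: { [name: string]: string };
    body?: string; // the real client takes bytes; pass Buffer.from(body) there
    oidcToken: OidcToken;
  };
  scheduleTime?: { seconds: number };
}

interface IamBinding {
  role: string;
  members: string[];
}

interface IamPolicy {
  bindings: IamBinding[];
}

function functionUrl(projectId: string, location: string, functionName: string): string {
  return `https://${location}-${projectId}.cloudfunctions.net/${functionName}`;
}

function buildOidcTask(opts: {
  projectId: string;
  location: string;
  functionName: string;
  serviceAccountEmail: string;
  payload: unknown;
  delaySeconds: number;
  nowSeconds?: number; // injectable for deterministic tests
}): HttpTask {
  const url = functionUrl(opts.projectId, opts.location, opts.functionName);
  const now = opts.nowSeconds ?? Math.floor(Date.now() / 1000);
  return {
    httpRequest: {
      httpMethod: 'POST',
      url,
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify(opts.payload),
      oidcToken: {
        serviceAccountEmail: opts.serviceAccountEmail,
        // The token's aud claim must equal the URL it is presented to. Cloud Tasks
        // defaults audience to url; setting it explicitly makes that visible and
        // guards against a mismatch if url is ever rewritten.
        audience: url,
      },
    },
    scheduleTime: { seconds: now + opts.delaySeconds },
  };
}

interface InvokerCheck {
  ok: boolean;
  problems: string[];
}

// Takes the policy as returned by getIamPolicy on the function resource and
// reports whether the invoking service account holds roles/cloudfunctions.invoker
// and whether a public principal still does.
function checkInvokerPolicy(policy: IamPolicy, serviceAccountEmail: string): InvokerCheck {
  const problems: string[] = [];
  const members: string[] = [];
  for (const b of policy.bindings) {
    if (b.role === 'roles/cloudfunctions.invoker') {
      for (const m of b.members) members.push(m);
    }
  }
  const wanted = `serviceAccount:${serviceAccountEmail}`;
  if (members.indexOf(wanted) === -1) {
    problems.push(`${wanted} lacks roles/cloudfunctions.invoker; Cloud Tasks calls will be rejected`);
  }
  for (const m of members) {
    if (m === 'allUsers' || m === 'allAuthenticatedUsers') {
      problems.push(`${m} still holds roles/cloudfunctions.invoker; the function is not restricted`);
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample policies (not real project data).
const RESTRICTED_POLICY: IamPolicy = {
  bindings: [
    {
      role: 'roles/cloudfunctions.invoker',
      members: ['serviceAccount:tasks-invoker@example-project.iam.gserviceaccount.com'],
    },
  ],
};

const PUBLIC_POLICY: IamPolicy = {
  bindings: [{ role: 'roles/cloudfunctions.invoker', members: ['allUsers'] }],
};
```

Run checkInvokerPolicy against the policy of the function named in the task before calling createTask; when it reports the service account missing, the 401 from the question is expected regardless of how the oidcToken field is spelled, and when it reports allUsers, the function is still reachable without any token.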