3

I am creating a CICD pipeline, via GitHub and Google Cloud Build, using the following .yaml file:

# Cloud Function specifications
steps:
- name: 'gcr.io/cloud-builders/gcloud'
  args:
  - functions
  - deploy
  - hello_world
  - --source=./src
  - --trigger-http
  - --memory=1024MB
  - --max-instances=5
  - --runtime=python39
  - --region=europe-west6
  - --entry-point=predict
  - --allow-unauthenticated

Everything works fine and the function deploys correctly; however, whenever I try to call it, the following error is thrown:

<head>
    <meta http-equiv="content-type" content="text/html;charset=utf-8">
    <title>401 Unauthorized</title>
</head>

It seems like the --allow-unauthenticated parameter isn't working properly. How can I expose the API and give public access?

Predict function allows unauthenticated, hello_world doesn't

Note:

If I run gcloud functions describe --project=XXXXXX --region=europe-west6 hello_world

I get:

availableMemoryMb: 1024
buildId: 1234
entryPoint: predict
environmentVariables:
  ABC: '"discount"'
httpsTrigger:
  securityLevel: SECURE_OPTIONAL
  url: https://europe-west6-XXX.cloudfunctions.net/hello_world
ingressSettings: ALLOW_ALL
labels:
  deployment-tool: cli-gcloud
maxInstances: 5
name: projects/XXX/locations/europe-west6/functions/hello_world
runtime: python39
serviceAccountEmail: XXX@appspot.gserviceaccount.com
sourceUploadUrl: https://storage.googleapis.com/gcf-upload-europe-west6XXX
status: ACTIVE
timeout: 60s
updateTime: '2021-06-10T17:09:55.950Z'
versionId: '2'
Alessandro Ceccarelli
  • what happens when you run: "gcloud functions describe --project=XXXXXX --region=europe-west6 hello_world"? where XXXXXX is the target project id – al-dann Jun 10 '21 at 17:33
  • Please, check the edit @al-dann – Alessandro Ceccarelli Jun 10 '21 at 19:36
  • I can only speculate based on documentation: https://cloud.google.com/functions/docs/securing/managing-access-iam#allowing_unauthenticated_http_function_invocation => "Subsequent deployments of the same function do not change its status..." however it is not obvious if it is applicable to your case. Personally I would try https://cloud.google.com/functions/docs/securing/managing-access-iam#after_deployment to see if that can help – al-dann Jun 10 '21 at 20:44
  • Use of the --allow-unauthenticated flag modifies IAM permissions. To ensure that unauthorized developers cannot modify function permissions, the user or service that is deploying the function must have the cloudfunctions.functions.setIamPolicy permission. This permission is included in both the Owner and Cloud Functions Admin roles. Thus, as soon as Function Admin role is granted to the Cloud Build Service Account, everything works; if you answer I'll happily accept that. Thanks – Alessandro Ceccarelli Jun 11 '21 at 08:47

2 Answers

6

Use of the --allow-unauthenticated flag modifies IAM permissions.

To ensure that unauthorized developers cannot modify function permissions, the user or service that is deploying the function must have the cloudfunctions.functions.setIamPolicy permission (as noted here).

This aforementioned permission is included in both Owner and Cloud Functions Admin roles. Thus, as soon as the Function Admin role is granted to the Cloud Build Service Account, everything works fine.

Alessandro Ceccarelli
  • Are you saying that the command to allow unauthenticated access (allow-unauthenticated) failed because you did not have the correct IAM roles to change that setting? This is an interesting point for deployments. – John Hanley Jun 22 '21 at 17:20
0

Please modify the Cloud Build service account permissions and add the Function Admin role; it should work.
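A post-deploy check for the failure both answers describe, added here as an example and not part of either answer: it reads the function's IAM policy and the project's IAM policy (as JSON from `gcloud functions get-iam-policy` and `gcloud projects get-iam-policy`) and reports whether `allUsers` can invoke the function and, if not, whether the deploying account holds one of the two roles the answer names. The sample policies, the service account address and the function names `members_with`, `is_public` and `diagnose` are constructed for illustration; the check assumes unconditional project-level bindings and does not resolve custom or inherited roles.

```python
import json

INVOKER_ROLE = "roles/cloudfunctions.invoker"
# Roles the answer names as carrying cloudfunctions.functions.setIamPolicy.
SET_IAM_ROLES = {"roles/owner", "roles/cloudfunctions.admin"}

# Constructed samples in the shape of `gcloud ... get-iam-policy --format=json`.
# Function policy when the allUsers binding was never written:
FUNCTION_POLICY_NO_BINDING = json.loads('{"etag": "ACAB", "version": 1}')
# Function policy that --allow-unauthenticated is meant to produce:
FUNCTION_POLICY_PUBLIC = json.loads("""
{"bindings": [{"role": "roles/cloudfunctions.invoker", "members": ["allUsers"]}],
 "etag": "BwXconstructed", "version": 1}
""")
# Project policy; the service account address is a placeholder.
CLOUD_BUILD_SA = "serviceAccount:123456789012@cloudbuild.gserviceaccount.com"
PROJECT_POLICY = {"bindings": [
    {"role": "roles/cloudbuild.builds.builder", "members": [CLOUD_BUILD_SA]},
    {"role": "roles/cloudfunctions.developer", "members": [CLOUD_BUILD_SA]},
]}


def members_with(policy, roles):
    """Return every member bound to any of `roles` in an IAM policy dict."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") in roles:
            found.update(binding.get("members", []))
    return found


def is_public(function_policy):
    """True when allUsers holds the invoker role on the function."""
    return "allUsers" in members_with(function_policy, {INVOKER_ROLE})


def diagnose(function_policy, project_policy, deployer):
    """Classify a deployed function: public, or why it is not."""
    if is_public(function_policy):
        return "public"
    if deployer not in members_with(project_policy, SET_IAM_ROLES):
        return "deployer-cannot-set-iam-policy"
    return "private-by-policy"


if __name__ == "__main__":
    print(diagnose(FUNCTION_POLICY_NO_BINDING, PROJECT_POLICY, CLOUD_BUILD_SA))
    print(diagnose(FUNCTION_POLICY_PUBLIC, PROJECT_POLICY, CLOUD_BUILD_SA))
```

Run as a final pipeline step, a result other than the intended one can fail the build, so a function is never left private when it was meant to be public, or public when it was meant to be private.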