
I am trying to deploy a data ingestion pipeline in Google Cloud Functions.

When I trigger the URL, I get the following error:

Error: Forbidden Your client does not have permission to get URL /entry-point from this server.

I don't understand why I am getting this error because my function's service account has the cloudfunctions.invoker role and I am the owner of the project. I even granted the cloudfunctions.invoker to my user account but it is still not working.

I have managed to make it work by giving the cloudfunctions.invoker to allUsers, but I would prefer not to do it for safety reasons.

Does someone have an idea of why it doesn't work?

Le Noff
  • Your question lacks detail. What are you doing when you "trigger the URL"? I assume that URL is a Cloud Functions function. If the Cloud Functions function is not `allUsers` then the identity of the caller must be authenticated; i.e. you can only `curl` the endpoint with an `Authorization: Bearer $(gcloud auth print-identity-token)` header. – DazWilkin Sep 13 '22 at 16:58
  • @DazWilkin Thank you for your answer. By triggering the URL, I mean that I click on the "trigger URL" in the "TRIGGER" section of the function's page. How can I add the `Authorization: Bearer $(gcloud auth print-identity-token)` in my `.gitlab-ci.yml` file? – Le Noff Sep 13 '22 at 18:58
  • For a Project Owner, for 1st and 2nd gen Cloud Functions, the Console Trigger should just work because the Console leverages the logged in identity. To call from the command-line, you can `gcloud functions call` **or** you can construct a `curl` command using the function's endpoint and adding `--header "Authorization: Bearer $(gcloud auth print-identity-token)"`. Calling from GitLab is a different question and should be submitted as a new question. – DazWilkin Sep 13 '22 at 19:20
  • So there is indeed a problem with the console trigger. Thank you for your help, I will try your suggestion. – Le Noff Sep 14 '22 at 07:13
  • Don't forget to add details on the configuration, test and permissions, if it still does not work – guillaume blaquiere Sep 14 '22 at 09:53
  • Can you confirm if you were able to fix the issue? – Andres Fiesco Casasola Sep 14 '22 at 21:55
  • @AndresFiescoCasasola thank you for your comment, I just posted the update as an answer. – Le Noff Sep 15 '22 at 11:54

1 Answer

Following the suggestion from @DazWilkin in the comment, I tried the following command in my terminal and it worked.

```
curl https://zone-project-name.cloudfunctions.net/entry-point -H "Authorization: bearer $(gcloud auth print-identity-token)"
```

I still can't make it work using the console trigger, but it is fine because my goal is to trigger the function with a request made by Cloud Scheduler.

Le Noff
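An added example, not part of the original question or answer: a Python check over a function's IAM policy that flags the public `allUsers` invoker grant the asker wanted to avoid and reports whether a specific caller is bound directly. The policy JSON, the project name and the Cloud Scheduler service account are constructed for illustration, and only direct, unconditional bindings are considered (group membership is not resolved).

```python
import json

# Roles that allow HTTP invocation: 1st gen functions use the first,
# 2nd gen functions use the second on the underlying Cloud Run service.
INVOKER_ROLES = {"roles/cloudfunctions.invoker", "roles/run.invoker"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample in the shape printed by
# `gcloud functions get-iam-policy NAME --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/cloudfunctions.invoker",
     "members": ["allUsers", "user:dev@example.com"]},
    {"role": "roles/cloudfunctions.viewer",
     "members": ["serviceAccount:scheduler-sa@my-project.iam.gserviceaccount.com"]}
  ],
  "version": 1
}
""")


def audit_invokers(policy, expected_caller):
    """Return public invoker bindings and whether expected_caller may invoke."""
    public, caller_ok = [], False
    for binding in policy.get("bindings", []):
        if binding.get("role") not in INVOKER_ROLES:
            continue
        members = set(binding.get("members", []))
        for member in sorted(members & PUBLIC_MEMBERS):
            public.append((binding["role"], member))
        # A conditional binding may not apply to every request, so only an
        # unconditional grant counts as a definite yes.
        if expected_caller in members and "condition" not in binding:
            caller_ok = True
    return {"public": public, "caller_can_invoke": caller_ok}


if __name__ == "__main__":
    # Hypothetical service account that Cloud Scheduler would call as.
    sa = "serviceAccount:scheduler-sa@my-project.iam.gserviceaccount.com"
    report = audit_invokers(SAMPLE_POLICY, sa)
    for role, member in report["public"]:
        print(f"PUBLIC: {member} holds {role}; callers need no specific grant")
    if not report["caller_can_invoke"]:
        print(f"MISSING: {sa} has no invoker binding; expect 403 Forbidden")
```
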