
I have Strapi CMS deployed in Cloud Run and have exposed it via Google Cloud Load Balancer. The CMS exposes an unauthenticated URL to expose static content. If I hit the Cloud Run URL directly without authentication, it works fine and serves me the content.

Then I configured Google Cloud Load Balancer with a backend configuration (via Service Endpoint Group) pointing to the Cloud Run instance. The configuration is successful. However, if I try to hit the Cloud Run URL via Cloud Load Balancer, it throws a 403 Forbidden error.

If the same Cloud Load Balancer URL is accessed with an Authorization header, it works fine. I need unauthenticated requests to be made.

Any help will be much appreciated.

  • There is missing detail in the configuration. In addition, do you have several Cloud Run services with the same name, but deployed in different regions? – guillaume blaquiere Nov 21 '22 at 08:42
  • I believe it would be best if you ask this question on the Strapi forum page https://forum.strapi.io/ or Discord: https://discord.strapi.io/ – TreciaKS Nov 21 '22 at 11:52

1 Answer


403 Forbidden error means the request was not authenticated or does not have permission to get the URL.

To resolve this issue, the following steps might help:

If the service is meant to be invocable by anyone, update its IAM settings to make the service public.

If the service is meant to be invocable only by certain identities, make sure that you invoke it with the proper authorization token.

If invoked by an end user: Ensure the user has the Cloud Run Admin (roles/run.admin) and Cloud Run Invoker (roles/run.invoker) roles.

If invoked by a service account: Ensure the service account has the Cloud Run Invoker (roles/run.invoker) role.

Calls missing an auth token, or with an auth token that is of valid format but where the IAM member used to generate the token is missing the run.routes.invoke permission, will result in this 403 error.

If the project is within a VPC-SC perimeter, verify that VPC-SC policies are not denying run.googleapis.com/HttpIngress traffic that originates from the caller's IP or identity.

For detailed steps, follow the official doc: HTTP 403: Client is not authorized to invoke/call the service.

Veera Nagireddy
  • My Cloud Run URLs are publicly accessible and I can access the Cloud Run URL directly from the browser and Postman. Only if I access the Cloud Run URL via the Google Cloud Load Balancer, it gives me a 403 error. – Meiyappan Kannappa Nov 26 '22 at 04:00
  • Please refer to this link regarding the 403 error: [Securing Load balanced Authenticated Cloud Run Services using IAP](https://yesdeepakverma.medium.com/securing-load-balanced-authenticated-cloud-run-services-using-iap-4f193ee0263) – Veera Nagireddy Nov 27 '22 at 04:06
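
The check behind the answer's first step (does `allUsers` hold `roles/run.invoker`?), run per region because the first comment asks about same-named services in several regions. This is an added example, not code from any of the posts; the service name `cms`, the regions, the service account and the policy JSON are constructed samples in the shape printed by `gcloud run services get-iam-policy --format=json`.

```python
import json

INVOKER = "roles/run.invoker"

# Constructed sample policies for a hypothetical service "cms" deployed under
# the same name in three regions (assumed names, not taken from the question).
SAMPLE = {
    "europe-west1": '{"bindings": [{"role": "roles/run.invoker", "members": ["allUsers"]}], "etag": "constructed", "version": 1}',
    "us-central1": '{"bindings": [{"role": "roles/run.invoker", "members": ["allAuthenticatedUsers", "serviceAccount:caller@example-project.iam.gserviceaccount.com"]}], "etag": "constructed", "version": 1}',
    "asia-south1": '{"etag": "constructed", "version": 1}',
}


def invoker_members(policy):
    """Return (unconditional, conditional) member sets for roles/run.invoker."""
    unconditional, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if binding.get("role") != INVOKER:
            continue
        bucket = conditional if binding.get("condition") else unconditional
        bucket.update(binding.get("members", []))
    return unconditional, conditional


def classify(policy):
    """Say who can invoke the service without being named individually."""
    unconditional, conditional = invoker_members(policy)
    if "allUsers" in unconditional:
        return "public"                 # requests without a token are accepted
    if "allUsers" in conditional:
        return "public-conditional"     # only when the IAM condition matches
    if "allAuthenticatedUsers" in unconditional | conditional:
        return "any-google-identity"    # still needs a token: anonymous gets 403
    return "restricted"                 # only named members with a token


def audit(policies_by_region):
    """Classify the policy JSON of each regional deployment."""
    return {r: classify(json.loads(raw)) for r, raw in policies_by_region.items()}


def regions_rejecting_anonymous(policies_by_region):
    """Regions where a request without an Authorization header is refused."""
    return sorted(r for r, s in audit(policies_by_region).items() if s != "public")


if __name__ == "__main__":
    for region, status in sorted(audit(SAMPLE).items()):
        print(f"{region}: {status}")
```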