Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Allow unauthenticated parameter does not work

Tags:

yaml

google-cloud-platform

google-cloud-functions

cicd

I am creating a CICD pipeline, via GitHub and Google Cloud Build, using the following .yaml file:

# Cloud Function specifications
steps:
- name: 'gcr.io/cloud-builders/gcloud'
  args:
  - functions
  - deploy
  - hello_world
  - --source=./src
  - --trigger-http
  - --memory=1024MB
  - --max-instances=5
  - --runtime=python39
  - --region=europe-west6
  - --entry-point=predict
  - --allow-unauthenticated

Everything works fine and the function deploys correctly; however, whenever I try to call it, the following error is thrown:

<head>
    <meta http-equiv="content-type" content="text/html;charset=utf-8">
    <title>401 Unauthorized</title>
</head>

It seems like the --allow-unauthenticated parameter isn't working properly. How can I expose the API and give public access?

Predict function allows unauthenticated, hello_world doesn't

Note:

if I run gcloud functions describe --project=XXXXXX --region=europe-west6 hello_world

I get:

availableMemoryMb: 1024
buildId: 1234
entryPoint: predict
environmentVariables:
  ABC: '"discount"'
httpsTrigger:
  securityLevel: SECURE_OPTIONAL
  url: https://europe-west6-XXX.cloudfunctions.net/hello_world
ingressSettings: ALLOW_ALL
labels:
  deployment-tool: cli-gcloud
maxInstances: 5
name: projects/XXX/locations/europe-west6/functions/hello_world
runtime: python39
serviceAccountEmail: [email protected]
sourceUploadUrl: https://storage.googleapis.com/gcf-upload-europe-west6XXX
status: ACTIVE
timeout: 60s
updateTime: '2021-06-10T17:09:55.950Z'
versionId: '2'
like image 360
Alessandro Ceccarelli Avatar asked Sep 13 '25 14:09

Alessandro Ceccarelli

2 Answers

Use of the --allow-unauthenticated flag modifies IAM permissions.

To ensure that unauthorized developers cannot modify function permissions, the user or service that is deploying the function must have the cloudfunctions.functions.setIamPolicy permission (as noted here).

This aforementioned permission is included in both Owner and Cloud Functions Admin roles. Thus, as soon as the Function Admin role is granted to the Cloud Build Service Account, everything works fine.

enter image description here

like image 137
Alessandro Ceccarelli Avatar answered Sep 16 '25 13:09

Alessandro Ceccarelli

Please modify cloud build service account permissions and add function admin role, it should work.

like image 20
Anil Kumar Avatar answered Sep 16 '25 12:09

Anil Kumar

Sign in to Comment

Related questions

Service account created from a sink cannot be found

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!