cant make firebase cloud function public

Question

i recently created a simple cloud function in firebase to get http responses from an endpoint. But every time i make a request, i'm getting a 401 with the message "The request was not authorized to invoke this service"

I was following this steps to make my function public:

1. Go to Cloud run,
2. Check the box next to your function,
3. Click the button "PERMISSION",
4. In the side bar, click on "ADD PRINCIPAL"
5. Write "allUsers" and give them "cloud run invoker" permission.

But in the last step, i got this message

IAM policy update failed Invalid state 'projects/*********/locations/us-central1/functions/#####': The operation failed with precondition error. This is usually because the system is not in a state required for the operation's execution

Then i tried this:

1. Go to the Google Cloud console
2. Click the linked name of the function to which you want to grant access.
3. Click the Powered By Cloud Run link in the top right corner of the Function details overview page.
4. Click Trigger and select Allow unauthenticated invocations.
5. Click Save.

and i got a similar message related to IAM/Policies

The 'Domain Restricted Sharing' organization policy (constraints/iam.allowedPolicyMemberDomains) is enforced. Only principals in allowed domains can be added as principals in the policy. Correct the principal emails and try again

I'm using the admin account to do all this, but for some reason I don't have any access to the IAM nor do I have any access to modify the organization's policies.

Answer 1

It seems that the permissions of a V2 function cannot be updated with the common add-iam-policy-binding command. Instead of using „Cloud Run functions“ (which sounded plausible to me, too), you have to go the „Cloud Run“ section.

https://console.cloud.google.com/run/

There,

• click on the checkbox besides the name of your function
• then on the tab Permissions --> A new „window" should appear on the right side of the screen.

.

• click on the button ADD PRINCIPAL in this new window --> A new „window“ appears

• type allUsers in the field New Principals

• type Cloud Run Invoker in the field Role

• click on the button SAVE

That should do it. Your function is now public. With all associated risks.

Alternatively you can go to the console, select your project and do

gcloud functions add-invoker-policy-binding <YOUR FUNCTION NAME> \
  --region="<YOUR REGION>" \
  --member=„allUsers"

I am not sure, maybe you have to add domain restricted sharing first, as user geobasket suggested.