stackoom
  简体   繁体   中英

GCP API Gateway to Cloud Functions default service account authentication: "Your client does not have permission to the requested URL""

 原文  2021-03-14 16:53:43       google-cloud-functions/ google-cloud-iam/ google-cloud-api-gateway

Question

I'm trying to use API Gateway in front of Cloud Functions, but getting a 401 response when the Cloud Functions are not publicly accessible.

I set the Gateway to use the default AppEngine service account identity ( project-id @appspot.gserviceaccount.com), and gave the service account the Cloud Functions Invoker role in IAM. I can also see it among the invokers under the Cloud Functions Permissions tab. When the Gateway endpoint is invoked, I get a 401 response with a poorly formatted HTML payload that says "Your client does not have permission to the requested URL [url]". Unfortunately the Gateway logs are also not indicating what is the problem. When I make the Cloud Function public and wait a few minutes, the call succeeds.

I have read the "Securing backend services" section of the Guide a few times and can't see what I'm missing.

ps: This is not a JWT issue, that part works brilliantly

2 answers

solution1
 1  2021-03-19 15:18:15

Found the root of the problem: it's the aud claim in the internal JWT. I wanted to leverage the flexible addressability of Cloud Functions, eg that a function called a handles every request that starts with a/... . In my example, the function is called hello and I want to invoke it as /hello/example from the Gateway.

The internal JWT sets the Audience claim to the address given in the OpenAPI specs ( https://...cloudfunctions.net/hello/example ), which does not exactly match the base URL of the Cloud Function (which is only https://...cloudfunctions.net/hello ). Therefore, the Cloud Functions authorizer rejects the JWT, even though the Audience is a valid URL that is actually served by this function.

The obvious solution is to not use the variable postfix when calling Cloud Functions from the API Gateway.

solution2
 0  2023-01-05 07:31:21

BTW, you can use jwt_audience.

Set the jwt_audience to https://...cloudfunctions.net/hello

See https://cloud.google.com/endpoints/docs/openapi/openapi-extensions#jwt_audience_disable_auth

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Firebase cloud function "Your client does not have permission to get URL /200 from this server" GCP Cloud Scheduler Permission Errors with Service Account getting error : Your client does not have permission to get URL in firebase functions (firebase functions) Error: Forbidden Your client does not have permission to get URL / ERROR: Forbidden Your client does not have permission to get URL /api/app from this server View logs in GCP Cloud Function Error: The caller does not have permission Obtain a service account credentials within a Cloud Functions to call a google service outside GCP Recover Cloud functions default service account with the undelete POST call GCP Server to Server Authentication with Service Account Google Cloud Functions authentication to other GCP APIs
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM