Google cloud function authorization

Time:11-13

I have a Google Cloud Function that I can invoke using the gcloud CLI with a service account that has the necessary IAM permissions:

gcloud auth activate-service-account 'service-account-email' --key-file=google_key.json

gcloud functions call opt_manual --data '{some-json}'

This works just fine.

I'm trying to implement a similar call using the official Ruby SDK: https://github.com/googleapis/google-cloud-ruby/tree/main/google-cloud-functions-v1

require "google/cloud/functions/v1"

name = "opt_manual"
data = '{some-json}'

# Authenticate with the same service account key file used for gcloud
client = ::Google::Cloud::Functions::V1::CloudFunctionsService::Client.new do |config|
  config.credentials = "google_key.json"
end

client.get_function ::Google::Cloud::Functions::V1::GetFunctionRequest.new(name: name)

# =>
# Permission denied on resource project opt_manual.. debug_error_string:{
#   "created":"@1636730694.210272000",
#   "description":"Error received from peer ipv4:142.251.36.202:443",
#   "file":"src/core/lib/surface/call.cc",
#   "file_line":1070,
#   "grpc_message":"Permission denied on resource project opt_manual.",
#   "grpc_status":7
# } (Google::Cloud::PermissionDeniedError)

The service account includes the following permissions:

  • Cloud Functions Admin
  • Cloud Functions Invoker
  • Service Account User
  • Workload Identity User

The Cloud Function principals include the correct service account.

Despite all of that, I'm still getting PermissionDeniedError. Maybe someone had a similar case and remembers how it could be fixed? Keep in mind that in the same project I access BigQuery and Cloud Storage using the official SDK with the same service account without any problem.

CodePudding user response:

Can you replace the following with values and try it instead of opt_manual:

projects/{project}/locations/{location}/functions/opt_manual

Your Service Account likely has too many permissions. You should need only Cloud Functions Invoker (roles/cloudfunctions.invoker).

Explanation: the underlying method call is projects.locations.functions.get. Unfortunately, the Ruby API documentation for GetFunctionsRequest doesn't explain this. APIs Explorer is the definitive tool for understanding Google's REST APIs.
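
Added example (not part of the original answer and not code from the google-cloud-ruby project): one way to build and check the fully qualified name before the request is sent, so a short ID such as opt_manual fails locally with a clear error instead of surfacing as a permission error that invites granting more roles. The helper names, `my-project` and `us-central1` are hypothetical placeholders; `client` is assumed to be the CloudFunctionsService client from the question.

```ruby
# Pattern for projects/{project}/locations/{location}/functions/{function}
FUNCTION_NAME_RE = %r{\Aprojects/([^/]+)/locations/([^/]+)/functions/([^/]+)\z}

# Returns the fully qualified resource name.
# Accepts either a short function ID or an already qualified name.
def function_resource_name(function, project:, location:)
  return function if function.to_s.match?(FUNCTION_NAME_RE)

  parts = { project: project, location: location, function: function }
  parts.each do |key, value|
    # Reject empty components and partial paths instead of sending them on.
    if value.to_s.empty? || value.to_s.include?("/")
      raise ArgumentError, "invalid #{key}: #{value.inspect}"
    end
  end
  "projects/#{project}/locations/#{location}/functions/#{function}"
end

# Splits a qualified name into its parts; returns nil for a short ID
# such as "opt_manual" (the value used in the failing request above).
def parse_function_name(name)
  m = FUNCTION_NAME_RE.match(name.to_s)
  m && { project: m[1], location: m[2], function: m[3] }
end

# Invokes the function through the SDK. `client` is assumed to be a
# Google::Cloud::Functions::V1::CloudFunctionsService::Client (not loaded here).
def call_function(client, function, data, project:, location:)
  name = function_resource_name(function, project: project, location: location)
  client.call_function(name: name, data: data)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not taken from the question.
  puts function_resource_name("opt_manual",
                              project: "my-project", location: "us-central1")
end
```
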
