Requests from Cloud Function to App Engine returns error 401-CodePudding

I am trying to send requests to several App Engine endpoints deployed on the default GAE service from a Cloud Function. My code is quite simple:

Cloud Function

main.py

import logging
import requests

def main(event, context):
    bucketname = event['bucket']
    filename = event['name']
    endpoint = # Some logic extracting the endpoint to be used
    url = 'https://myproject.ew.r.appspot.com/{}'.format(endpoint)
    data = {
        'bucketname': bucketname,
        'filename': filename
    }
    r = requests.post(url, json=data)
    logging.info(r)
    return str(r)

The Cloud Function is deployed with:

gcloud functions deploy storage_to_gae --runtime python37 --trigger-resource $BUCKETNAME --trigger-event google.storage.object.finalize --region $REGION --source gcf/ --entry-point main --service-account [email protected]

The service account used by the Fuction has the Service Account User (roles/iam.serviceAccountUser) role granted.

App Engine

app.yml

runtime: python37
service: default

However, requests do not reach the App Engine since no logs appears on the GAE service. Requests are returning a <Response [401]> error code, so it seems like CF can not reach the App Engine service.

What additional roles do I need to provide my [email protected] service account? I am deploying on a client environment so I have limited permissions and I have to ask for the exact roles needed.

CodePudding user response：

After asking the GCP team of my client, they used IAP to manage the access.

I followed the instructions on this documentation and I was able to send a request to the GAE endpoint.

This is my final code:

import requests
from google.oauth2 import id_token
from google.auth.transport.requests import Request

def make_iap_request(url, client_id, method='POST', **kwargs):
    """Makes a request to an application protected by Identity-Aware Proxy.

    Args:
        url: The Identity-Aware Proxy-protected URL to fetch.
        client_id: The client ID used by Identity-Aware Proxy.
        method: The request method to use
                    ('GET', 'OPTIONS', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE')
        **kwargs: Any of the parameters defined for the request function:
                        https://github.com/requests/requests/blob/master/requests/api.py
                        If no timeout is provided, it is set to 90 by default.

    Returns:
      The page body, or raises an exception if the page couldn't be retrieved.
    """
    # Set the default timeout, if missing
    if 'timeout' not in kwargs:
        kwargs['timeout'] = 90

    # Obtain an OpenID Connect (OIDC) token from metadata server or using service
    # account.
    open_id_connect_token = id_token.fetch_id_token(Request(), client_id)

    # Fetch the Identity-Aware Proxy-protected URL, including an
    # Authorization header containing "Bearer " followed by a
    # Google-issued OpenID Connect token for the service account.
    resp = requests.request(
        method, url,
        headers={'Authorization': 'Bearer {}'.format(
            open_id_connect_token)}, **kwargs)
            
    return resp.text

def main(event, context):
    bucketname = event['bucket']
    filename = event['name']

    endpoint = # Some logic extracting the endpoint to be used
    url = 'https://myproject.ew.r.appspot.com/{}'.format(endpoint)
    data = {
        'bucketname': bucketname,
        'filename': filename
    }
    client_id = 'myclientid'

    r = make_iap_request(url, client_id, 'POST', json=data)
    logging('info', r)
    return str(r)