I made a service account in GCP designed to run a cloud function. This is the service account, complete with json keys that I downloaded.
Then I made this cloud function. It is the default python 3.9 function that simply prints out the message you send it or if there is no message, it just prints "Hello World!"
I set it up with an HTTP trigger requiring authentication with the service account I just created second_try as the runtime service account for the cloud function. See the permissions for the cloud function below:
When I ran Test function, it worked even though I never referenced my service account credntials.
I tested the curl command in postman:
curl -m 70 -X POST https://us-central1-<MY PROJECT NAME>.cloudfunctions.net/func_two_hg \
-H "Authorization:bearer $(gcloud auth print-identity-token)" \
-H "Content-Type:application/json" \
-d '{}'
And it worked even though I'm not referencing my service account credentials which is confusing...
Even more confusing, when I try to reference the service account credentials and therefore run the function through the service account, it gives a 401 error, citing Your client does not have permission to the requested URL. This is the curl command that incorporated the service account credentials:
curl -m 70 -X POST https://us-central1-<MY PROJECT NAME>.cloudfunctions.net/func_two_hg \
-H "Authorization:bearer $(GOOGLE_APPLICATION_CREDENTIALS=/path/to/credentials.json gcloud auth application-default print-access-token)" \
-H "Content-Type:application/json" \
-d '{}'
And this is the error:
What is the problem, and why won't it run with the service account credentials? And how do I make this function only run-able through the service account?
CodePudding user response:
If you've configured everything correctly, you should:
- gcloud auth activate-service-account to enable the Service Account.
- Then you can
gcloud auth print-identity-token --account=${ACCOUNT}whereACCOUNTis the Service Account email to get an identity token that should authenticate you to the Cloud Function.