I'm calling a private http Cloud Function using the google-auth-library in Node.js. This works locally both when authenticated as myself and when impersonating the Cloud Run service account. However, when I deploy this to Cloud Run I get 401 responses on all of these calls.
I cannot figure out why this is. The Cloud Run instance uses the same service account that I had impersonated locally so permissions should not be an issue. Any ideas on what the problem is?
For some extra information, the Cloud Run instance is using a Serverless VPC Access connector for all outbound traffic. I've read that this could be a potential cause, but none of the solutions I've tried surrounding this have helped.
Below is the basic structure of my code.
import { GoogleAuth } from 'google-auth-library';
async function callCloudFunction() {
const functionUrl = '';
const auth = new GoogleAuth();
const client = await auth.getIdTokenClient(functionUrl);
const token = await client.getRequestHeaders();
const res = await fetch(functionUrl, {
method: 'GET',
headers: token
});
const data = await res.json();
return data
}
I'm calling a private http Cloud Function using the google-auth-library in Node.js. This works locally both when authenticated as myself and when impersonating the Cloud Run service account. However, when I deploy this to Cloud Run I get 401 responses on all of these calls.
I cannot figure out why this is. The Cloud Run instance uses the same service account that I had impersonated locally so permissions should not be an issue. Any ideas on what the problem is?
For some extra information, the Cloud Run instance is using a Serverless VPC Access connector for all outbound traffic. I've read that this could be a potential cause, but none of the solutions I've tried surrounding this have helped.
Below is the basic structure of my code.
import { GoogleAuth } from 'google-auth-library';
async function callCloudFunction() {
const functionUrl = 'https://REGION-PROJECT_ID.cloudfunctions/FUNCTION_NAME';
const auth = new GoogleAuth();
const client = await auth.getIdTokenClient(functionUrl);
const token = await client.getRequestHeaders();
const res = await fetch(functionUrl, {
method: 'GET',
headers: token
});
const data = await res.json();
return data
}
- I think the token is generated on the fly (when you use the fetch), and not like this. The smart part is in the client, not in the header – guillaume blaquiere Commented 2 days ago
- What do you mean exactly? – Matt Kocak Commented 2 days ago
3 Answers
Reset to default 0Use the client to perform the request. It's the purpose of the client to generate the token, and add it correctly into the header at the request sending time, not in advance in the header as you take it.
import { GoogleAuth } from 'google-auth-library';
async function callCloudFunction() {
const functionUrl = 'https://REGION-PROJECT_ID.cloudfunctions/FUNCTION_NAME';
const auth = new GoogleAuth();
const client = await auth.getIdTokenClient(functionUrl);
const res = await client.request({functionUrl});
console.log(res.data);
}
Usually, the HTTP 401 is a response related to an issue in the authentication process in the code due to invalid, missing or expired tokens.
Codes shared by @guillaume has similar logic from the official doc / GitHub and should work (but I guess not in this case).
Below steps / alternatives might be worth double checking:
Ensure that the service account has the cloud run invoker role
Apply troubleshooting:
Make sure that your requests include an Authorization: Bearer ID_TOKEN header, and that the token is an ID token, not an access or refresh token.
Redeploy your function to allow unauthenticated invocations if this is supported by your anization. This is useful for testing.
Explore generating tokens manually
Could you share the link referencing that Serverless VPC Access connector is a potential cause?
As a last resort, you can reach out to the paid support for detailed troubleshooting of the issue with Cloud Run functions specialist.
I wanted to post what solved my issue. The root cause was because my Cloud Function call had an extended route and parameters associated with it, which was causing issues when getting the client with getIdTokenClient.
I was originally calling getIdTokenClient('https://REGION-PROJECT_ID.cloudfunctions/FUNCTION_NAME/ROUTE?PARAMETER=ARGUMENT') with the extended route and parameters included. Instead, I should not have been including the extended route and parameters, only the actual function URL. So it would look something like this instead getIdTokenClient('https://REGION-PROJECT_ID.cloudfunctions/FUNCTION_NAME').
I'm not sure why it was working locally for me, maybe some other authentication settings were conflicting with the code.
I've provided some updated code below that is working when deployed to Cloud Run. A similar update would work for the code that @guillaumeblaquiere provided.
import { GoogleAuth } from 'google-auth-library';
async function callCloudFunction() {
const functionUrl = 'https://REGION-PROJECT_ID.cloudfunctions/FUNCTION_NAME';
const functionRoute = '/ROUTE?PARAMETER=ARGUMENT';
const auth = new GoogleAuth();
const client = await auth.getIdTokenClient(functionUrl);
const token = await client.getRequestHeaders();
const res = await fetch(functionUrl + functionRoute, {
method: 'GET',
headers: token
});
const data = await res.json();
return data
}
I appreciate the responses from everyone who provided potential solutions.