Question
According to the Google documentation, the 'allAuthenticatedUsers' member would include anybody that is authenticated, including regular Gmail accounts. So I gave that member the 'Cloud Functions Invoker' role, thinking that any authenticated user should be able to invoke my Google Cloud function. That is not working. I get the following results:
Error: Forbidden Your client does not have permission to get URL /function-1 from this server.
I have proven that if I grant the 'Cloud Functions Invoker' role to 'allUsers', then the function can be invoked. So I know the function works (it is the default function that Google Cloud creates).
So why doesn't granting the 'allAuthenticatedUsers' member the 'Cloud Functions Invoker' role work for Google Cloud Functions? What am I missing?
Thank you
Answer 1:
You should not apply allUsers and allAuthenticatedUsers at the project level, according to the Cloud Functions docs (see the note in "Controlling access on all functions in a project"). Can you try to apply this to the single function you want to protect?
Answer 2:
You can apply this role on a single function.
If you want to secure all the resources in your project, I mean, if you don't want to allow allUsers on GCP resources like Functions, Cloud Run, Storage (...), you can activate the Domain Restriction Sharing Policy (DRS). With it, allUsers is forbidden.
Answer 3:
Correct Answer
Credit goes to John Hanley. I needed to use the id_token instead of my access_token in the bearer token authorization header.
I'm not sure how to mark this question as answered. I couldn't accept the comment, nor could I accept my own answer. My objective is to help others who are having the same question by marking this question as answered, but I cannot do it. Weird!
Please Mark the answer as correct if you can.
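The accepted fix above is easy to get wrong again, because an OAuth2 access token and an OIDC ID token both go in the same `Authorization: Bearer` header and the 403 looks identical either way. The example below is added here and is not code from the original post or from Google's tooling: it inspects the token you are about to send and refuses to build the header when it is an opaque access token (the `ya29.` form that `gcloud auth print-access-token` returns) or an ID token whose `aud`, `iss` or `exp` would get it rejected. The function URL, the sample tokens and the `make_unsigned_id_token` helper are constructed for illustration; a real ID token for a service account is obtained with `gcloud auth print-identity-token` or `google.oauth2.id_token.fetch_id_token`, as the last function shows (an assumption about your environment, not something the post states).

```python
"""Check which kind of Google credential is about to go in the Bearer header
of a call to a Cloud Function whose invoker role is granted to
allAuthenticatedUsers (or to a specific principal)."""
import base64
import json
import time

# Constructed sample with the shape of an OAuth2 access token from
# `gcloud auth print-access-token`: opaque, not a JWT.  Only the "ya29."
# prefix is real; the rest is made up.
SAMPLE_ACCESS_TOKEN = "ya29.a0AfB_byC-constructed-opaque-access-token"

GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_id_token(audience, email, now=None):
    """Build a JWT with the claims Google puts in an ID token.  Constructed and
    unsigned (placeholder signature segment): it shows the structure only and
    will never authenticate against a real function."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed"}
    payload = {
        "iss": "https://accounts.google.com",
        "aud": audience,
        "email": email,
        "email_verified": True,
        "iat": now,
        "exp": now + 3600,
    }
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(payload).encode()),
        _b64url(b"constructed-signature"),
    ])


def decode_jwt_payload(token):
    """Decode the payload segment of a JWT without verifying the signature.
    Local inspection only: the receiving service does the real verification."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    seg = parts[1] + "=" * (-len(parts[1]) % 4)
    try:
        return json.loads(base64.urlsafe_b64decode(seg))
    except ValueError:
        return None


def classify_bearer(token, audience, now=None):
    """Return (kind, problem).  kind is 'id_token', 'access_token' or 'unknown';
    problem is None when the token is usable for `audience`, else a short
    reason the call would be refused.  `audience` is normally the function URL;
    a user ID token from `gcloud auth print-identity-token` carries gcloud's own
    OAuth client ID as aud instead, so pass that value if that is what you use."""
    now = int(time.time()) if now is None else now
    claims = decode_jwt_payload(token)
    if claims is None:
        if token.startswith("ya29."):
            return ("access_token", "OAuth2 access token: Cloud Functions "
                    "expects an OIDC ID token in the Bearer header")
        return ("unknown", "not a JWT and not a Google access token")
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return ("id_token", f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("aud") != audience:
        return ("id_token", f"aud {claims.get('aud')!r} does not match {audience!r}")
    if claims.get("exp", 0) <= now:
        return ("id_token", "token expired")
    return ("id_token", None)


def bearer_header(token, audience, now=None):
    """Build the Authorization header, refusing tokens classify_bearer rejects."""
    kind, problem = classify_bearer(token, audience, now)
    if problem:
        raise ValueError(f"{kind}: {problem}")
    return {"Authorization": f"Bearer {token}"}


def fetch_google_id_token(audience):
    """Mint a real ID token for `audience` with the google-auth library
    (network call; needs Application Default Credentials for a service account).
    CLI equivalent: `gcloud auth print-identity-token`."""
    from google.auth.transport.requests import Request  # optional dependency
    from google.oauth2 import id_token
    return id_token.fetch_id_token(Request(), audience)


if __name__ == "__main__":
    url = "https://us-central1-example-project.cloudfunctions.net/function-1"
    good = make_unsigned_id_token(url, "user@gmail.com")
    print(classify_bearer(good, url))
    print(classify_bearer(SAMPLE_ACCESS_TOKEN, url))
```

Run it as-is to see the two classifications; in practice, call `bearer_header(token, url)` right before the HTTP request so a leftover access token fails locally with a clear message instead of a bare 403 from the function.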
Source: https://stackoverflow.com/questions/58245338/why-doesnt-granting-allauthenticatedusers-member-the-cloud-functions-invoker