Hello,
I'm trying to set up a Cloud Function that would serve as a webhook in a notification channel in my Alerting configuration.
The Cloud Function is created with IAM authentication enabled and I granted the "roles/cloudfunctions.invoker" role to the "service-$PROJECT_NUMBER@gcp-sa-monitoring-notification.iam.gserviceaccount.com" service account for that function.
When I want to test the notification webhook associated with the URL of that Cloud Function, or when a new alert triggers, the webhook call fails with a "Webhook failed with 403 Forbidden status code." error message.
Giving the "roles/cloudfunctions.invoker" role to "allUsers" instead works, but this is not safe 🙂
Is it possible to have a public Cloud Function with IAM authentication enabled as a webhook for a monitoring notification channel?
(I initially tried to use Pub/Sub instead of the webhook, but it seems it's not possible to associate the alerts from Cloud Error Reporting with a Pub/Sub notification channel at the moment 😞)
Hello multani,
Checking on your question about "Is it possible to have a public Cloud Function with IAM authentication enabled as a webhook for a monitoring notification channel?"
There seems to be a similar concern raised before and answered by digil:
"
By reading through your request, I believe you are looking for a way to configure the notification channel available for 'Cloud Monitoring alerting policies'.
If the above-mentioned scenario is your situation, kindly keep in mind that when adding a notification channel to an alerting policy, you must select a channel from a list. As you probably are aware, you may need to refer to this document list as it contains the supported notification channel types available for Cloud Monitoring alerting policies and explains how to configure them by using the Google Cloud Console. For the time being, the supported notification channels are Email, Mobile App, PagerDuty, SMS, Slack, Webhooks and Pub/Sub.
Creating a notification channel of your own is still not yet supported for Cloud Monitoring alert notifications. I would strongly recommend you to open a feature request for it by following Google Cloud Platform’s public documentation about ‘feature requests’. While opening the feature requests, try to include all the necessary information such as your use case scenario, business needs, etc.
As you could find in the configuration section of 'webhooks', the only documented methods of authentication currently supported for webhooks are the basic and token authentications. There is already a feature request to support 'webhooks' with other authentications such as OAuth, API token passed via header, JWT signing key, etc. You can find more information about the mentioned feature request in this issue-tracker thread.
Feel free to visit the mentioned thread and add any information (such as your use-case scenario) which will be helpful. Kindly keep in mind that there is no guarantee or an ETA on when this feature will be implemented but rest assured that your feedback is taken very seriously and it is greatly appreciated, as it helps us improve our products.
"
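An added example, not part of either post and not Google's code: since the reply names basic and token authentication as the only documented webhook options, a function that has to stay invokable by "allUsers" can verify one of those credentials itself before acting on the alert. The check below is independent of any web framework; the `auth_token` query parameter name, the sample credentials and all function names are assumptions.

```python
import base64
import hmac

# Constructed sample secrets; a real deployment would load them from a secret store.
EXPECTED_USER = "monitoring"
EXPECTED_PASSWORD = "constructed-sample-password"
EXPECTED_TOKEN = "constructed-sample-token"
TOKEN_PARAM = "auth_token"  # assumed name of the token query parameter


def _equal(a: str, b: str) -> bool:
    """Constant-time comparison, so response timing does not leak the secret."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def check_basic(headers: dict) -> bool:
    """Validate an 'Authorization: Basic <base64(user:password)>' header."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, encoded = value.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    # Evaluate both comparisons before combining, to avoid short-circuit timing.
    user_ok = _equal(user, EXPECTED_USER)
    password_ok = _equal(password, EXPECTED_PASSWORD)
    return user_ok and password_ok


def check_token(query: dict) -> bool:
    """Validate the shared token passed as a URL query parameter."""
    token = query.get(TOKEN_PARAM, "")
    return bool(token) and _equal(token, EXPECTED_TOKEN)


def authorize(headers: dict, query: dict) -> int:
    """Return the HTTP status the webhook handler should answer with."""
    if check_basic(headers) or check_token(query):
        return 200
    return 401
```

A token carried in the URL can end up in request logs, so rotating it periodically limits the exposure.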