This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Service Account on an Eventarc Trigger with Cloud Functions destination requires Cloud Run Invoker

Posted on 01-09-2024 03:30 PM
zaphod72
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Hi,
I have a Cloud Function as the destination for an Eventarc Trigger. The Cloud Function requires authentication.

I created a service account for the trigger but it fails if I give it Cloud Functions Invoker permission on the Cloud Function.

The error logged in the CF:

The request was not authenticated. Either allow unauthenticated invocations or set the proper Authorization header ...

If I remove the Cloud Functions Invoker permission and add Cloud Run Invoker permission on the CF's Cloud Run service then it succeeds.

Expect that the Cloud Functions Invoker permission would be the correct permission to apply.

My Eventarc Trigger details:

 
Name: my-trigger
Region: us-central1
Service account: my-trigger@<project_id>.iam.gserviceaccount.com
Event provider: Cloud Pub/Sub
Event type: google.cloud.pubsub.topic.v1.messagePublished
Event data content type: No value
Topic: projects/<project_id>/topics/my-topic
Infrastructure: Cloud Pub/Sub
Destination platform: Cloud Functions
Destination: my-cloud-function (us-central1)  [And this destination links to the Cloud Function]
Error conditions: None
Encryption: Events encrypted using Google-managed encryption keys
Solved Solved
0 3 2,163
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
robertcarlos
Silver 1
Silver 1
Reply posted on --/--/---- --:-- AM

Hi @zaphod72,

Welcome to Google Cloud Community!

If you're using Cloud Functions 2nd gen, it is built on Cloud Run and Eventarc to provide an enhanced feature set. This enables users to leverage key benefits of Cloud Run including concurrency, traffic splitting, and longer processing times. 

This is the reason why Cloud Run Invoker permission works on your Cloud Functions (2nd gen) Eventarc trigger.

You could also see this feature on the upper right portion on your Cloud console.

BmpbmpC59vJizpE.png

 

 

You could check the following documentations that you may find helpful:

Hope this helps.

View solution in original post

Jump to Solution
3 REPLIES 3

Posted on --/--/---- --:-- AM
robertcarlos
Silver 1
Silver 1
Reply posted on --/--/---- --:-- AM

Hi @zaphod72,

Welcome to Google Cloud Community!

If you're using Cloud Functions 2nd gen, it is built on Cloud Run and Eventarc to provide an enhanced feature set. This enables users to leverage key benefits of Cloud Run including concurrency, traffic splitting, and longer processing times. 

This is the reason why Cloud Run Invoker permission works on your Cloud Functions (2nd gen) Eventarc trigger.

You could also see this feature on the upper right portion on your Cloud console.

BmpbmpC59vJizpE.png

 

 

You could check the following documentations that you may find helpful:

Hope this helps.

Jump to Solution

Posted on --/--/---- --:-- AM
zaphod72
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Thanks for the information @robertcarlos.

Are there any situations where a caller would need `roles/cloudfunctions.invoker` for a 2nd gen Cloud Function?

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
robertcarlos
Silver 1
Silver 1
In response to zaphod72
Reply posted on --/--/---- --:-- AM

Hi @zaphod72,

Cloud Functions Invoker role would only work on Cloud Functions 1st gen as mention in this documentation.

Jump to Solution
Top Labels in this Space