Hi team,
Recently we tried enabling "Required Authentication" for an "Allow all traffic" CR service. As part of the Cloud Build deployment process we have a few calls through a cloud function that targets the newly deployed tagged revision (with 0% traffic) for setting up DB before transferring traffic to it. All the calls are sent to the tagged URL (<tag>---<base_url>) but Google Security denies access to it with the following response:
ERROR:root:HTTP Error 401: Unauthorized
ERROR:root:WWW-Authenticate: Bearer error="invalid_token" error_description="The access token could not be verified"
Date: Thu, 10 Mar 2022 10:34:16 GMT
Content-Type: text/html; charset=UTF-8
Server: Google Frontend
Content-Length: 330
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Connection: close
Requests sent to the default revision URL (without the tag) are successful.
The Cloud Function that is making the request is in Python and uses the code suggested by the Google Docs here.
Is this a Cloud Run limitation? Is there any way we can solve this?
Hi Marius,
Could you elaborate more about the request structure and post a sample REDACTED request with the tagged URL (<tag>---<base_url>) that is not successful to better understand the issue?
Note that Google Groups are for asking general questions on GCP-end products and not for technical questions. For technical questions, I recommend posting your full detailed question on Stack Overflow and using relevant tags, since you can receive more visibility on your technical questions there.
Hey Marius,
Did you manage to solve this issue?
I am also stuck with the same problem. Is this a known limitation of Cloud Run?
Regards,
Sijohn Mathew
Ignore the above post. I think I got the solution. When we call the Cloud Run endpoint, we need to set the Audience field explicitly to the base address without the --tag version.
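
The fix described in the last post, as an added example that is not part of the thread: the ID token is minted with the untagged base URL as its audience, while the request itself still goes to the tagged URL. The helper names, the sample hostnames and the rule of splitting on the first `---` are assumptions made for illustration; `fetch_id_token` is the google-auth call.

```python
from typing import Optional
from urllib.parse import urlsplit
import urllib.request

TAG_SEPARATOR = "---"  # tagged revision URLs have the form <tag>---<base_url>


def audience_for(url: str, tag: Optional[str] = None) -> str:
    """Return the base service URL (no tag, no path) to use as the token audience."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"expected an https URL, got {url!r}")
    host = parts.hostname
    if tag is not None:
        # Safest form: the deployment step knows the tag, so strip exactly that prefix.
        prefix = tag + TAG_SEPARATOR
        if not host.startswith(prefix):
            raise ValueError(f"{host!r} is not tagged with {tag!r}")
        host = host[len(prefix):]
    elif TAG_SEPARATOR in host:
        # Assumption: neither the tag nor the service name contains "---".
        host = host.split(TAG_SEPARATOR, 1)[1]
    return f"https://{host}"


def call_tagged_revision(url: str, tag: Optional[str] = None) -> bytes:
    """GET `url` (tagged or not) with a token whose audience is the base URL."""
    # Imported here so audience_for() can be used without google-auth installed.
    import google.auth.transport.requests
    import google.oauth2.id_token

    auth_req = google.auth.transport.requests.Request()
    token = google.oauth2.id_token.fetch_id_token(auth_req, audience_for(url, tag))
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


# Constructed sample hostnames, not taken from the thread.
BASE = "https://myservice-abc123-uc.a.run.app"
TAGGED = "https://candidate---myservice-abc123-uc.a.run.app/setup?step=1"
```

Passing the tag explicitly makes the helper fail loudly if the URL is not the revision the deployment step expected, instead of silently minting a token for a different audience.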