Hello folks, I’m facing a strange issue with Salesforce authentication in a Cloud Run environment. The same code works fine locally and on VMs (run with gcloud ssh), and consistently fails in Cloud Run.
Environment
Python 3.11 with extracted code from simple-salesforce library for making the soap request.
Docker container deployed to Google Cloud Run
The issue
When attempting to authenticate with Salesforce the request fails only in Cloud Run with “INVALID_LOGIN: Invalid username, password, security token; or user locked out”, below is the response.
<?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sf="urn:fault.partner.soap.sforce.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Body><soapenv:Fault><faultcode>sf:INVALID_LOGIN</faultcode><faultstring>INVALID_LOGIN: Invalid username, password, security token; or user locked out.</faultstring><detail><sf:LoginFault xsi:type="sf:LoginFault"><sf:exceptionCode>INVALID_LOGIN</sf:exceptionCode><sf:exceptionMessage>Invalid username, password, security token; or user locked out.</sf:exceptionMessage></sf:LoginFault></detail></soapenv:Fault></soapenv:Body></soapenv:Envelope>
What I’ve tried
Created a test script with raw SOAP requests (no dependencies) that replicates the authentication flow - still fails in Cloud Run.
Confirmed all environment variables are correctly set (username, password and token).
Nothing special set regarding networking on Cloud Run (all defaults). I also tested a simple curl through the Python code and it worked (running within the deployed container).
I’ve narrowed it down to something specific about how Cloud Run handles SOAP requests to Salesforce’s authentication endpoint. Has anyone encountered similar issues with SOAP, any workarounds or ideas?
The issue you’re encountering typically occurs when Salesforce cannot authenticate the login credentials due to one of the following reasons:
Incorrect username or password
Missing or outdated security token
IP restrictions on your Salesforce org that require the token to be included
Login attempts from an untrusted network
I have found this Stack Overflow post that somewhat relates to your concerns with detailed explanations and solutions which might help you. The post walks through common root causes and verified steps you can take, such as regenerating your security token or adjusting your trusted IP range settings.
Thank you for your response, much appreciated on this rather convoluted topic. I’ve tried most of the things you shared and I’ll update the original post to reflect that:
I’m confident the triplet (username, password, security token) is valid since it is working locally and from a random GCP VM; the only place it doesn’t work is Cloud Run.
“IP restrictions on your Salesforce org that require the token to be included”. I always include the token. If that’s not what you meant, or you had another token in your mind, please let me know.
The VM request working serves as contradicting evidence if there are any network or IP restrictions on the Salesforce side. In any case, I tried adding the Cloud Run IP to the list of allowed IPs, and it didn’t change the end result.
The error message “Invalid username, password, security token; or user locked out.” indicates you have an authentication error.
My bet would be that the environment variables where you are setting username, password or token are not set properly.
How are you setting those? Via env variables on Cloud Run or hardcoded?
I use the Google Secret Manager - the env variables are fed with the values saved in Google Secret Manager.
Yes, I tried that as well, I’m confident that the right ones are passed and I log them right before the call (I logged the length here before) and I also have logged the start and the end to double check them.
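One way to compare the credential values the Cloud Run container receives with the ones the working VM receives, without writing any of their characters to logs. This is an added example, not code from any poster in this thread; the `SF_*` variable names and `DIAG_HMAC_KEY` are assumptions.

```python
import hashlib
import hmac
import json
import os
import unicodedata

# Hypothetical variable names; the thread does not say what the real ones are.
CRED_VARS = ("SF_USERNAME", "SF_PASSWORD", "SF_SECURITY_TOKEN")


def describe_secret(value: str, key: bytes) -> dict:
    """Loggable facts about a secret that reveal none of its characters."""
    raw = value.encode("utf-8")
    # Whitespace, control (Cc) and format (Cf, e.g. a BOM) code points.
    hidden = sorted(
        {f"U+{ord(ch):04X}" for ch in value
         if ch.isspace() or unicodedata.category(ch) in ("Cc", "Cf")}
    )
    return {
        "chars": len(value),
        "bytes": len(raw),
        "edge_whitespace": value != value.strip(),
        "hidden_code_points": hidden,
        # Keyed hash: equal values give equal fingerprints, and the log line
        # cannot be brute-forced without the key.
        "fingerprint": hmac.new(key, raw, hashlib.sha256).hexdigest()[:16],
    }


def report(env, key: bytes) -> dict:
    """Describe each credential variable found in env; None marks a missing one."""
    return {
        name: describe_secret(env[name], key) if name in env else None
        for name in CRED_VARS
    }


if __name__ == "__main__":
    # DIAG_HMAC_KEY is a hypothetical throwaway key, set to the same value in
    # every environment being compared and never logged.
    diag_key = os.environ["DIAG_HMAC_KEY"].encode("utf-8")
    print(json.dumps(report(os.environ, diag_key), sort_keys=True))
```

Run it in both environments and diff the two JSON lines: a differing fingerprint or a non-empty `hidden_code_points` list shows which variable arrives with different bytes.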