Service Account on an Eventarc Trigger with Cloud Functions destination requires Cloud Run Invoker

zaphod72 · January 9, 2024, 11:30pm

Hi,
I have a Cloud Function as the destination for an Eventarc Trigger. The Cloud Function requires authentication.

I created a service account for the trigger but it fails if I give it Cloud Functions Invoker permission on the Cloud Function.

The error logged in the CF:

The request was not authenticated. Either allow unauthenticated invocations or set the proper Authorization header …

If I remove the Cloud Functions Invoker permission and add Cloud Run Invoker permission on the CF’s Cloud Run service then it succeeds.

Expect that the Cloud Functions Invoker permission would be the correct permission to apply.

My Eventarc Trigger details:

Name: my-trigger
Region: us-central1
Service account: my-trigger@<project_id>.iam.gserviceaccount.com
Event provider: Cloud Pub/Sub
Event type: google.cloud.pubsub.topic.v1.messagePublished
Event data content type: No value
Topic: projects/<project_id>/topics/my-topic
Infrastructure: Cloud Pub/Sub
Destination platform: Cloud Functions
Destination: my-cloud-function (us-central1) [And this destination links to the Cloud Function]
Error conditions: None
Encryption: Events encrypted using Google-managed encryption keys

robertcarlos · January 11, 2024, 6:04pm

Hi @zaphod72 ,

Welcome to Google Cloud Community!

If you’re using Cloud Functions 2nd gen, it is built on Cloud Run and Eventarc to provide an enhanced feature set. This enables users to leverage key benefits of Cloud Run including concurrency, traffic splitting, and longer processing times.

This is the reason why Cloud Run Invoker permission works on your Cloud Functions (2nd gen) Eventarc trigger.

You could also see this feature on the upper right portion on your Cloud console.

You could check the following documentations that you may find helpful:

Hope this helps.

zaphod72 · January 11, 2024, 7:10pm

Thanks for the information @robertcarlos .

Are there any situations where a caller would need roles/cloudfunctions.invoker for a 2nd gen Cloud Function?

robertcarlos · January 11, 2024, 9:16pm

Hi @zaphod72 ,

Cloud Functions Invoker role would only work on Cloud Functions 1st gen as mention in this documentation.

Topic		Replies	Views
Cloud Function 2nd gen cant hit cloud run deployed by them Serverless Applications cloud-functions , cloud-run , eventarc	1	523	August 24, 2023
Cloud function gen 2 https trigger through google drive event api Serverless Applications cloud-functions , cloud-run	2	21	June 20, 2024
Calling authenticated cloud function from application - client does not have permission Serverless Applications cloud-functions	1	64	December 27, 2023

Service Account on an Eventarc Trigger with Cloud Functions destination requires Cloud Run Invoker

AI Suggested topics