Google Cloud Function Authentication Explained

Apr 3, 2020
allUsers and allAuthenticatedUsers

Lately, gcloud functions deploy require authentication by default.

If a cloud function require authentication, it require an authenticated user credential (of Cloud Identity and Access Management / IAM / Service Accounts) which normal utilize Authorization HTTP headers with Bearer prefix to send it Id Token. Such example would be Secure Cloud Functions for Cloud Scheduler.

You could allow unauthenticated function invocation.

  • Google Cloud Console -> Functions
  • Click checkbox of a specific functions, where Right Info Panel is shown
  • Click Permission tab and click Add Member.
  • Set allUsers for New members
  • Select Cloud Functions -> Cloud Functions Invoker for Select a role.
  • Click Save.

NOTE: You can use gcloud functions deploy FUNCTION_NAME --runtime python37 --trigger-http --allow-unauthenticated to enable unauthenticated function invocation, thus avoiding the complicated steps above.

Note that allAuthenticatedUsers doesn’t refer to Firebase Authentication users. It’s a Google Cloud Platform concept that stands for all service accounts. - Source

You cannot depend on this feature to secure cloud functions with Firebase Authentication, as it only works with Cloud Identity and Access Management / IAM / Service Accounts.

Refer to Secure Cloud Functions With Firebase Authentication (Python). Things are easier if you are using Node.js.

❤️ Is this article helpful?

Buy me a coffee ☕ or support my work via PayPal to keep this space 🖖 and ad-free.

Do send some 💖 to @d_luaz or share this article.

✨ By Desmond Lua

A dream boy who enjoys making apps, travelling and making youtube videos. Follow me on @d_luaz

👶 Apps I built

Travelopy - discover travel places in Malaysia, Singapore, Taiwan, Japan.