DEVHIDE
Login Or Sign up

how to set iam permissions to invoke cloud function gen2?

209 Views Asked by At

I have deployed a cloud function on gcp with terraform. But when I invoke try to it, It gives an error

Your client does not have permission to get URL /getAllEmployees from this server.

Below is my terraform code

provider "google" {
  project     = var.project_id
  region      = var.region
  credentials = "../tf-key.json"
}

resource "google_storage_bucket" "bucket" {
  name     = "${var.project_id}-bucket1"
  location = var.region
}

resource "google_storage_bucket_object" "source_code" {
  name   = "objects"
  bucket = "terraform-cloud-functions-ems-bucket1"
  source = "D:/gcf-terraform/gcf-1.zip"
}

resource "google_cloudfunctions2_function" "function" {
  name        = "getAllEmployees"
  location    = "us-central1"
  description = "Retrieve all employees."

  build_config {
    runtime     = "go121"
    entry_point = "GetAllEmployees"

    source {
      storage_source {
        bucket = "terraform-cloud-functions-ems-bucket1"
        object = "objects"
      }
    }
  }
  service_config {
    min_instance_count             = 1
    max_instance_count             = 10
    available_memory               = "128Mi"
    timeout_seconds                = 120
    all_traffic_on_latest_revision = false
    service_account_email          = "terraform-gcf@terraform-cloud-functions-ems.iam.gserviceaccount.com"
  }
}

resource "google_cloud_run_service_iam_binding" "default" {
  location = "google_cloudfunctions2_function.function.location"
  service  = "google_cloudfunctions2_function.function.name"
  role     = "roles/run.invoker"
  members  = ["allUsers"]
}

Resource "google_cloud_run_service_iam_binding" is not getting deployed.

I was expecting my function to get invoked. I have provided 'members' = ["allUssers"] in my code. But it still doesn't work.

I will appreciate your help.

terraform google-cloud-functions permission-denied google-cloud-iam
Original Q&A
1

There are 1 best solutions below

0
On

I think your issue is due to your resources not created in the right order, in Terraform you can specify dependencies between some resources, in order to create them in the right order.

In your case, the resource google_cloud_run_service_iam_binding needs to be created before the google_cloudfunctions2_function resource, example :

provider "google" {
  project     = var.project_id
  region      = var.region
  credentials = "../tf-key.json"
}

resource "google_storage_bucket" "bucket" {
  name     = "${var.project_id}-bucket1"
  location = var.region
}

resource "google_storage_bucket_object" "source_code" {
  name   = "objects"
  bucket = "terraform-cloud-functions-ems-bucket1"
  source = "D:/gcf-terraform/gcf-1.zip"
}

resource "google_cloud_run_service_iam_binding" "default" {
  location = "google_cloudfunctions2_function.function.location"
  service  = "google_cloudfunctions2_function.function.name"
  role     = "roles/run.invoker"
  members  = ["allUsers"]
}

resource "google_cloudfunctions2_function" "function" {
  depends_on = [
    google_cloud_run_service_iam_binding.default
  ]

  name        = "getAllEmployees"
  location    = "us-central1"
  description = "Retrieve all employees."

  build_config {
    runtime     = "go121"
    entry_point = "GetAllEmployees"

    source {
      storage_source {
        bucket = "terraform-cloud-functions-ems-bucket1"
        object = "objects"
      }
    }
  }
  service_config {
    min_instance_count             = 1
    max_instance_count             = 10
    available_memory               = "128Mi"
    timeout_seconds                = 120
    all_traffic_on_latest_revision = false
    service_account_email          = "terraform-gcf@terraform-cloud-functions-ems.iam.gserviceaccount.com"
  }
}

In this example, I specified a dependency and the google_cloudfunctions2_function depends on the google_cloud_run_service_iam_binding vie the following code snippet :

depends_on = [
   google_cloud_run_service_iam_binding.default
]

Related Questions in TERRAFORM

Related Questions in GOOGLE-CLOUD-FUNCTIONS

Related Questions in PERMISSION-DENIED

Related Questions in GOOGLE-CLOUD-IAM

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.