Comments (25)
This issue should be fixed and will go out in the next release
from firebase-functions-python.
Any update for when this will be released?
from firebase-functions-python.
I tried to follow this Python example too, with no success.
The task is added to the queue, but when the task invokes the function I get:
"The request was not authenticated. Either allow unauthenticated invocations or set the proper Authorization header. Read more at https://cloud.google.com/run/docs/securing/authenticating Additional troubleshooting documentation can be found at: https://cloud.google.com/run/docs/troubleshooting#unauthorized-client"
from firebase-functions-python.
I'm also unable to get this to work. The example doesn't include an auth header or token:
```python
task_queue = tasks_client.queue_path(project_id, REGION.value, <function_name>)
target_uri = get_function_url(<function_name>)
body = {}
task = tasks_v2.Task(
    http_request={
        "http_method": tasks_v2.HttpMethod.POST,
        "url": target_uri,
        "headers": {
            "Content-type": "application/json",
        },
        "body": json.dumps(body).encode(),
    }
)
tasks_client.create_task(parent=task_queue, task=task)
```
This produces an error indicating that an authorization token is required in the function that consumes the queue:
"The request was not authenticated. Either allow unauthenticated invocations or set the proper Authorization header. Read more at https://cloud.google.com/run/docs/securing/authenticating Additional troubleshooting documentation can be found at: https://cloud.google.com/run/docs/troubleshooting#unauthorized-client"
The roles for my default compute service account include cloud run invoker and cloud function invoker:
If you follow https://cloud.google.com/run/docs/authenticating/service-to-service#run-service-to-service-example-python, that suggests that you set the url from your service as the audience and create a bearer token you pass through:
```python
target_uri = get_function_url(function_name)
auth_req = google.auth.transport.requests.Request()
id_token = google.oauth2.id_token.fetch_id_token(auth_req, target_uri)
task = tasks_v2.Task(
    http_request={
        "http_method": tasks_v2.HttpMethod.POST,
        "url": target_uri,
        "headers": {
            "Content-type": "application/json",
            "Authorization": f"Bearer {id_token}",
        },
        "body": json.dumps(body).encode(),
    }
)
tasks_client.create_task(parent=task_queue, task=task)
```
This produces a different error in the queue consumer:
ERROR:root:Error validating token: Firebase ID token has incorrect "aud" (audience) claim. Expected "<project_id>" but got "https://us-central1-<project_id>cloudfunctions.net/<function_name>". Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve ID token."
If you change the audience from the function to the firebase project (<project_id>), you get a different error:
textPayload: "The request was not authorized to invoke this service. Read more at https://cloud.google.com/run/docs/securing/authenticating Additional troubleshooting documentation can be found at: https://cloud.google.com/run/docs/troubleshooting#401"
That certainly looks like the service account doesn't have the required permission, but it does at least have functions invoker and cloud run invoker.
It would be really helpful to have a working example. Based on the very first error, it seems like you must explicitly pass some kind of auth information to tasks_v2.Task, but the example doesn't do so.
Edit: It looks like there are two different auth checks being performed with two different (and maybe incompatible) sets of requirements. The first looks like a standard firebase auth check. The second seems like it's the underlying cloud tasks. The error messages make it look like we're able to satisfy either Firebase or Cloud Tasks checks, but not both.
from firebase-functions-python.
Thanks, everyone, for providing such detailed comments! We were able to reproduce.
@jacobg This might be the issue, we are working on a fix ASAP.
from firebase-functions-python.
We're planning a release soon. Keep a lookout in the next couple of days
from firebase-functions-python.
I had the same issue here. Updating `firebase-functions` from `0.2.0` to `0.4.1` fixed it!
from firebase-functions-python.
@exaby73 I'm using a Firebase function to create a cloud task to request another Firebase function. Basically, I followed this example but it's not working: https://firebase.google.com/docs/functions/task-functions?gen=2nd#python
tasks_v2 : https://pypi.org/project/google-cloud-tasks/
from firebase-functions-python.
Any luck here? I also followed the docs but no luck.
from firebase-functions-python.
Hello @RTae. Could you tell me which libraries you're using?
from firebase-functions-python.
I also failed to get the auth token biz working similarly, so ended up removing access control from the task queue, to get forward. Our thing is low security anyway, and if needed, I guess I can add an API key to the workers. Would be nice to have proper auth working though ofc.
from firebase-functions-python.
Is it possible to give me an example I could test with?
from firebase-functions-python.
> Is it possible to give me an example I could test with?

That basically is it, I also tried to follow it and got into the same trouble. https://firebase.google.com/docs/functions/task-functions?gen=2nd#python
from firebase-functions-python.
I am in the same boat. Anyone find a solution to this?
from firebase-functions-python.
Hello all, for those following the sample here there's a small issue: first change `location: str = SupportedRegion.US_CENTRAL1` to `location: str = SupportedRegion.US_CENTRAL1.value`. The location was sent as a literal `locations/supportedregion.us_central1`, thus we get the error `Location SupportedRegion.US_CENTRAL1 is not found or access is unauthorized.` (it really doesn't exist).
@kulaone @antont @spartonia @ShadowBearVR have you followed the instructions here? The error indicates that the service account used doesn't have the role `roles/cloudfunctions.invoker`.
@RTae you're trying to use a service account other than the ADC, right?
from firebase-functions-python.
@pr-Mais I can confirm the required permissions (and extra) were added and I still got the same type of errors.
from firebase-functions-python.
@ShadowBearVR can you post the exact error message you're getting and if it's the same as the issue author?
from firebase-functions-python.
And just for fun, I tried creating a task queue using typescript and calling it from python. That works perfectly if you follow the guidance in https://cloud.google.com/run/docs/authenticating/service-to-service#run-service-to-service-example-python:
```python
target_uri = get_function_url(function_name)
auth_req = google.auth.transport.requests.Request()
id_token = google.oauth2.id_token.fetch_id_token(auth_req, target_uri)
task = tasks_v2.Task(
    http_request={
        "http_method": tasks_v2.HttpMethod.POST,
        "url": target_uri,
        "headers": {
            "Content-type": "application/json",
            "Authorization": f"Bearer {id_token}",
        },
        "body": json.dumps(body).encode(),
    }
)
tasks_client.create_task(parent=task_queue, task=task)
```
If I instead define the queue in python and call it with exactly the same code, I get:
ERROR:root:Error validating token: Firebase ID token has incorrect "aud" (audience) claim. Expected "<project_id>" but got "https://<function-name>-NNNN-uc.a.run.app". Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve ID token."
This seems problematic? https://github.com/firebase/firebase-functions-python/blob/7f83050dc44f7877a58a590a5aae1006a6f14358/src/firebase_functions/private/util.py#L218C28-L218C43. That's calling a firebase function to validate auth. The only other use of that method I see is for https functions where using Firebase's auth makes more sense because the caller is very likely to be external: https://github.com/search?q=repo%3Afirebase/firebase-functions-python%20_on_call_handler&type=code. It definitely seems like Firebase's auth requirements differ from the Cloud Run Service's auth requirements. Since they both use the same header it's not possible to satisfy both.
A workaround seems to be to enable "Allow unauthenticated invocations" for the service. Firebase might still pass through and validate its own auth token if you do this (I haven't tried to validate that), but you can also pass through a secret or an auth token using the body and manually validate it.
from firebase-functions-python.
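For the workaround mentioned above (allowing unauthenticated invocations and validating a secret carried in the body), the following is an added example, not code from this thread or from the firebase-functions project. It authenticates the task body with an HMAC so the now-public endpoint rejects requests that were not produced by the enqueuing code; the function names, envelope fields and `max_age` default are assumptions, and the shared secret is assumed to come from a secret store.

```python
import hashlib
import hmac
import json
import time


def _tag(secret, issued_at, data):
    # The MAC covers the timestamp and the exact serialized payload.
    return hmac.new(secret, f"{issued_at}.{data}".encode(), hashlib.sha256).hexdigest()


def sign_task_body(payload, secret, now=None):
    """Enqueue side: wrap the payload in a timestamped, HMAC-SHA256-tagged envelope."""
    issued_at = int(time.time() if now is None else now)
    data = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    envelope = {"iat": issued_at, "data": data, "sig": _tag(secret, issued_at, data)}
    return json.dumps(envelope).encode()


def verify_task_body(raw, secret, max_age=300, now=None):
    """Handler side: return the payload, or raise PermissionError before doing any work.

    max_age (assumed default) must cover the queue's schedule delay and retry window.
    """
    try:
        env = json.loads(raw)
        issued_at, data, sig = env["iat"], env["data"], env["sig"]
        if type(issued_at) is not int or type(data) is not str or type(sig) is not str:
            raise TypeError("unexpected field type")
        expected = _tag(secret, issued_at, data).encode()
        presented = sig.encode()
    except (ValueError, KeyError, TypeError):
        raise PermissionError("malformed task envelope") from None
    # Constant-time comparison avoids leaking how much of the tag matched.
    if not hmac.compare_digest(expected, presented):
        raise PermissionError("bad signature")
    current = time.time() if now is None else now
    if abs(current - issued_at) > max_age:
        raise PermissionError("stale task")
    return json.loads(data)
```

The enqueuing code would pass the output of `sign_task_body` as the task's `body`, and the handler would call `verify_task_body` on the raw request body first.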
I have the same issue. Following the example "https://firebase.google.com/docs/functions/task-functions?gen=2nd", whatever configuration I use, I always get some kind of authentication / authorization error
from firebase-functions-python.
I'm having the same issue here. I tried adding an `oidc_token` to the task `http_request`. If audience is set to the project, Cloud Run returns 401 with error logged:
The request was not authorized to invoke this service. Read more at https://cloud.google.com/run/docs/securing/authenticating Additional troubleshooting documentation can be found at: https://cloud.google.com/run/docs/troubleshooting#401
If audience is set to the function url, then the function does seem to get invoked but the Firebase task wrapper fails with this error:
ERROR:root:Error validating token: Firebase ID token has incorrect "aud" (audience) claim. Expected "PROJECT-ID" but got "FUNCTION-URL". Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve ID token.
As a previous poster notes, it seems there are two layers of authentication that conflict with each other.
Can Firebase team please follow up on this issue? Many people here need help. Thanks!
from firebase-functions-python.
Since the Cloud Run service is already doing the authentication, it seems we can patch the Firebase SDK inside the function to bypass auth:
```python
import firebase_functions.private.util as firebase_private_util


# Replace the SDK's Firebase ID token check with a no-op
def _on_call_check_auth_token(*args, **kwargs):
    return None


firebase_private_util._on_call_check_auth_token = _on_call_check_auth_token
```
Then when enqueuing a task, make sure to set the `oidc_token` in the task's `http_request` to meet the requirements of Cloud Run:
```python
"oidc_token": {
    'service_account_email': FUNCTION_IDENTITY,
    'audience': task_http_request_url,
}
```
I verified this works.
from firebase-functions-python.
Thank you @pr-Mais 👍
from firebase-functions-python.
^ Same question. Wonder if there're any temporary workarounds for this?
from firebase-functions-python.
> This issue should be fixed and will go out in the next release

Hi @exaby73, any updates on this? When will the next release happen?

> ^ Same question. Wonder if there're any temporary workarounds for this?

@GoodluckH, the workaround is to define your function as `@https_fn.on_request` instead of `@tasks_fn.on_task_dispatched`
from firebase-functions-python.
Any updates? I also have the same issue.
from firebase-functions-python.