Deploy on 2nd Gen Google Cloud Functions

Have you deployed your code on the 2nd Gen Google Cloud Functions and experienced the error below?

An error page after successful deployment to cloud functions

Don’t worry; you’re not alone.

Google recently made changes to its Cloud Run service, and now, by default, all Cloud Run services are deployed privately. The 2nd Generation Cloud Functions use the Cloud Run service, which is why your newly deployed cloud function may not work, resulting in the “Error: Forbidden” page. However, you can resolve this issue by creating an authentication rule, as outlined below:

Calling your cloud function without setting a rule will give this error:

The request was not authenticated. Either allow unauthenticated invocations or set the proper Authorization header. Read more at https://cloud.google.com/run/docs/securing/authenticating

So here are the steps to make your newly deployed API available to the public:

Step 1: Visit https://console.cloud.google.com/ and click or search for Cloud Functions on the menu.

Step 2: Select the name of the function that needs fixing from the list.

Cloud Functions list page

Via Console

Step 3: Navigate to the “Permissions” tab, locate the “Grant Access” link, and click on it.

Step 4: In the “Add Principals” section, enter “allUsers” in the “New Principal” text box. In the “Role” box, add “Cloud Functions Invoker” and “Cloud Run Invoker.” Click “Save” to apply the changes.

That’s it! Your API should now be publicly accessible. If your API is still not available to the public, you can use the Google Cloud CLI as an alternative method:

Via Google Cloud CLI

Step 5: Login to your google cloud using gcloud CLI

gcloud auth login

Step 6: After successful login, run

gcloud config set project PROJECT_ID

Replace PROJECT_ID with your own projectId

Step 7: Then run

gcloud run services add-iam-policy-binding api     --member="allUsers"     --role="roles/run.invoker"

This command will prompt you to specify a region; choose a region by entering the corresponding number.

That’s it! You should now be able to access your API URL (e.g., https://region-projectId.cloudfunctions.net/api), and it should be working as expected.