22

Whenever I have to deploy a new Python function using the gcloud SDK, I get this message:

Allow unauthenticated invocations of new function [function-name]?

(y/N)?

WARNING: Function created with limited-access IAM policy. To enable unauthorized access consider

"gcloud alpha functions add-iam-policy-binding function-name --region=europe-west1 --member=allUsers --role=roles/cloudfunctions.invoker"

Is there any flag I can add to the command to make it a NO when deploying?

This is a sample command I use to deploy one function:

gcloud functions deploy function-name --region=europe-west1 --entry-point function-entry-point --trigger-resource "projects/my-project/databases/(default)/documents/user_ids/{user_id}" --trigger-event providers/cloud.firestore/eventTypes/document.create --runtime python37 --timeout 60 --project my-project 
7
  • What happens if you specify a service account with the --service-account flag? Commented May 1, 2020 at 23:52
  • Added the full warning message that suggests using gcloud alpha. There is: cloud.google.com/sdk/gcloud/reference/functions/…, but the thing is that I do not want to allow unauthenticated calls. How do you suggest using --service-account? Commented May 2, 2020 at 0:31
  • 1
    Specify a service account to gain access to the cloud function. Maybe that error is thrown if you give no information about permissions. I was reading the comments on this thread: stackoverflow.com/questions/57122047/… Commented May 2, 2020 at 0:36
  • That's the same question I have. But the thing is that I do not want to set any IAM policy other than denying unauthorized access by using the deploy command. I already tried the beta and alpha as suggested there, but it is still asking me for an IAM policy. I'm looking for a flag to add to the deploy command. Commented May 2, 2020 at 0:54
  • What is your use case? Commented May 2, 2020 at 0:56

4 Answers

22

I just encountered this problem as well and discovered that you can supply --no-allow-unauthenticated to pre-emptively answer "no" to this question.

gcloud functions deploy MyFunction \
  --runtime=go116 --trigger-http --no-allow-unauthenticated

13

From https://cloud.google.com/sdk/docs/scripting-gcloud#disabling_prompts:

You can disable prompts from gcloud CLI commands by setting the disable_prompts property in your configuration to True or by using the global --quiet or -q flag.

So for your example, you could run:

gcloud functions deploy function-name --quiet --region=europe-west1 --entry-point function-entry-point --trigger-resource "projects/my-project/databases/(default)/documents/user_ids/{user_id}" --trigger-event providers/cloud.firestore/eventTypes/document.create --runtime python37 --timeout 60 --project my-project 

2 Comments

I think that's just a workaround rather than a solution.
This answer seems to be the officially recommended way to answer this question rather than a workaround as suggested in other comments. From the docs: "Some gcloud CLI commands are interactive, prompting users for confirmation of an operation or requesting additional input for an entered command. In most cases, this is not desirable when running commands in a script or other automation. You can disable prompts from gcloud CLI commands [...] by using the global --quiet or -q flag". I think the downvotes aren't justified.
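Added example, not part of any answer on this page: after a non-interactive deploy with --no-allow-unauthenticated or --quiet, a CI step can confirm that the function's IAM policy grants no invoker role to a public principal. It parses the JSON printed by `gcloud functions get-iam-policy ... --format=json`; the script name `check_public.py`, the sample policies and the service account address are constructed for illustration.

```python
import json
import sys

# Special IAM principals that open a binding to the public.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Invoker roles: the first is the one named in the deploy warning; the second
# is the Cloud Run equivalent mentioned in a later answer.
INVOKER_ROLES = {"roles/cloudfunctions.invoker", "roles/run.invoker"}

# Constructed sample policies (not real output from any project).
PUBLIC_POLICY = """{"bindings": [{"role": "roles/cloudfunctions.invoker",
  "members": ["allUsers"]}], "etag": "BwXconstructed=", "version": 1}"""
LOCKED_POLICY = """{"bindings": [{"role": "roles/cloudfunctions.invoker",
  "members": ["serviceAccount:caller@my-project.iam.gserviceaccount.com"]}],
  "etag": "BwXconstructed=", "version": 1}"""


def public_invoker_bindings(policy_json):
    """Return sorted (role, member) pairs that let anyone invoke the function."""
    # An empty string is treated as a policy with no bindings.
    policy = json.loads(policy_json) if policy_json.strip() else {}
    findings = set()
    for binding in policy.get("bindings") or []:
        if binding.get("role") not in INVOKER_ROLES:
            continue
        for member in binding.get("members") or []:
            if member in PUBLIC_MEMBERS:
                findings.add((binding["role"], member))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: gcloud functions get-iam-policy function-name \
    #          --region=europe-west1 --format=json | python check_public.py
    found = public_invoker_bindings(sys.stdin.read())
    for role, member in found:
        print(f"PUBLIC: {member} holds {role}")
    # Non-zero exit fails the pipeline when a public invoker binding exists.
    sys.exit(1 if found else 0)
```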
8
  1. Select the service
  2. Click Show Info Panel to display the Permissions tab.
  3. In the Add members field, enter allUsers
  4. Select the Cloud Functions Invoker from roles
  5. Add

or

gcloud functions add-iam-policy-binding FUNCTION \
  --member='serviceAccount:FUNCTION_IDENTITY' \
  --role='roles/cloudfunctions.invoker'

gcloud run services add-iam-policy-binding [SERVICE_NAME] \
  --member="allUsers" \
  --role="roles/cloudfunctions.invoker"

1 Comment

Just modified according to the resource of cloud functions.
-1

I’ll need to review the function first before giving detailed feedback, but if it’s an HTTP function accessible from the internet, Google recommends securing it with authenticated invocations.

If your use case requires the function to be publicly accessible, you’ll need to:

  1. Enable unauthenticated invocations when deploying.

  2. In the Permissions tab, grant the Cloud Run Invoker role to allUsers.

This enforces an IAM policy while still keeping the function accessible to the public, and it will also silence the warning.

But I would just ignore it.
