
I'm trying to expose a private GCP Cloud Function using API Gateway. The function is written in Node.js and deployed with --ingress-settings=internal-and-gclb, and it works fine when called internally with an authenticated request.

However, when I try to access the function via the configured API Gateway, I receive the following error:

```
<html>
<head>
    <meta http-equiv="content-type" content="text/html;charset=utf-8">
    <title>403 Forbidden</title>
</head>
<body text=#000000 bgcolor=#ffffff>
    <h1>Error: Forbidden</h1>
    <h2>Your client does not have permission to get URL <code>/ping</code> from this server.</h2>
</body>
</html>
```

1 Answer


Your Cloud Function is set to --ingress-settings=internal-and-gclb, which means it only accepts requests from GCP or Google Cloud Load Balancer (GCLB).

API Gateway acts as an external HTTPS client unless it is configured to behave as an authenticated internal client.

  1. You can test by putting --ingress-settings=all, but that makes it public, although API Gateway may still require authentication.

  2. Create a Network Endpoint Group (NEG)/serverless VPC for your cloud function. Configure a load balancer with an internal IP or external HTTPS. Point API Gateway or your API Load Balancer to this NEG/VPC.

Ensure that API Gateway has the appropriate IAM permission (roles/cloudfunctions.invoker) to invoke your function.
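
An added example, not part of the original answer: a Python check that applies the two conditions named above (the ingress setting and the `roles/cloudfunctions.invoker` binding) to JSON shaped like the output of `gcloud functions describe --format=json` and `gcloud functions get-iam-policy --format=json` for a 1st-gen function. The sample data, the service account names and the `check_exposure` helper are constructed for illustration.

```python
import json

INVOKER_ROLE = "roles/cloudfunctions.invoker"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample data (assumption: 1st-gen function, top-level ingressSettings).
SAMPLE_FUNCTION = json.loads('{"name": "ping", "ingressSettings": "ALLOW_INTERNAL_AND_GCLB"}')
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/cloudfunctions.invoker",
   "members": ["serviceAccount:internal-caller@example-project.iam.gserviceaccount.com"]}
]}
""")
# Hypothetical service account that the API Gateway config runs as.
GATEWAY_SA = "serviceAccount:gateway-sa@example-project.iam.gserviceaccount.com"


def invokers(policy):
    """Return every member bound to the invoker role (binding conditions are ignored)."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == INVOKER_ROLE:
            members.update(binding.get("members", []))
    return members


def check_exposure(function, policy, gateway_member):
    """Return findings on whether the gateway can reach and invoke the function."""
    findings = []
    # Assumption: a missing field is treated as ALLOW_ALL, the default ingress setting.
    ingress = function.get("ingressSettings", "ALLOW_ALL")
    allowed = invokers(policy)
    if ingress != "ALLOW_ALL":
        findings.append(f"ingress={ingress}: gateway traffic must arrive via a load balancer or internal path")
    if gateway_member not in allowed:
        findings.append(f"{gateway_member} lacks {INVOKER_ROLE}")
    public = sorted(allowed & PUBLIC_MEMBERS)
    if public:
        findings.append(f"function is invocable by {', '.join(public)}")
        if ingress == "ALLOW_ALL":
            findings.append("function can be called from the internet, bypassing the gateway")
    return findings


if __name__ == "__main__":
    for line in check_exposure(SAMPLE_FUNCTION, SAMPLE_POLICY, GATEWAY_SA):
        print(line)
```

Running the check again after switching to `--ingress-settings=all` for testing shows whether the IAM policy alone still keeps the function private.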
