Cloud Functions extension callout throwing forbidden issue even though having full access, Apigee Cloud Function integration issue.

Hi,

I am trying to invoke the cloud function from Apigee. I am still getting the following error:

Your client does not have permission to get URL /uri from this server.

These are the steps I have followed.

1. Deployed the cloud function

2. Removed the allUsers iam policy

3. Added the default service account IAM policy to the cloud function

4. Created the key.json using the gcloud command

5. Created the cloud function extension in Apigee with the credentials created in the above step. Note: the default user has project editor permission.

6. Added the extension callout policy in the proxy preflow. (followed according to the document)

7. Added the assign message policy in the target post flow.

Can anyone guide me on what I am doing wrong? I also need resources with example images. Nowhere in the document did I find an example with video or images. It's pretty difficult for developers to understand.


When you added your service account to your cloud function, what role did you use? Have you tried accessing your cloud function using the service account outside of Apigee?

Also, I'm not sure if you've seen a guide I've previously written on this. I'm not sure if removing allUsers is still required, as this may have more recently changed on the Google Cloud Platform.

https://community.apigee.com/articles/69821/using-the-cloud-functions-extension-securely.html

Hi,

Yes, I have tested the cloud function using the service account outside of Apigee; it's working fine. I have given the role as cloudfunctions.invoker. I followed the exact link that you shared. Let me know if you need more information.
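Added example, not part of any post in this thread: a Python check for the question raised above about which role the service account holds on the function. It compares the `client_email` from the `key.json` given to the extension with the function's IAM policy as exported by `gcloud functions get-iam-policy apigeetest --format=json`; the account, project and policy values below are constructed samples, and only the function-level policy is inspected.

```python
INVOKER_ROLE = "roles/cloudfunctions.invoker"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
SA = "serviceAccount:example-sa@example-project.iam.gserviceaccount.com"

# Constructed sample: the non-secret fields of a service account key.json.
SAMPLE_KEY = {"type": "service_account", "project_id": "example-project",
              "client_email": "example-sa@example-project.iam.gserviceaccount.com"}

# Constructed samples in the shape of get-iam-policy JSON output.
GOOD_POLICY = {"bindings": [{"role": INVOKER_ROLE, "members": [SA]}]}
BAD_POLICY = {"bindings": [
    {"role": INVOKER_ROLE, "members": ["allUsers"]},
    {"role": "roles/cloudfunctions.viewer", "members": [SA]},
]}


def audit_invoker_binding(key, policy):
    """Return (has_invoker_role, findings) for the key's service account."""
    member = "serviceAccount:" + key["client_email"]
    findings, granted = [], False
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        members = set(binding.get("members", []))
        public = sorted(members & PUBLIC_MEMBERS)
        # Step 2 of the original post: public access should be gone.
        if role == INVOKER_ROLE and public:
            findings.append("public invoke still granted to " + ", ".join(public))
        if member not in members:
            continue
        if role != INVOKER_ROLE:
            findings.append(f"{member} holds {role}, not {INVOKER_ROLE}")
        elif "condition" in binding:
            # A conditional binding may not apply to every request.
            title = binding["condition"].get("title", "untitled")
            findings.append(f"invoker binding is conditional ({title})")
        else:
            granted = True
    if not granted:
        findings.append(f"no unconditional {INVOKER_ROLE} binding for {member}")
    return granted, findings


if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        ok, notes = audit_invoker_binding(SAMPLE_KEY, policy)
        print(name, "OK" if ok else "CHECK", *notes, sep="\n  ")
```

Because the member string is built from the key file itself, the check also reports the case where the key uploaded to the extension belongs to a different service account than the one bound on the function.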

1. Double check you've set the input and action parameters of your extension callout.

2. Under admin->Extensions, select your extension and the environment you have deployed it to. You should shortly see some logs here.

3. What do you see in trace for the variables of the extension policy?

1. This is my extension callout policy 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ConnectorCallout async="false" continueOnError="true" enabled="true" name="Extension-Callout-1">
    <DisplayName>Extension Callout-1</DisplayName>
    <Connector>functionintegration</Connector>
    <Action>invoke</Action>
    <Input><![CDATA[ {
        "region" : "us-central1",
        "projectId" : "****",
        "functionName" : "apigeetest",
        "method" : "GET"
    } ]]></Input>
    <Output parsed="false">function.response</Output>
</ConnectorCallout>

2. This is my assign message policy

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="Get-Function-Response">
    <DisplayName>Get Function Response</DisplayName>
    <AssignTo type="response" createNew="false"/>
    <Set>
        <Payload contentType="application/json">{function.response}</Payload>
    </Set>
</AssignMessage> 

3. In trace I can only see a 403 error.

4. Doubts

  • Which flow should the extension callout policy be added to? (added in target pre flow)
  • Which flow should the assign message policy be added to? (added in target post flow)
  • If I have 10 endpoints in the proxy, how can I add all the endpoints in the extension callout policy?

Can you check the logs pertaining to your extension? (Under admin->Extensions, select your extension and the environment you have deployed it to. You should shortly see some logs here.)


It's very easy to use. The documentation is very easy to understand even if you are a new user of the cloud services. It provides access through SSH. The console is user friendly to use.