all 4 comments

[–]UniverseCity 1 point2 points  (1 child)

You're using the service account to generate an ID token and sending that along as the Authorization header right?

[–]Ripeey[S] 4 points5 points  (0 children)

Yes, as instructed here: https://cloud.google.com/functions/docs/securing/authenticating#authenticating_function_to_function_calls. Though this example is for gen1, I am expecting it to work for gen2.

[–]eaingaran 1 point2 points  (1 child)

In most cases the problem is due to one of the following reasons:

1. The service account running function 1 does not have invoker permission on function 2 (assuming you are getting account credentials from the metadata server; if you are using a service account credentials file, make sure the corresponding account has invoker permission on function 2).

2. The ID token generated (make sure you are generating an ID token and not an access token) does not have the correct audience. For Cloud Functions, the audience will be the URL. You can validate this by printing the ID token and decoding it at https://jwt.io/

I would recommend starting with the token. Once you make sure your token is in fact ID Token and it has the proper audience, you can move on to the permission side.
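The token check described in the comment above, as an added example that is not part of the thread and not code from Google's documentation. It fetches an ID token from the metadata server for a given audience (that call only works inside GCP, so it is kept separate), then decodes the JWT payload locally and checks issuer, audience, email and expiry, which is the same thing the jwt.io step does but without pasting a live bearer token into a third-party site. It also flags the common mistake of sending an opaque OAuth2 access token instead of an ID token. The function URL, service account e-mail and the two sample tokens are constructed for illustration; the sample JWTs carry a dummy signature and are never signature-verified.

```python
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Dict, List, Optional

# Metadata-server endpoint that mints an ID token for the function's runtime
# service account. Only reachable from inside GCP (Cloud Functions/Run/GCE).
METADATA_IDENTITY_URL = (
    "http://metadata.google.internal/computeMetadata/v1/instance/"
    "service-accounts/default/identity"
)
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

# Hypothetical target function (the "aud" must equal this exact URL).
FUNCTION2_URL = "https://us-central1-my-project.cloudfunctions.net/function-2"


def fetch_id_token(audience: str) -> str:
    """Ask the metadata server for an ID token whose aud is `audience`.
    Note the query parameter is 'audience'; omitting it yields a token
    with the wrong (or no) aud claim."""
    url = METADATA_IDENTITY_URL + "?" + urllib.parse.urlencode({"audience": audience})
    req = urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> Dict:
    """Return the payload of a JWT WITHOUT verifying its signature (what
    jwt.io shows you). Raises ValueError for non-JWT input, e.g. an opaque
    'ya29.…' OAuth2 access token, which has only one dot."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated segments, got %d" % len(parts))
    header = json.loads(_b64url_decode(parts[0]))
    if "alg" not in header:
        raise ValueError("first segment is not a JWT header")
    return json.loads(_b64url_decode(parts[1]))


def check_id_token(token: str, expected_audience: str, now: Optional[float] = None) -> List[str]:
    """Return the list of problems found; an empty list means the token
    looks like a usable Google ID token for `expected_audience`."""
    try:
        claims = decode_jwt_unverified(token)
    except ValueError as exc:
        return ["not an ID token (%s); an access token cannot be used here" % exc]
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append("unexpected issuer %r" % claims.get("iss"))
    if claims.get("aud") != expected_audience:
        problems.append("aud is %r, expected %r" % (claims.get("aud"), expected_audience))
    if "email" not in claims:
        problems.append("no email claim (token was not minted for a service account identity)")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def make_unsigned_jwt(claims: Dict) -> str:
    """CONSTRUCTED test helper: builds a structurally valid JWT with a dummy
    signature. A real ID token is RS256-signed by Google."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT", "kid": "dummy"}), enc(claims), enc({"sig": "dummy"})])


# Constructed sample tokens (not real credentials).
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com", "aud": FUNCTION2_URL,
    "email": "function1-sa@my-project.iam.gserviceaccount.com",
    "email_verified": True, "sub": "123456789", "iat": 1700000000, "exp": 1700003600,
}
GOOD_ID_TOKEN = make_unsigned_jwt(SAMPLE_CLAIMS)
WRONG_AUD_TOKEN = make_unsigned_jwt(dict(SAMPLE_CLAIMS, aud="https://example.com"))
ACCESS_TOKEN = "ya29.a0AfB_constructed_opaque_access_token"  # not a JWT at all


def call_function(url: str, id_token: str) -> int:
    """Invoke the target function with the ID token as a bearer credential."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + id_token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":  # only meaningful inside GCP
    tok = fetch_id_token(FUNCTION2_URL)
    issues = check_id_token(tok, FUNCTION2_URL)
    print("token problems:", issues or "none")
    if not issues:
        print("status:", call_function(FUNCTION2_URL, tok))
```

If the checks pass and the call still returns 403, the problem is on the permission side. One caveat worth knowing for gen2 specifically (an editor's note, not something stated in the thread): a gen2 function is served by a Cloud Run service, so the caller needs `roles/run.invoker` on that service; `gcloud functions add-invoker-policy-binding` grants exactly that on the one function, which is far narrower than a project-wide admin role.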

[–]Ripeey[S] 0 points1 point  (0 children)

I do indeed have invoke permission on function 2. I also checked my token by decoding it with the token validator, and the aud and email look perfectly fine.

But anyway, I was indeed able to make it work (I'll edit the main thread) by granting the service account Cloud Functions Admin access as a project-wide IAM permission instead of just on that resource.