I am using Firebase Authentication blocking functions (Gen-2) with Cloud Run services for:
- beforeUserCreated
- beforeUserSignedIn
Problem
When Cloud Run security is set to Require authentication (IAM), the blocking function calls from Identity Platform fail with:
The request was not authenticated. Either allow unauthenticated invocations or set the proper Authorization header.
Cloud Run logs show:
status: 403
userAgent: "Google-Firebase"
requestMethod: "POST"
requestUrl: "https://<service-name>-<random>.a.run.app/"
If I switch the Cloud Run service to Allow public access, everything works — but that is not acceptable for production.
What I have tried
- Verified that only the Identity Platform service agent has the roles/run.invoker permission on the Cloud Run services.
- Removed all allUsers or allAuthenticatedUsers bindings.
- Confirmed the functions are Gen-2, deployed successfully, and wired correctly in the Firebase Console (Authentication → Blocking functions).
- Re-added the blocking triggers multiple times.
- Cleared custom audiences and also tested explicitly setting audiences to match the request host(s) (the a.run.app URL, the project-number URL, and the Cloud Functions URL).
- Cloud Run ingress is set to “All”.
Question:
- Why would Identity Platform’s blocking function invocations reach Cloud Run but fail with 403 “not authenticated,” even though the service agent has roles/run.invoker?
- Are there additional configuration requirements for Gen-2 blocking functions (for example, around expected audiences or service identity) that I might be missing?
Any guidance or examples from others who have this working would be very helpful.
Environment
- Firebase Functions Gen-2 (Node.js)
- Region: Europe
- Identity Platform enabled: Email/password sign-up and sign-in flows
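The first two items under "What I have tried" (only the Identity Platform service agent holds roles/run.invoker, no allUsers/allAuthenticatedUsers bindings) are worth checking mechanically rather than by eye. The following added example (not from the original post) audits a Cloud Run IAM policy as returned by `gcloud run services get-iam-policy SERVICE --region REGION --format=json`; the policy JSON shape, the project number and the service agent naming pattern `service-<PROJECT_NUMBER>@gcp-sa-identitytoolkit.iam.gserviceaccount.com` are assumptions, and the sample policy is constructed.

```python
import json

# Constructed sample, shaped like the JSON output of
# `gcloud run services get-iam-policy SERVICE --format=json` (assumed shape).
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/run.invoker",
         "members": ["serviceAccount:service-123456789012@gcp-sa-identitytoolkit.iam.gserviceaccount.com"]},
        {"role": "roles/run.invoker",
         "members": ["allUsers"]},
        {"role": "roles/run.invoker",
         "members": ["user:ops@example.com"],
         "condition": {"title": "office-hours", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    ],
    "etag": "PLACEHOLDER_ETAG",
})

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
INVOKER_ROLE = "roles/run.invoker"


def identity_platform_agent(project_number: str) -> str:
    """Assumed naming pattern of the Identity Platform (Identity Toolkit) service agent."""
    return f"serviceAccount:service-{project_number}@gcp-sa-identitytoolkit.iam.gserviceaccount.com"


def audit_invoker_policy(policy_json: str, project_number: str) -> dict:
    """Summarise who may invoke the service and whether the policy is public.

    Returns whether the expected service agent holds an unconditional invoker
    binding, which public principals hold it, any other invokers, and members whose
    invoker grant is conditional (a condition can silently exclude a caller).
    """
    policy = json.loads(policy_json)
    unconditional, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if binding.get("role") != INVOKER_ROLE:
            continue
        target = conditional if "condition" in binding else unconditional
        target.update(binding.get("members", []))
    expected = identity_platform_agent(project_number)
    return {
        "agent_has_invoker": expected in unconditional,
        "public_invokers": sorted(unconditional & PUBLIC_MEMBERS),
        "other_invokers": sorted(unconditional - PUBLIC_MEMBERS - {expected}),
        "conditional_invokers": sorted(conditional),
    }


if __name__ == "__main__":
    print(json.dumps(audit_invoker_policy(SAMPLE_POLICY, "123456789012"), indent=2))
```

Run it against the real policy by piping the gcloud JSON into `audit_invoker_policy`; a non-empty `public_invokers` list is the "Allow public access" state the post wants to avoid, and `agent_has_invoker` being false with a 403 in the logs narrows the problem to the binding itself.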