1

I am using Firebase Authentication blocking functions (Gen-2) with Cloud Run services for: • beforeUserCreated • beforeUserSignedIn

Problem When Cloud Run security is set to Require authentication (IAM), the blocking function calls from Identity Platform fail with:

The request was not authenticated. Either allow unauthenticated invocations or set the proper Authorization header.

Cloud Run logs show:

status: 403
userAgent: "Google-Firebase"
requestMethod: "POST"
requestUrl: "https://<service-name>-<random>.a.run.app/"

If I switch the Cloud Run service to Allow public access, everything works — but that is not acceptable for production.

What I have tried

  • Verified that only the Identity Platform service agent has the roles/run.invoker permission on the Cloud Run services.
  • Removed all allUsers or allAuthenticatedUsers bindings.
  • Confirmed the functions are Gen-2, deployed successfully, and wired correctly in the Firebase Console (Authentication → Blocking functions).
  • Re-added the blocking triggers multiple times.
  • Cleared custom audiences and also tested explicitly setting audiences to match the request host(s) (the a.run.app URL, the project-number URL, and the Cloud Functions URL).
  • Cloud Run ingress is set to “All”.

Question:

  • Why would Identity Platform’s blocking function invocations reach Cloud Run but fail with 403 “not authenticated,” even though the service agent has roles/run.invoker?
  • Are there additional configuration requirements for Gen-2 blocking functions (for example, around expected audiences or service identity) that I might be missing?

Any guidance or examples from others who have this working would be very helpful.

Environment

  • Firebase Functions Gen-2 (Node.js)
  • Region: Europe
  • Identity
  • Platform enabled:Email/password sign-up and sign-in flows

0

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.