Why doesn't granting 'allAuthenticatedUsers' member the 'Cloud Functions Invoker' role work for google cloud functions?

Question

According to the Google documentation, The \'allAuthenticatedUsers\' member would include anybody that is authenticated included regular gmail accounts. So I gave that member th

Answer 1

You can apply this role on a single function.

If you want to secure all your resources on your project, I mean, if you don't want to allow allUsers on GCP resources like Function, Cloud Run, Storage (...), you can activate the Domain Restriction Sharing Policy (DRS). With it, allUsers is forbidden.

Answer 2

You should not apply the allUsers and allAuthenticatedUsers on the project-level according to the Cloud Functions Docs (see the note in "Controlling access on all functions in a project"). Can you try to apply this to that single function you want to protect?

Answer 3

Correct Answer

Credit goes to John Hanley. I needed to use the id_token instead of my access_token in the bearer token authorization header.

I'm not sure how to mark this question as answered. I couldn't accept the comment, nor could I accept my own answer. My object is to help others who are having the same question by Marking this question as answered but I cannot do it. Weird!

Please Mark the answer as correct if you can.