How to call Google Cloud Run (or Cloud Functions) from Apps Scripts

Here is hot to do it quickly and easily

Published in

Geek Culture

4 min readAug 18, 2021

I struggled how to make an authenticated call from Apps Scripts to Cloud Run even though I had owner rights on the GCP project. This post describes how to do it without reinventing the wheel.

Background reading

Hence, here are the references I used to get this work done. This post by guillaume blaquiere was a good start but it didn’t work completely:

Call Cloud Run from App Script: The easy way

App Script and Cloud Run belong to 2 different worlds at Google, one in Cloud, the other in Workspace. Using both is…

medium.com

This stackoverflow issue also helped me to piece together the puzzle:

Call Google Cloud Functions from App Scripts

Thanks for contributing an answer to Stack Overflow! Please be sure to answer the question. Provide details and share…

stackoverflow.com

FYI, this is a good resource by salmaan rashid on the different GCP tokens used for authentication:

Authenticating using Google OpenID Connect Tokens

More and more Services that _you_ deploy on Google Cloud can have automatic premiter authentication enabled by default…

medium.com

Step by step

Make sure the Apps Script is in the same GCP project as the Cloud Run service. Without that it is pretty much hopeless. Google has manuals explaining how to set the Apps Sritps project here.

Authentication and authorization work on a project level. Apps Scripts creates a hidden GCP project by default. Hence, if you want Apps Scripts to interact with other GCP services, you need to move the Apps Scripts execution to the target GCP project.

2. Enable the OAuth consent screen under APIs & Services in you GCP project

This is a mandatory step and there are many manuals out there describing how to do it. Here is the GCP one. The consent screen allows users with access to a given project to give permission to the OAuth 2.0 client to access services on their behalf. Just select a testing or internal type of app to avoid the verification on behalf of Google as long as this is only for internal purposes of course. Then add your email account to the test-users list.

3. This Apps Scripts function calls a GCP Cloud Run service

CLOUD_RUN_URL="https://cloud-run-base-url";function callCloudRun() {
 // Use the OpenID token inside App Scripts
 const token = ScriptApp.getIdentityToken();var options = {
  'method' : 'get',
  'headers': {'Authorization': 'Bearer ' + token},
 };// call the server
 var response = UrlFetchApp.fetch(CLOUD_RUN_URL + '/hello', options);}

The Cloud Run service will be called using the Apps Scripts OAuth 2.0 client which you can see under APIs &Services > Credentials on GCP:

In the authorization header of the request, the code above puts the OpenID token which decoded looks something like this:

{
 at_hash=xxxxxxx,
 sub=xxxxxxx,
 aud=app-scripts-oauth2.0-client-id.apps.googleusercontent.com,
 email_verified=true,
 iss=https://accounts.google.com,
 hd=example.com,
 exp=1628072693,
 iat=1628069093,
 email=name@example.com
}

It tells the GCP firewall who is making the request and if the token is valid and the user is authorised to access the service or API, it will go through.

4. Edit the Apps Scripts manifest

Apps Scripts has JSON configuration file called appsscripts.json which is normally auto-generated. It is explained how to access it here. Under oauthScopes add the three extra scopes below. They allow a script to access GCP and also to generate the OpenID token mentioned above.

"oauthScopes": [
  ...,
  "https://www.googleapis.com/auth/script.container.ui",
  "https://www.googleapis.com/auth/cloud-platform",
  "openid"
]

5. The last mile is the trickiest!

The final piece came from the official GCP documentation on Cloud Run here.

If you have multiple OAuth client IDs (for example, one each for Android, iOS, and web), you must re-deploy your service(s) after adding each one to ensure the service picks up the change. Similarly, if you delete a client ID, you must re-deploy your service(s) to remove that client ID and deny requests. All client IDs within a project will be accepted.

All I had to do was to redeploy the Cloud Run service! Whenever a Cloud Run service is deployed it stores somehow a snapshot of all the OAuth2.0 client IDs in the particular GCP project. Hence if you first deployed the service and only then you added the Apps Scripts to the GCP project, the service will NOT recognise the new client ID for the Apps Scripts OAuth 2.0 client. You just need to redeploy the service and it works.

Conclusion

The steps above make complete sense when you consider the GCP security model for authentication and authorization. Some may say that it looks complicated but in reality it keeps your info and resources safe.

The same approach should work for Google Cloud Functions as well.

My name is Nik Vaklev and I am the founder of Techccino Ltd. If you are interested in building your own web apps get in touch.