google-cloud-platform load-balancing strapi google-cloud-run google-cloud-load-balancer

Error 403 Forbidden from Google Cloud Load Balancer


I have Strapi CMS deployed in Cloud Run and have exposed it via Google Cloud Load Balancer. The CMS exposes an unauthenticated URL to expose static content. If I hit the Cloud Run URL directly without authentication, it works fine and serves me the content.

Then I configured Google Cloud Load Balancer with backend configuration (via Service Endpoint Group) to the Cloud Run instance. Configuration is successful. However, if I try to hit the Cloud Run URL via Cloud Load Balancer, it throws a 403 Forbidden error.

If the same Cloud Load Balancer URL is accessed with an Authorization header, it works fine. I need unauthenticated requests to be made.

Any help will be much appreciated.


Solution

  • 403 Forbidden error means the request was not authenticated or does not have permission to get the URL.

    To resolve this issue, the following steps might help:

    If the service is meant to be invocable by anyone, update its IAM settings to make the service public.

    If the service is meant to be invocable only by certain identities, make sure that you invoke it with the proper authorization token.

    If invoked by an end user: Ensure the user has the Cloud Run Admin (roles/run.admin) and Cloud Run Invoker (roles/run.invoker) roles.

    If invoked by a service account: Ensure the service account has the Cloud Run Invoker (roles/run.invoker) role.

    Calls that are missing an auth token, or that carry an auth token of valid format whose IAM member lacks the run.routes.invoke permission, will result in this 403 error.

    If the project is within a VPC-SC perimeter, verify that VPC-SC policies are not denying run.googleapis.com/HttpIngress traffic that originates from the caller's IP or identity.

    For detailed steps, follow the official doc: HTTP 403: Client is not authorized to invoke/call the service.
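As an added example (not part of the original answer), the IAM cases listed above can be checked offline against the JSON printed by `gcloud run services get-iam-policy SERVICE --format=json`. The policies, project and member names below are constructed, the function names are hypothetical, and only direct `roles/run.invoker` bindings are modelled (group membership, inherited policies, other roles and VPC-SC are out of scope).

```python
import json

INVOKER_ROLE = "roles/run.invoker"   # role named in the answer above
ANYONE = "allUsers"                  # IAM principal: any caller, no token needed
ANY_TOKEN = "allAuthenticatedUsers"  # IAM principal: any Google-authenticated caller

# Constructed samples shaped like `gcloud run services get-iam-policy --format=json`.
PRIVATE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/run.invoker",
   "members": ["serviceAccount:frontend@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/run.viewer", "members": ["user:auditor@example.com"]}
], "version": 1}
""")
PUBLIC_POLICY = json.loads("""
{"bindings": [{"role": "roles/run.invoker", "members": ["allUsers"]}], "version": 1}
""")


def invokers(policy):
    """Return the sorted members bound directly to roles/run.invoker."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == INVOKER_ROLE:
            found.update(binding.get("members", []))
    return sorted(found)


def iam_allows(policy, caller=None):
    """True if the IAM check passes; caller=None means no Authorization header."""
    members = set(invokers(policy))
    if ANYONE in members:
        return True       # public service: anonymous requests are accepted
    if caller is None:
        return False      # no token and no allUsers binding -> 403
    return ANY_TOKEN in members or caller in members


def diagnose(policy, caller=None):
    """Explain the expected outcome for one request."""
    if iam_allows(policy, caller):
        return "allowed"
    if caller is None:
        return "403: no auth token and allUsers lacks " + INVOKER_ROLE
    return "403: " + caller + " lacks " + INVOKER_ROLE


if __name__ == "__main__":
    print("invokers:", invokers(PRIVATE_POLICY))
    print("anonymous, private service:", diagnose(PRIVATE_POLICY))
    print("anonymous, public service: ", diagnose(PUBLIC_POLICY))
```

An `allUsers` entry in the output means the service accepts requests from anyone who can reach it, so it is worth confirming that this is intended for each service where it appears.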