
How do I remove "Allow unauthenticated" from an HTTP onRequest Gen 2 Firebase Function?


When deploying functions with gcloud we can use the flag --no-allow-unauthenticated to stop functions from being accessed by anyone.

That flag does not exist for Firebase. For example, this does NOT work:

firebase deploy --only functions --no-allow-unauthenticated

So currently when I deploy an HTTP onRequest Gen 2 Firebase Function it automatically deploys with "Allow unauthenticated" authentication status. This is bad. How do I stop that from happening?

I want to either remove the "Allow unauthenticated" status after deploying, or avoid deploying like that in the first place.

Note: This is for Gen 2 Firebase Functions. I can't find anything applicable to that. With Gen 1 all I have to do is remove "allUsers" role but Gen 2 functions do not have that role and they are still marked as "Allow unauthenticated".


Solution

  • The Firebase CLI can't do it. The default is to allow access because most Firebase developers use Cloud Functions to deploy web APIs that should be accessible publicly as part of their applications.

    You can use gcloud to modify the permissions after deployment. The documentation covers adding permissions, with specific instructions for 2nd gen functions. You can remove the permission by using remove-iam-policy-binding instead of add-iam-policy-binding.

    gcloud run services remove-iam-policy-binding FUNCTION_NAME \
      --member="allUsers" \
      --role="roles/run.invoker"
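
A post-deploy check built around the command above, added here as an example and not part of the original answer: it removes the `allUsers` invoker binding only if it is present, then re-reads the policy and fails if the service is still public. The function names, the script name and the service and region arguments are assumptions for illustration; `gcloud` is assumed to be installed and authenticated.

```shell
#!/bin/sh
# Added example: make the Cloud Run service behind a Gen 2 function private
# and verify the result, so a deploy pipeline can fail on a public endpoint.
# Arguments are placeholders: $1 = service name, $2 = region.

ROLE="roles/run.invoker"
MEMBER="allUsers"

# Prints "allUsers" if the public invoker binding exists, nothing otherwise.
public_invoker() {
  gcloud run services get-iam-policy "$1" --region "$2" \
    --flatten="bindings[].members" \
    --filter="bindings.role:${ROLE} AND bindings.members:${MEMBER}" \
    --format="value(bindings.members)"
}

# Returns 0 if the service ends up private, 1 if it is still public,
# 2 if the removal command itself failed (for example, missing permissions).
lock_down() {
  if [ -n "$(public_invoker "$1" "$2")" ]; then
    gcloud run services remove-iam-policy-binding "$1" --region "$2" \
      --member="$MEMBER" --role="$ROLE" >/dev/null || return 2
  fi
  # Re-read the policy instead of trusting the exit code of the removal.
  if [ -n "$(public_invoker "$1" "$2")" ]; then
    echo "FAIL: $1 still allows unauthenticated invocations" >&2
    return 1
  fi
  echo "OK: $1 requires authentication"
}

# Runs only when called with arguments, for example right after
# `firebase deploy --only functions`:
#   ./lock_down.sh SERVICE_NAME REGION
if [ "$#" -ge 2 ]; then
  lock_down "$1" "$2"
fi
```

Because the Firebase CLI deploys with public access by default, the check has to run after every `firebase deploy`, not once.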