Troubleshooting adding new principal "allUsers" to Cloud Function Invoker

I created a cloud function but when I trigger the HTTPs I get:

Your client does not have permission to get URL```


I want the function to be executable by anyone and so I try to add a new principal “allUsers” and Cloud function Invoker but the error I get:


```IAM policy update failed
Invalid state 'projects/xxx': The operation failed with precondition error. This is usually because the system is not in a state required for the operation's execution

Request ID: 1403035282898553420```


Any idea?
Thanks

It’s a little brittle b/c Terraform will destroy and re-create the resource but this is what my HCL code looks like to do that

Thanks for getting back. Where do I place that piece of code? Sorry but I’m using chatgpt to get this working - that’s how low my level is…

That’s for terraform. I’d checkout the TF docs for that resource https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_service_iam. Also this related resource has some good links on it https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_service

I think the salient point is that for a gen2 cloud function, you may need to use Cloud Run Invoker vs Cloud Function Invoker, probably because gen2 CFs sit on top of Cloud Run.

aha. I’m newish to GCP so I just skipped straight to the newest gen and didn’t even make a mental note of there being another version

any idea why I don’t see Cloud Run Invoker?

https://cloud.google.com/iam/docs/understanding-roles#run.invoker

I found it but still error :disappointed:

you’ll have to do what the error message says to resolve