Invoke Function in Google Cloud Functions Causes a "403 Forbidden" Error
Workflows
Okta Classic Engine
Okta Identity Engine
Overview

When trying to run the Invoke Function action in the Google Cloud Functions connector, the following error is received:

 

 403 Forbidden

 

Here is more of what the full error may look like:

{
    "flo": "googlecloudfunctions:0.0.68:invokeFunction",
    "method": "ls9xa1zV4YrV",
    "execution": "b4599b1c-f3db-4729-a1ff-93e295e8faf9",
    "module": "control.spawn",
    "kind": "HTTP Request Error",
    "statusCode": 403,
    "headers": {
        "content-length": "305",
        "alt-svc": "h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"",
        "www-authenticate": "Bearer error="insufficient_scope"",
        "server": "Google Frontend",
        "content-type": "text/html; charset=UTF-8",
        "date": "Tue, 30 Jun 2020 14:24:43 GMT"
    },
    "body": "\n<html><head>\n<meta http-equiv="content-type" content="text/html;charset=utf-8">\n<title>403 Forbidden</title>\n</head>\n<body text=#000000 bgcolor=#ffffff>\n<h1>Error: Forbidden</h1>\n<h2>Your client does not have permission to get URL <code>/function-1</code> from this server.</h2>\n<h2></h2>\n</body></html>


The 403 error may also occur when attempting to create the Google Cloud Functions connection. Here is more of what the full error may look like, where {projectName} is the name of the GCP project:

{
    "error": {
        "code": 403,
        "message": "Permission 'cloudfunctions.locations.list' denied on resource 'projects/{projectName}' (or resource may not exist).",
        "status": "PERMISSION_DENIED"
    }
}

Applies To
  • Okta Workflows
  • Google Cloud Functions connector
Cause
The error is caused by insufficient permissions on either of the two accounts that the connector uses to invoke a function or create the connection.
Solution

Verify that the permissions in the GCP project meet the following minimums:

  1. The Google account that is used to connect Workflows to GCP (the one that is used to sign in from the Workflows connection creation screen):

    • Cloud Functions Viewer (provides cloudfunctions.locations.list permission needed to create the connection)

    • Service Account Token Creator

  2. GCP Project Cloud Function service account (can be found in the Edit menu for the function):

    • Cloud Functions Invoker
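
The check above can be run offline against an exported project IAM policy. The following is an added example, not part of the original article or the connector: it reads a policy in the JSON shape printed by `gcloud projects get-iam-policy <project> --format=json` and reports which of the listed roles each account lacks. The role IDs are the standard IDs for the role names above; the account names and sample policy are constructed, and only direct project-level bindings are checked, so grants made through groups, on individual resources, or through broader roles are not seen.

```python
import json

# IAM role IDs for the display names listed in the article.
REQUIRED = {
    "connecting": {"roles/cloudfunctions.viewer",            # Cloud Functions Viewer
                   "roles/iam.serviceAccountTokenCreator"},  # Service Account Token Creator
    "function_sa": {"roles/cloudfunctions.invoker"},         # Cloud Functions Invoker
}

def roles_for(policy, member):
    """Return (unconditional, conditional) sets of roles bound directly to member."""
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            (conditional if binding.get("condition") else granted).add(binding["role"])
    return granted, conditional

def missing_roles(policy, connecting, function_sa):
    """Map each account to the required roles it lacks an unconditional binding for."""
    report = {}
    for kind, member in (("connecting", connecting), ("function_sa", function_sa)):
        granted, conditional = roles_for(policy, member)
        gaps = {role: "conditional only" if role in conditional else "absent"
                for role in sorted(REQUIRED[kind] - granted)}
        if gaps:
            report[member] = gaps
    return report

# Constructed sample policy and account names (assumptions, not from the article).
USER = "user:workflows-admin@example.com"
FUNCTION_SA = "serviceAccount:function-1-sa@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""
{"version": 3, "bindings": [
  {"role": "roles/cloudfunctions.viewer", "members": ["user:workflows-admin@example.com"]},
  {"role": "roles/iam.serviceAccountTokenCreator",
   "members": ["user:workflows-admin@example.com"],
   "condition": {"title": "expires", "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
  {"role": "roles/logging.logWriter",
   "members": ["serviceAccount:function-1-sa@example-project.iam.gserviceaccount.com"]}
]}
""")

if __name__ == "__main__":
    print(json.dumps(missing_roles(SAMPLE_POLICY, USER, FUNCTION_SA), indent=2))
```

A role reported as "conditional only" is bound to the account but behind an IAM condition, so the condition expression needs review before treating the role as granted.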
