授予GCP云功能(CF)以便只能从另一个CF调用的正确权限是什么? [英] What is the correct Permission to give GCP Cloud Function (CF) so that it's callable ONLY from another CF?
问题描述
我需要一个云功能(CF)来调用另一个受保护的CF.受保护,意味着只能由其他CF调用,不能从Internet调用.
I need one cloud function (CF) to invoke another CF that is protected. Protected meaning it can only be invoked by other CFs but not from Internet.
受保护的CF: 创建此文件时,我禁用了允许未经身份验证的调用". 现在,我需要赋予此功能正确的角色和权限,以便可以从其他CF对其进行访问.
Protected CF: I disabled the "Allow unauthenticated invocations" when creating this. I now need to give this function the correct Role and Permission so that it can be accessed from other CFs.
我尝试了几乎所有选项,但不断从调用方获取403.
I have tried almost all options but keep getting 403 from the invoker.
有什么想法吗?谢谢!
Any ideas? Thanks!
推荐答案
您可以通过将Cloud Functions Invoker角色授予调用函数身份来指定接收函数接受其他函数的请求. 此处.
You can specify that a receiving function accepts requests from other functions by granting the Cloud Functions Invoker role to the calling function identity. More info on this here.
Cloud Functions在特定身份下运行,具体身份由其运行的服务帐户指定.默认情况下,此服务帐户与App Engine PROJECT_ID@appspot.gserviceaccount.com
的帐户相同.因此,通过将调用者角色分配给该服务帐户,您将允许所有其他函数调用此函数.您可能希望为每个功能分配一个不同的身份/服务帐户,以更精细的方式指定访问权限. 此处.
Cloud Functions run under a specific identity, given by the service account they run under. By default, this service account is the same as for App Engine, PROJECT_ID@appspot.gserviceaccount.com
. So by giving the invoker role to this service account, you'll allow all your other functions to call this function. You may want to give a different identity/service account to each of your functions to specify access permissions in a more granular way. More info on this here.
这篇关于授予GCP云功能(CF)以便只能从另一个CF调用的正确权限是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!