授予GCP云功能(CF)以便只能从另一个CF调用的正确权限是什么? [英] What is the correct Permission to give GCP Cloud Function (CF) so that it's callable ONLY from another CF?

问题描述

我需要一个云功能(CF)来调用另一个受保护的CF.受保护，意味着只能由其他CF调用，不能从Internet调用.

I need one cloud function (CF) to invoke another CF that is protected. Protected meaning it can only be invoked by other CFs but not from Internet.

受保护的CF: 创建此文件时，我禁用了允许未经身份验证的调用". 现在，我需要赋予此功能正确的角色和权限，以便可以从其他CF对其进行访问.

Protected CF: I disabled the "Allow unauthenticated invocations" when creating this. I now need to give this function the correct Role and Permission so that it can be accessed from other CFs.

我尝试了几乎所有选项，但不断从调用方获取403.

I have tried almost all options but keep getting 403 from the invoker.

有什么想法吗?谢谢！

Any ideas? Thanks!

推荐答案

您可以通过将Cloud Functions Invoker角色授予调用函数身份来指定接收函数接受其他函数的请求. 此处.

You can specify that a receiving function accepts requests from other functions by granting the Cloud Functions Invoker role to the calling function identity. More info on this here.

Cloud Functions在特定身份下运行，具体身份由其运行的服务帐户指定.默认情况下，此服务帐户与App Engine PROJECT_ID@appspot.gserviceaccount.com的帐户相同.因此，通过将调用者角色分配给该服务帐户，您将允许所有其他函数调用此函数.您可能希望为每个功能分配一个不同的身份/服务帐户，以更精细的方式指定访问权限. 此处.

Cloud Functions run under a specific identity, given by the service account they run under. By default, this service account is the same as for App Engine, PROJECT_ID@appspot.gserviceaccount.com. So by giving the invoker role to this service account, you'll allow all your other functions to call this function. You may want to give a different identity/service account to each of your functions to specify access permissions in a more granular way. More info on this here.

这篇关于授予GCP云功能(CF)以便只能从另一个CF调用的正确权限是什么?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！