Is there a way to create firewall rules for my Google Cloud Functions HTTP endpoints?


Problem description

Just wanted to check if this is on the roadmap or already available and I have just missed it. While building my Functions for an important project, I want to apply some firewall rules to limit network access for some of my Google Cloud Functions (HTTP endpoint triggers), for reasons that are manifold (security, avoiding a high bill if a sudden surge of spammy requests hits them, etc.).

Is this available or in the pipeline? If not, how would you limit access to a particular function so that it only allows a few Google Compute Engine instances, other GCFs, and other Google Cloud services (Firestore, Storage, Pub/Sub)?

Recommended answer

More than firewall rules, what you should be looking at is authenticating your requests to your Cloud Functions with access tokens.

Here is a good example of how to do it.

Basically you will be creating an HTTP-triggered Cloud Function.

First create a bucket; mine is called auth-123. Then drop into a Cloud Shell and define the project name and the bucket as environment variables:

jordim@yrmv-191108:~$ export BUCKET=auth-123
jordim@yrmv-191108:~$ export PROJECT=yrmv-191108

Create a couple of service accounts:

jordim@yrmv-191108:~$ gcloud iam service-accounts create alpha-account --display-name "Account 1"
jordim@yrmv-191108:~$ gcloud iam service-accounts create beta-account --display-name "Account 2"
Created service account [beta-account].

Now to create the function! In a folder on your Cloud Shell, first create a package.json with the dependencies:

jordim@yrmv-191108:~/cloudfunction$ cat > package.json
{
  "dependencies": {
    "googleapis": "21.2"
  }
}

Now the function itself:

const Google = require('googleapis'); // googleapis 21.x: exposes Google.auth and Google.storage
const BUCKET = 'auth-123'; // Replace with the name of your bucket

/**
 * HTTP-triggered Cloud Function.
 * Authorizes the caller by checking that the bearer token it presents
 * belongs to a principal that holds `permission` on BUCKET.
 *
 * @param {Object} req Cloud Function request context.
 * @param {Object} res Cloud Function response context.
 */
exports.secureFunction = function secureFunction(req, res) {
    var accessToken = getAccessToken(req.get('Authorization'));
    var oauth = new Google.auth.OAuth2();
    oauth.setCredentials({access_token: accessToken});

    var permission = 'storage.buckets.get';
    var gcs = Google.storage('v1');
    // Ask GCS which of the listed permissions the token's principal has on the bucket.
    gcs.buckets.testIamPermissions(
        {bucket: BUCKET, permissions: [permission], auth: oauth}, {},
        function (err, response) {
            // On any error (missing/invalid token, API failure) `response` is empty,
            // so the request falls through to the 403 branch.
            if (response && response['permissions'] && response['permissions'].includes(permission)) {
                authorized(res);
            } else {
                res.status(403).send("The request is forbidden.");
            }
        });
};

function authorized(res) {
    res.send("The request was successfully authorized.");
    // The code to execute goes here! :)
}

function getAccessToken(header) {
    // Expect an "Authorization: Bearer <token>" header and return the token part.
    if (header) {
        var match = header.match(/^Bearer\s+([^\s]+)$/);
        if (match) {
            return match[1];
        }
    }
    return null;
}

In this case we are checking that the account launching the request has the permission storage.buckets.get, but it can be changed to any other just by changing the variable permission.

Then deploy the function:

jordim@yrmv-191108:~/cloudfunction$ gcloud beta functions deploy secureFunction --stage-bucket $BUCKET --trigger-http

Now you have a Cloud Function that only triggers its content if it receives a request from an authorized account. Let's make tokens for the accounts we created before:

jordim@yrmv-191108:~/cloudfunction$ gcloud iam service-accounts keys create --iam-account alpha-account@$PROJECT.iam.gserviceaccount.com ./alpha-account.json
jordim@yrmv-191108:~/cloudfunction$ export ALPHA_ACCOUNT_TOKEN=$(GOOGLE_APPLICATION_CREDENTIALS=./alpha-account.json gcloud auth application-default print-access-token)

jordim@yrmv-191108:~/cloudfunction$ gcloud iam service-accounts keys create --iam-account beta-account@$PROJECT.iam.gserviceaccount.com ./beta-account.json
created key [4a9251d7611e74da8b4565657b52b7c940606630] of type [json] as [./beta-account.json] for [beta-account@yrmv-191108.iam.gserviceaccount.com]
jordim@yrmv-191108:~/cloudfunction$ export BETA_ACCOUNT_TOKEN=$(GOOGLE_APPLICATION_CREDENTIALS=./beta-account.json gcloud auth application-default print-access-token)

We now have the auth tokens in JSON files and have also exported them as env vars for easy testing. Let's give the permission to the ALPHA user and not to the BETA user:

jordim@yrmv-191108:~/cloudfunction$ gsutil acl ch -u alpha-account@$PROJECT.iam.gserviceaccount.com:R gs://auth-123

Now to test:

jordim@yrmv-191108:~/cloudfunction$ curl https://us-central1-yrmv-191108.cloudfunctions.net/secureFunction -H "Authorization: Bearer $ALPHA_ACCOUNT_TOKEN"
The request was successfully authorized.

jordim@yrmv-191108:~/cloudfunction$ curl https://us-central1-yrmv-191108.cloudfunctions.net/secureFunction -H "Authorization: Bearer $BETA_ACCOUNT_TOKEN"
The request is forbidden

You can apply this logic to any of your Cloud Functions, and unless the request comes with a valid token in its header, the amount of resources used to reject it is minimal.
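As an added example (editor's code, not part of the answer above): the same bearer-token check, restructured so the authorization decision is a plain function that can be exercised offline. It parses the Authorization header strictly (case-insensitive scheme, single token68 value), fails closed when the permission lookup throws instead of silently treating the error as "no permissions", requires every listed permission rather than just one, keeps the denial reason in the function log rather than in the 403 body, and takes the permission lookup as a parameter so the policy can be unit-tested against a constructed in-memory backend. The makeGcsPermissionChecker wiring assumes the current googleapis client shape (google.storage({version, auth}).buckets.testIamPermissions resolving to data.permissions) and is not called in the offline run; the names authorize, secureHandler, makeFakePermissionChecker and the token table are this example's own.

```javascript
// Added example: bearer-token authorization for an HTTP Cloud Function,
// restructured so the decision logic can be tested offline.
// Assumption: makeGcsPermissionChecker() follows the current googleapis
// client API; it is the only part that talks to Google and is not run here.

// Strictly parse an Authorization header and return the bearer token, or
// null. The scheme is case-insensitive (RFC 7235); the credential must be a
// single token68 value (RFC 6750), so "Bearer a b" and "Basic ..." are rejected.
function getAccessToken(header) {
  if (typeof header !== 'string') return null;
  const match = header.match(/^Bearer\s+([A-Za-z0-9\-._~+\/]+=*)\s*$/i);
  return match ? match[1] : null;
}

// Decide whether the caller may proceed. checkPermissions(token, perms)
// resolves to the subset of perms that the token's principal holds (the
// shape returned by storage.buckets.testIamPermissions). Any throw is a deny.
async function authorize(authHeader, requiredPermissions, checkPermissions) {
  const token = getAccessToken(authHeader);
  if (token === null) {
    return { ok: false, reason: 'missing or malformed bearer token' };
  }
  let granted;
  try {
    granted = await checkPermissions(token, requiredPermissions);
  } catch (err) {
    // Invalid token, network failure, quota: fail closed, never open.
    return { ok: false, reason: 'permission check failed: ' + err.message };
  }
  const held = new Set(Array.isArray(granted) ? granted : []);
  const missing = requiredPermissions.filter((p) => !held.has(p));
  if (missing.length > 0) {
    return { ok: false, reason: 'missing permission(s): ' + missing.join(', ') };
  }
  return { ok: true, reason: 'authorized' };
}

// Wrap a protected handler the same way the original function does:
// fixed 403 body on deny, the real work only runs on allow.
function secureHandler(requiredPermissions, checkPermissions, protectedFn) {
  return async function (req, res) {
    const decision = await authorize(
      req.get('Authorization'), requiredPermissions, checkPermissions);
    if (!decision.ok) {
      // Log the reason server-side; do not reveal it to the caller.
      console.error('denied:', decision.reason);
      return res.status(403).send('The request is forbidden.');
    }
    return protectedFn(req, res);
  };
}

// Real backend, assumed googleapis API shape (not exercised offline).
function makeGcsPermissionChecker(bucket) {
  return async function (accessToken, permissions) {
    const { google } = require('googleapis');
    const auth = new google.auth.OAuth2();
    auth.setCredentials({ access_token: accessToken });
    const storage = google.storage({ version: 'v1', auth });
    const resp = await storage.buckets.testIamPermissions({ bucket, permissions });
    return (resp.data && resp.data.permissions) || [];
  };
}

// Constructed in-memory backend for offline tests: token -> permissions held.
// Unknown tokens throw, mirroring an IAM call that fails on a bad credential.
function makeFakePermissionChecker(table) {
  return async function (accessToken, permissions) {
    if (!Object.prototype.hasOwnProperty.call(table, accessToken)) {
      throw new Error('invalid token');
    }
    return permissions.filter((p) => table[accessToken].includes(p));
  };
}

// Example wiring for a deployed function (uncomment to use the real backend):
// exports.secureFunction = secureHandler(
//   ['storage.buckets.get'], makeGcsPermissionChecker('auth-123'),
//   (req, res) => res.send('The request was successfully authorized.'));
```

The fake table and the real GCS checker share one contract (token and list of permissions in, subset actually held out), so the same secureHandler is exported as the Cloud Function with the real checker and unit-tested with the fake one. Keeping the 403 body fixed and the reason in the log means a probing caller learns nothing about which permission it lacks or whether its token was even parsed.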
