谷歌云功能权限问题 [英] Google cloud function permission problems

问题描述

我在GCP中有两个项目，比如说项目A和B.项目A是新创建的，项目B有两年的历史.当我在项目A中创建云功能时，它是使用默认服务帐户(project @ appspot ...)创建的.但是，当我在项目B上创建云功能时，将使用一个不存在的服务帐户.我知道它不存在，因为它没有出现在IAM中.

I have two projects in GCP, let’s say project A and B. Project A is newly created, and project B is two years old. When I create a cloud function in project A, it’s created with the default services account (project@appspot…). However, when I create a cloud function on project B, a non existing service account is used. I know it doesn’t exist because it doesn’t appear on the IAM.

在项目A中创建的云功能可以访问数据存储，但是，项目B中相同的云功能无法访问数据存储.

In the project A the cloud function created can access the datastore, however, the same cloud function in the project B isn’t able to access the datastore.

所以，我的问题是:

1. 我怎么知道云功能将使用哪个Google Services帐户?

1. How can I know which google services account will be used by a cloud function?

是否可以通过项目B将使用的服务帐户更改为具有访问数据存储区的云功能?

Is there a way to change the used service account by project B to have a cloud function that access the datastore?

我尝试为云功能授予适当的权限，但是只要在项目B中，它就不起作用.我在这里想念什么?

I have tried to give the appropriate permissions to the cloud function, but as long as is in project B it doesn’t work. What am I missing here?

推荐答案

似乎在项目B中需要检查两个不同的帐户.

It seems like there are two different accounts you need to check for in Project B.

首先使用Google API服务帐户.您应该确保它存在并且它具有正确的凭据才能正确使用Cloud Functions.以下是GCP文档中的文档:

First the Google APIs service account. You should make sure it exists and that it has the correct credentials to properly work with Cloud Functions. Below is the documentation from the GCP docs:

对于在创建过程中对项目进行的管理操作，Cloud Functions服务使用的功能的更新或删除Google API服务帐户PROJECT_NUMBER@cloudservices.gserviceaccount.com.默认情况下，服务帐户在您的项目中具有编辑者角色.建立，如果您减少此帐户的数量，则更新和删除功能可能会失败权限.

For administrative actions on your project during the creation, updating, or deletion of functions, the Cloud Functions service uses the Google APIs service account PROJECT_NUMBER@cloudservices.gserviceaccount.com. By default, this service account has the Editor role on your project. Creating, updating, and deleting functions may fail if you reduce this account's permissions.

接下来是运行时服务帐户.根据您所描述的问题，这可能是真正的问题.同样，这里是解释它的文档:

Next is the runtime service account. From the issues you are describing this might be the real issue. Again, here is the documentation explaining it:

在运行时，Cloud Functions使用服务帐户PROJECT_ID@appspot.gserviceaccount.com，其上具有编辑者角色该项目.您可以更改此服务帐户的角色以限制或扩展正在运行的功能的权限.

At runtime, Cloud Functions uses the service account PROJECT_ID@appspot.gserviceaccount.com, which has the Editor role on the project. You can change the roles of this service account to limit or extend the permissions for your running functions.

这篇关于谷歌云功能权限问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！