如何正确获取在AppEngine上运行的NodeJS中的云函数令牌? [英] How to CORRECTLY get token for Cloud Functions in NodeJS running on AppEngine?

问题描述

我在获取用于触发云功能的正确令牌时遇到问题.

I am having problems getting the correct token for triggering my cloud function.

通过POSTMAN测试时，我通过运行以下命令获取令牌:

When testing through POSTMAN I get the token by running the following command:

gcloud auth print-identity-token

我的功能正常工作.

但是在我的服务器上，我正在使用以下代码.我也确实看到了令牌，但使用此令牌获得了401.

But on my server I am using the following code. I also do see the token but I get 401 with this token.

// Constants------------
const metadataServerTokenURL = 'http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=';

async function gToken(){
  let token='';
  try{
      // Fetch the token
      const tokenResponse = await fetch(metadataServerTokenURL + 'https://'+process.env.CLOUD_URL, { //URL WITHOUT THE PATH
        headers: {
          'Metadata-Flavor': 'Google',
        },
      });
     token = await tokenResponse.text();
  } catch (err){
    console.log(err);
  }
  return token;
}

---------编辑-------

调用函数:

app.get("/",  async function(req , res){
  try {
    const token = await getToken();
    console.log(`Token: ${token}`);
    const functionResponse = await fetch('https://'+process.env.CLOUD_URL+process.env.PATH_TO_FUNC, {
      method: 'post',
      headers: {
        'Content-Type': 'application/json',
        Authorization: `Bearer ${token}`},
      });
    console.log(`Status: ${await functionResponse.status}`);
    res.sendStatus(200);
  } catch (err){
    console.log(err);
    res.status(400).send('Something went wrong')
  }
})

我的服务器是我在AppEngine上运行的NodeJS代码.请问我在做什么错?

My server is my NodeJS code running on AppEngine. What am I doing wrong please?

----------编辑2 -------------- 我使用两种不同的方式输入了收到的两个令牌，由于某种原因它们显示了不同的信息.请看下面:来自服务器的令牌

----------EDIT 2-------------- I entered the two tokens received using two different ways, they show different information for some reason. Please see below:: Token from the server

在本地使用gcloud命令的令牌(有效)::

Token using gcloud command locally (which works)::

服务器代码和云功能都托管在同一区域中，并且属于同一项目.

Server code and cloud functions are both hosted in the same region, and are a part of the same project.

process.env.CLOUD_URL>"e ****-*** 2-c ******-e ****** 2.cloudfunctions.net"

推荐答案

评论中提到的@Charles和@John是正确的.您应该在受众群体中包括接收函数的名称:

What @Charles and @John mentioned in the comment is correct. You should include the name of the receiving function in the audience:

如 docs 中所述:

在调用功能中，您需要创建一个Google签名的OAuth ID令牌，并将听众(aud)设置为接收功能的网址.

const metadataServerTokenURL = 'http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=';
...

// Fetch the token
const tokenResponse = await fetch(metadataServerTokenURL + `https://${process.env.CLOUD_URL}/${FUNCTION_NAME}`, {
  headers: {
    'Metadata-Flavor': 'Google',
  }

受众应该看起来像您的HTTP触发URL.如果您解码JWT ID令牌，则 aud 如下所示:

The audience should look like your HTTP trigger URL. If you decode your JWT ID token, aud looks like this:

{
  "aud": "https://[REGION]-[PROJECT_ID].cloudfunctions.net/func-post",
  "azp": "117513711437850867551",
  "exp": 1614653346,
  "iat": 1614649746,
  "iss": "https://accounts.google.com",
  "sub": "117513711437850867551"
}

这篇关于如何正确获取在AppEngine上运行的NodeJS中的云函数令牌?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！