GCP-无法通过身份验证来调用Google Cloud功能 [英] GCP - Unable to authenticate myself to invoke Google Cloud function

问题描述

我有一个名为rad_format_text_v0的云函数.我(andy@onehot.io)有权调用它，如下所示:

I have a cloud function named rad_format_text_v0. I (andy@onehot.io) have permission to invoke it, shown here:

$ gcloud beta functions get-iam-policy rad_format_text_v0
bindings:
- members:
  - allAuthenticatedUsers
  - user:andy@onehot.io
  role: roles/cloudfunctions.invoker
etag: BwWOSfjYxp0=
version: 1

我可以使用gcloud functions call ...

$ gcloud auth list
           Credentialed Accounts
ACTIVE             ACCOUNT
*                  andy@onehot.io

$ gcloud functions call rad_format_text_v0 --data "$(< test.json)"
executionId: 2wm7nrgc0vjo
result: |
  ["REDACTED successful result"]

但是，当我尝试使用另一个HTTP客户端(例如curl)时，即使我传递了身份验证令牌，该客户端也会失败...

However, when I try another HTTP client like curl, it fails even though I'm passing an auth token...

$ curl -i -X POST "https://us-central1-onehot-autocoder.cloudfunctions.net/rad_format_text_v0" -H "Content-Type:application/json" -H "Authorization: bearer $(gcloud auth application-default print-access-token)" --data @test.json
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer error="invalid_token" error_description="The access token could not be verified"
Date: Mon, 22 Jul 2019 19:46:59 GMT
Content-Type: text/html; charset=UTF-8
Server: Google Frontend
Content-Length: 312
Alt-Svc: quic=":443"; ma=2592000; v="46,43,39"

<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>401 Unauthorized</title>
</head>
<body text=#000000 bgcolor=#ffffff>
<h1>Error: Unauthorized</h1>
<h2>Your client does not have permission to the requested URL <code>/rad_format_text_v0</code>.</h2>
<h2></h2>
</body></html>

我完全按照文档中的说明进行操作.我不知道为什么我的令牌不起作用.

I did exactly as explained in the documentation. I have no idea why my token is not working.

推荐答案

您正在使用gcloud auth application-default print-access-token来获取令牌，并且共享的文档指定您应改为使用gcloud auth print-identity-token命令.

You are using the gcloud auth application-default print-access-token to get the token and the documentation you shared specify that you should use the gcloud auth print-identity-token command instead.

我对其进行了测试，发现无法将print-identity-token用于我的用户帐户.相反，我必须创建一个新的服务帐户并激活它.然后在curl命令中，像下面的示例一样指定服务帐户:

I tested it and I found that I was not able to use the print-identity-token for my user account. Instead I had to create a new service account and activate it. Then in the curl command, I specified the service account like in the example below:

curl -i https://[REGION]-[PROJECT_ID].cloudfunctions.net/[FUNCTION_NAME] -H "Authorization: bearer $(gcloud auth print-identity-token [SERVICE_ACCOUNT] )"

显然，Google Cloud SDK在版本254上的gcloud auth print-identity-token命令有问题，您也可以尝试使用以下命令将其降级:

Apparently the Google Cloud SDK has an issue with the gcloud auth print-identity-token command on version 254, you could also try to downgrade it with the following command:

gcloud components update --version 249.0.0

这篇关于GCP-无法通过身份验证来调用Google Cloud功能的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！