如何使用身份验证从Cloud Scheduler调用Cloud Function [英] How to invoke Cloud Function from Cloud Scheduler with Authentication
问题描述
我到处都看过,似乎人们要么使用pubsub,应用程序引擎http或没有身份验证的http.那里没有太多人显示出他们的工作,通过带有oidc令牌的身份验证来访问Google功能的功能.
I've looked everywhere and it seems people either use pubsub, app engine http or http with no auth. Not too many people out there showing their work for accessing functions via authentication w/ oidc tokens to access google functions.
我签出了:无法从GCP Scheduler调用Google Cloud Function ,但似乎没有任何作用.
I checked out: Cannot invoke Google Cloud Function from GCP Scheduler but nothing seemed to work.
我遵循的文档: https://cloud.google.com/scheduler/docs/http-target-auth#using-gcloud_1
- 创建了一个新的服务帐户
- 设置角色(Cloud Scheduler Service代理/Cloud Functions Service代理/Cloud Scheduler Admin/Cloud Functions Invoke ...甚至尝试过 所有者!)
- 已部署的google函数,不允许公共(未经身份验证)访问(简单的helloworld函数) 使用此配置,针对新部署的功能在云调度程序上设置
- cron作业,每分钟运行一次:
- url = helloworld函数
- oidc令牌
- 新创建的服务帐户
- 受众群体设置为hello world function url
- created a new service account
- set roles (Cloud scheduler service agent/Cloud functions service agent/Cloud scheduler admin/cloud functions invoker...even tried owner!)
- deployed google function that doesn't allow public (unauthenticated) access (a simple helloworld function)
- setup cron job on cloud scheduler to run every minute against the new deployed function with this configuration:
- url = helloworld function
- oidc-token
- newly created service account
- audience set to hello world function url
关于云调度程序日志的结果:
outcome on cloud scheduler logs:
Expand all | Collapse all{
httpRequest: {
}
insertId: "ibboa4fg7l1s9"
jsonPayload: {
@type: "type.googleapis.com/google.cloud.scheduler.logging.AttemptFinished"
jobName: "projects/project/locations/region/jobs/tester"
status: "PERMISSION_DENIED"
targetType: "HTTP"
url: "https://region-project.cloudfunctions.net/tester"
}
logName: "projects/project/logs/cloudscheduler.googleapis.com%2Fexecutions"
receiveTimestamp: "2020-04-15T17:50:14.287689800Z"
resource: {…}
severity: "ERROR"
timestamp: "2020-04-15T17:50:14.287689800Z"
我看到了一个解决方案,该解决方案显示有人创建一个新项目来使它起作用,还有其他人吗?
I saw one solution that showed someone creating a new project to get to this to work, are there any others??
感谢提供的任何帮助.
更新
新的Google Function-在中央运行(与我的应用引擎应用相同)
实际修复
如果您缺少cloudscheduler服务帐户(例如: service-1231231231412@gcp-sa-cloudscheduler.iam.gserviceaccount.com) Http身份验证任务将无法正常工作. 为了解决这个问题,我不得不禁用api和renable,这给了我服务帐号, 我没有使用此服务帐户,但这是我执行此操作后唯一的更改因素.
If you're missing the cloudscheduler service account (ex: service-1231231231412@gcp-sa-cloudscheduler.iam.gserviceaccount.com) Http auth tasks wont work. To fix, I had to disable api and renable and it gave me the service account, I didnt use this service account but, that was the only changing factor after I did this to make it work.
推荐答案
1.我创建了一个Clod函数(与我的App Engine应用程序位于同一区域),该函数不允许公共访问
1.I created a clod function (in the same region as my App Engine Application), which does not allow public access
2.我创建了一个具有所有者角色的服务帐户
2.I created a service account with Owner role
3.我创建了云调度程序作业:
3.I created the cloud scheduler job:
url = https://europe-west2-my-project.cloudfunctions .net/my-function
oidc令牌
新创建的服务帐户
观众= https://europe-west2-my-project.cloudfunctions .net/my-function
一切正常.请仔细检查您的设置,因为它可以正常工作.
Everything worked as expected. Please double check your set up because it should work.
这篇关于如何使用身份验证从Cloud Scheduler调用Cloud Function的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
