未使用私有访问权限创建的Google Cloud Function [英] Google Cloud Function not created with Private access
问题描述
我正在使用我的python脚本创建Google Cloud HTTP Function,如下所示:
I'm creating Google Cloud HTTP Function using my python script as follows:
gcloud beta函数部署"+ function_name +" --runtime go111 --trigger-http-内存128 --region"+ cloud_region +" --source"+ function_path +" --service-account"+ my_service_account
gcloud beta functions deploy " + function_name + " --runtime go111 --trigger-http --memory 128 --region " + cloud_region + " --source " + function_path + " --service-account " + my_service_account
允许未经授权的新功能调用 [ExecuteFunctionTest]? (是/否)? N
Allow unauthenticated invocations of new function [ExecuteFunctionTest]? (y/N)? N
警告:使用默认IAM策略创建的函数.启用 未经授权的访问请考虑"gcloud alpha功能 add-iam-policy-binding function_name --region = us-central1 --member = allUsers --role = roles/cloudfunctions.invoker"
WARNING: Function created with default IAM policy. To enable unauthorized access consider "gcloud alpha functions add-iam-policy-binding function_name --region=us-central1 --member=allUsers --role=roles/cloudfunctions.invoker"
那么当我这样做的时候:
Then when I do:
gcloud beta函数get-iam-policy function_name
gcloud beta functions get-iam-policy function_name
我得到以下输出:
bindings:
- members:
- allUsers
role: roles/cloudfunctions.invoker
etag: BwWOGyVdpDg=
version: 1
为什么"allUsers"是这里的成员?
Why is 'allUsers' a member here?
文档 https://cloud.google.com/functions/docs/securing /authenticating 和 https://cloud.google.com/functions /docs/securing/managing-access 表示:
所有云功能都是私有部署的,这意味着 不提供身份验证就无法访问它们 请求中的凭据.
all Cloud Functions are deployed privately, which means that they can't be accessed without providing authentication credentials in the request.
默认情况下,HTTP函数只能由项目所有者调用, 编辑,以及Cloud Functions管理员和开发人员.
By default, HTTP Functions are only callable by project owners, editors, and Cloud Functions Admins and Developers.
但是我可以使用简单的curl命令或Postman客户端访问Cloud Function URL,而无需来自项目外部的任何凭据.
But I'm able to access the Cloud Function URL using a simple curl command or Postman client without any credentials from outside the project.
是什么原因导致Cloud Function具有"allUsers"成员并可以公开访问?
What could be causing the Cloud Function to have the 'allUsers' member and be Publicly accessible?
推荐答案
您可以使用下一条命令设置访问权限
You can set access with the next command
https://cloud.google .com/sdk/gcloud/reference/alpha/functions/add-iam-policy-binding
并删除下一个的所有用户
and remove allUsers with the next one
https://cloud.google .com/sdk/gcloud/reference/alpha/functions/remove-iam-policy-binding
示例: gcloud alpha函数add-iam-policy-binding function_name --region = us-central1 --member = user:your.email@gmail.com --role = roles/cloudfunctions.invoker
example: gcloud alpha functions add-iam-policy-binding function_name --region=us-central1 --member=user:your.email@gmail.com --role=roles/cloudfunctions.invoker
gcloud alpha函数remove-iam-policy-binding function_name --region = us-central1 --member = allUsers --role = roles/cloudfunctions.invoker
gcloud alpha functions remove-iam-policy-binding function_name --region=us-central1 --member=allUsers --role=roles/cloudfunctions.invoker
这篇关于未使用私有访问权限创建的Google Cloud Function的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!