面对使用oidcToken从云任务调用云功能的挑战 [英] Facing challenge to invoke cloud Function from cloud task using oidcToken
问题描述
我面临使用 oidcToken 从云任务调用云功能的挑战.
I am facing challenge to invoke cloud Function from cloud task using oidcToken.
以下是我的IAM&代码:
Here are details of my IAM & Code:
const { CloudTasksClient } = require('@google-cloud/tasks');
const client = new CloudTasksClient();
//See https://cloud.google.com/tasks/docs/tutorial-gcf
module.exports = async (payload, scheduleTimeInSec) => {
const project = process.env.GOOGLE_APPLICATION_PROJECTID;
const queue = process.env.QUEUE_NAME;
const location = process.env.QUEUE_LOCATION;
const callBackUrl = https://asia-south2-trial-288318.cloudfunctions.net/cloud-function-node-expres/;
// Construct the fully qualified queue name.
const parent = client.queuePath(project, location, queue);
const body = Buffer.from(JSON.stringify(payload)).toString('base64');
const task = {
httpRequest: {
httpMethod: 'POST',
url: callBackUrl,
headers: { 'Content-Type': 'application/json' },
body
},
scheduleTime: {
seconds: scheduleTimeInSec,
}
};
if (process.env.GOOGLE_APPLICATION_SERVICE_ACCOUNT_EMAIL) {
task.httpRequest.oidcToken = {
serviceAccountEmail: process.env.GOOGLE_APPLICATION_SERVICE_ACCOUNT_EMAIL
}
}
const request = {
parent: parent,
task: task,
};
// Send create task request.
try {
let [responses] = await client.createTask(request);
return ({ sts: true, taskName: responses.name, msg: "Email Schedule Task Created" })
}
catch (e) {
return ({ sts: true, err: true, errInfo: e, msg: "Unable to Schedule Task. Internal Error." })
}
}
process.env.GOOGLE_APPLICATION_SERVICE_ACCOUNT_EMAIL具有 Cloud Functions Invoker 角色,并且Cloud Function具有 allAuthenticatedUsers 成员,且具有 Cloud Functions Invoker 角色文档.
The process.env.GOOGLE_APPLICATION_SERVICE_ACCOUNT_EMAIL has Cloud Functions Invoker role and the Cloud Function has allAuthenticatedUsers member with role Cloud Functions Invoker as per the doc.
但是我仍然看到Cloud Task取消了401处置,并且Cloud Function没有被调用(见下图):
But still I am seeing the 401 resposnse recevied by Cloud Task and Cloud Function is not getting called(See below image):
对此有何评论,这里出了什么问题
Any comment on this, whats going wrong here
推荐答案
这似乎与您在Firebase中创建功能(从URL猜测)有关.似乎是云功能调用程序"不足以用于Firebase功能.我已经从Firebase在HelloWorld函数上复制了类似的行为.该错误是differentnet(403),但我希望它可以帮助您以相同的方式进行故障排除.
This seems to be related that you have created the function in Firebase (guessing from the url). Seems the "Cloud Functions Invoker" is not enough for Firebase functions. I have replicated similar behavior on HelloWorld function from Firebase. The error is differnet (403) but I hope it will help you to troubleshoot the same way.
在Firebase中创建helloWorld之后,我在以下步骤中使用glcoud
命令对其进行了测试:
After creation helloWorld in Firebase I tested it with glcoud
command in following steps:
- 创建具有角色"Cloud Functions Invoker"的服务帐户;或使用退出的
- 下载帐户的JSON密钥.
- 更改
gcloud
以充当服务帐户:
- Create service acount with role "Cloud Functions Invoker" or use exiting one
- Download key for the account in JSON.
- Change
gcloud
to act as service account:
gcloud auth activate-service-account <service-account@email> --key-file=<key-form-step-2.json>
-
gcloud functions call helloWorld
由于上一个操作的结果,我收到此错误:
As the result of last action I got this error:
ERROR: (gcloud.functions.call) ResponseError: status=[403], code=[Forbidden], message=[Permission 'cloudfunctions.functions.call' denied on resource 'projects/functions-asia-test-vitooh/locations/us-central1/functions/helloWorld' (or reso
urce may not exist).]
因此,我在IAM中创建了自定义角色: Cloud Functions Invoker + Firebase 从错误消息cloudfunctions.functions.call
添加权限.
So I created custom role in IAM: Cloud Functions Invoker + Firebase adding permission from the error massage cloudfunctions.functions.call
.
该功能开始使用相同的gcloud functions call
:
The function started to work with the same gcloud functions call
:
executionId: 3fgndpolu981
result: Hello from Firebase!
我认为它也会起作用.您可以尝试添加相同的权限.如果不起作用,请尝试相同的测试.
I think it will work as well. You can try add the same permission. If it wont work, try the same testing.
参考:
- gcloud auth command
- create custom role in Cloud IAM
- gcloud function call
这篇关于面对使用oidcToken从云任务调用云功能的挑战的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!