如何通过身份验证从 Cloud Scheduler 调用 Cloud Function [英] How to invoke Cloud Function from Cloud Scheduler with Authentication
问题描述
我到处寻找,似乎人们要么使用 pubsub、应用程序引擎 http 或没有身份验证的 http.没有太多人展示他们通过带有 oidc 令牌的身份验证访问功能以访问谷歌功能的工作.
I've looked everywhere and it seems people either use pubsub, app engine http or http with no auth. Not too many people out there showing their work for accessing functions via authentication w/ oidc tokens to access google functions.
我检查了:无法从 GCP 调度程序调用 Google Cloud Function 但似乎没有任何效果.
I checked out: Cannot invoke Google Cloud Function from GCP Scheduler but nothing seemed to work.
我遵循的文档:https://cloud.google.com/scheduler/docs/http-target-auth#using-gcloud_1
- 创建了一个新的服务帐号
- 设置角色(云调度服务代理/云功能服务代理/云调度管理员/云功能调用者...甚至尝试所有者!)
- 部署了不允许公共(未经身份验证)访问的谷歌函数(一个简单的 helloworld 函数)
- 在云调度程序上设置 cron 作业,使用以下配置针对新部署的函数每分钟运行一次:
- url = helloworld 函数
- oidc 令牌
- 新创建的服务帐号
- audience 设置为 hello world 函数 url
云调度程序日志的结果:
outcome on cloud scheduler logs:
Expand all | Collapse all{
httpRequest: {
}
insertId: "ibboa4fg7l1s9"
jsonPayload: {
@type: "type.googleapis.com/google.cloud.scheduler.logging.AttemptFinished"
jobName: "projects/project/locations/region/jobs/tester"
status: "PERMISSION_DENIED"
targetType: "HTTP"
url: "https://region-project.cloudfunctions.net/tester"
}
logName: "projects/project/logs/cloudscheduler.googleapis.com%2Fexecutions"
receiveTimestamp: "2020-04-15T17:50:14.287689800Z"
resource: {…}
severity: "ERROR"
timestamp: "2020-04-15T17:50:14.287689800Z"
我看到一个解决方案显示有人创建了一个新项目以使其工作,还有其他解决方案吗??
I saw one solution that showed someone creating a new project to get to this to work, are there any others??
感谢提供的任何帮助.
更新
新的 Google 函数 - 在中央运行(与我的应用引擎应用相同)
实际修复
如果您缺少 cloudscheduler 服务帐号(例如:service-1231231231412@gcp-sa-cloudscheduler.iam.gserviceaccount.com)Http auth 任务不起作用.要修复,我必须禁用 api 并重新启用它,它给了我服务帐户,我没有使用此服务帐户,但这是我这样做后唯一改变的因素.
If you're missing the cloudscheduler service account (ex: service-1231231231412@gcp-sa-cloudscheduler.iam.gserviceaccount.com) Http auth tasks wont work. To fix, I had to disable api and renable and it gave me the service account, I didnt use this service account but, that was the only changing factor after I did this to make it work.
推荐答案
这些是您必须采取的确切步骤.确保不要跳过第二步,它会设置服务帐户的调用者权限,以便调度程序能够使用该服务帐户的 OIDC 信息调用 HTTP 云函数.注意:为简单起见,我在这里选择默认服务帐户,但是,为此目的创建一个具有较少权限的单独服务帐户是明智的.
These are the exact steps you have to take. Be sure not to skip the second step, it sets invoker permissions on the service account so that the scheduler is able to invoke the HTTP Cloud Function with that service account's OIDC information. Note: for simplicity, I choose the default service account here, however, it would be wise to create a separate service account for this purpose with less privileges.
# Create cloud function
gcloud functions deploy my_function
--entry-point=my_entrypoint
--runtime=python37
--trigger-http
--region=europe-west1
--project=${PROJECT_ID}
# Set invoke permissions
gcloud functions add-iam-policy-binding my_function
--region=europe-west1
--member=serviceAccount:${PROJECT_ID}@appspot.gserviceaccount.com
--role="roles/cloudfunctions.invoker"
--project=${PROJECT_ID}
# Deploy scheduler
gcloud scheduler jobs create http my_job
--schedule="every 60 minutes"
--uri="https://europe-west1-${PROJECT_ID}.cloudfunctions.net/my_function/"
--http-method=POST
--oidc-service-account-email="${PROJECT_ID}@appspot.gserviceaccount.com"
--oidc-token-audience="https://europe-west1-${PROJECT_ID}.cloudfunctions.net/my_function"
--project=${PROJECT_ID}
这篇关于如何通过身份验证从 Cloud Scheduler 调用 Cloud Function的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
