Problem description
I have successfully deployed a Cloud Function that does some basic pre-processing to some data and uploads it to gSheet.
Now, the trigger url accepts external unauthenticated invocations, leading to the risk of excessive bills in case the url ends up in the wrong hands.
I am wondering if there's any way to restrict invocation to Cloud Scheduler in IAM, preventing external calls to the service altogether.
Reading around it seems that including some header in the request and checking for it in the function could be a rudimentary way to enforce really basic authentication.
Recommended answer
To prevent external unauthenticated calls, you can set your function private. Very easy to do: deploy it with the --no-allow-unauthenticated param
gcloud functions deploy my-function --no-allow-unauthenticated --trigger... --region... --runtime...
But now, the scheduler can't call it. Now you have to perform 2 things
- Create a service account with the correct role. You can do it through the GUI or the command line
# Create the service account
gcloud iam service-accounts create your-service-account-name
# Grant the role for calling the function
gcloud functions add-iam-policy-binding \
--member=serviceAccount:your-service-account-name@YOUR_PROJECT_ID.iam.gserviceaccount.com \
--role=roles/cloudfunctions.invoker your-function-name
With the GUI, if you grant the role cloudfunctions.invoker at project level, your service account will be able to access all functions in your project. With my command line, I only grant the role on a specific function. You can do it through the console, by going to the functions list, selecting a function (check box) and clicking on show info panel. Here you have a permissions tab
- Then create the scheduler with the service account
gcloud scheduler jobs create http your-job-name --schedule="0 0 * * *" \
--uri=your-function-URI \
--oidc-service-account-email=your-service-account-name@YOUR_PROJECT_ID.iam.gserviceaccount.com
If it doesn't work, it's because your Cloud Scheduler service agent isn't authorized to generate tokens with the service account.
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
--member=serviceAccount:service-[project-number]@gcp-sa-cloudscheduler.iam.gserviceaccount.com \
--role roles/cloudscheduler.serviceAgent
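To confirm the lock-down described above actually took effect, an added example (not part of the answer) that audits the function's IAM policy as returned by gcloud functions get-iam-policy --format=json: it flags the invoker role being granted to public principals and checks that only the intended scheduler service account holds it. The two policy documents are constructed sample data, not real output.

```python
import json

INVOKER_ROLE = "roles/cloudfunctions.invoker"
# Principals that make a function callable by anyone on the internet.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Service account the scheduler job uses (placeholder from the answer above).
EXPECTED_INVOKER = ("serviceAccount:your-service-account-name"
                    "@YOUR_PROJECT_ID.iam.gserviceaccount.com")

# Constructed sample: a function deployed with --allow-unauthenticated still
# has allUsers as invoker even after the service account was added.
PUBLIC_POLICY = json.dumps({
    "bindings": [
        {"role": INVOKER_ROLE, "members": ["allUsers", EXPECTED_INVOKER]},
        {"role": "roles/cloudfunctions.developer",
         "members": ["user:alice@example.com"]},
    ],
    "etag": "ETAG_PLACEHOLDER", "version": 1,
})

# Constructed sample: the state the answer's commands produce.
LOCKED_POLICY = json.dumps({
    "bindings": [
        {"role": INVOKER_ROLE, "members": [EXPECTED_INVOKER]},
    ],
    "etag": "ETAG_PLACEHOLDER", "version": 1,
})


def audit_invoker_policy(policy_json, expected_invoker):
    """Inspect the invoker bindings of a function IAM policy.

    Returns a dict with the public principals that can invoke the function
    (should be empty) and whether the expected scheduler account is bound.
    """
    policy = json.loads(policy_json)
    public_members = []
    expected_present = False
    for binding in policy.get("bindings", []):
        if binding.get("role") != INVOKER_ROLE:
            continue  # other roles do not grant HTTP invocation
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                public_members.append(member)
            elif member == expected_invoker:
                expected_present = True
    return {"public_members": public_members,
            "expected_invoker_present": expected_present}


def is_locked_down(policy_json, expected_invoker):
    """True only when no public principal can invoke and the scheduler SA can."""
    result = audit_invoker_policy(policy_json, expected_invoker)
    return not result["public_members"] and result["expected_invoker_present"]
```

On a real project, pipe the output of gcloud functions get-iam-policy into audit_invoker_policy; a non-empty public_members list means the URL is still callable without a token.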