GCP Functions gen2 “You must assign the Invoker role”


I want to deploy a cloud function that can be called by everyone via http.

This is my deploy script:

gcloud functions deploy <MYFUNCTION> --runtime nodejs18 --gen2 --trigger-http --region=europe-west1 --allow-unauthenticated --project=<MYPROJECT> --set-env-vars NODE_ENV=production

But I get this warning:

> Warning: You must assign the Invoker role (roles/run.invoker) through
> Cloud Run for 2nd gen functions if you want to allow the function to
> receive requests from additional principals or other given authorities
> in IAM. Note: if you want to achieve the equivalent of assigning the
> Cloud Functions "Admin" or "Developer" role to a 1st gen function, you
> need to assign Cloud Functions "Admin" or "Developer" to the 2nd gen
> function and assign "Cloud Run Invoker" to the Cloud Run service.

What am I doing wrong?

Note, I am new to GCP and IAM.


Answer 1

Score: 1


As per Authenticating for invocation:

> The user account you are using to access Cloud Functions is assigned a
> role that contains the cloudfunctions.functions.invoke permission.
> By default, the Cloud Functions Admin and
> Developer roles have this permission.
>
> You need to grant the appropriate invoker role to the calling
> function's service account on the receiving function.
>
> Cloud Functions (1st gen): Run the below command for 1st gen
> functions, the invoker role is Cloud Functions Invoker
> (roles/cloudfunctions.invoker)
>
> gcloud functions add-iam-policy-binding RECEIVING_FUNCTION \
>   --member='serviceAccount:CALLING_FUNCTION_IDENTITY' \
>   --role='roles/cloudfunctions.invoker'
>
> Cloud Functions (2nd gen): Run the below command for 2nd gen functions, the invoker
> role is Cloud Run Invoker (roles/run.invoker) and must be granted on
> the underlying service.
>
> gcloud functions add-invoker-policy-binding RECEIVING_FUNCTION \
>   --member='serviceAccount:CALLING_FUNCTION_IDENTITY'
>
> where RECEIVING_FUNCTION is the name of the receiving function and
> CALLING_FUNCTION_IDENTITY is the calling function identity, a service
> account email.

Also refer to IAM Control access on an individual service for more details.

> You can make a service publicly accessible by adding the special
> allUsers member type to a service and granting it the
> roles/run.invoker role:
>
> gcloud run services add-iam-policy-binding [SERVICE_NAME] \
>   --member="allUsers" \
>   --role="roles/run.invoker"
>
> Additionally, when you deploy your service with the gcloud run deploy command, you can specify whether or
> not to make your service publicly accessible:
>
> gcloud run deploy [SERVICE_NAME] ... --allow-unauthenticated
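Added example, not part of the original question or answer: since a gen2 function is invoked through its underlying Cloud Run service, the way to confirm that `--allow-unauthenticated` (or an explicit `add-iam-policy-binding`) actually took effect is to read that service's IAM policy and check who holds `roles/run.invoker`. The script below does that classification, which is also the check to run when auditing for functions that are unintentionally public. The two sample policies are constructed for this example; `fetch_policy()` shows the real `gcloud run services get-iam-policy` call but assumes an installed, authenticated gcloud and is not invoked by the sample run.

```python
# Added example (not the question's or the answer's code): audit the IAM policy
# of the Cloud Run service behind a gen2 function and report whether
# roles/run.invoker is held by allUsers, allAuthenticatedUsers, or only by
# named principals. Sample policies below are constructed for this example.
import json
import subprocess

INVOKER_ROLE = "roles/run.invoker"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def invoker_members(policy):
    """Return every member holding roles/run.invoker in a Cloud Run IAM policy dict."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == INVOKER_ROLE:
            members.update(binding.get("members", []))
    return members


def public_invokers(policy):
    """Invoker members that open the service to the whole internet or to all Google accounts."""
    return invoker_members(policy) & PUBLIC_MEMBERS


def classify(policy):
    """'public' (allUsers), 'authenticated' (allAuthenticatedUsers only), or 'private'."""
    public = public_invokers(policy)
    if "allUsers" in public:
        return "public"
    if "allAuthenticatedUsers" in public:
        return "authenticated"
    return "private"


def fetch_policy(service, region, project):
    """Read the live policy with gcloud (assumes gcloud is installed and authenticated)."""
    out = subprocess.run(
        ["gcloud", "run", "services", "get-iam-policy", service,
         "--region=" + region, "--project=" + project, "--format=json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


# Constructed sample: what the policy should contain after
# `gcloud functions deploy ... --gen2 --allow-unauthenticated` succeeds.
PUBLIC_POLICY = {
    "bindings": [
        {"role": "roles/run.invoker", "members": ["allUsers"]},
    ],
    "etag": "BwXexample=",
    "version": 1,
}

# Constructed sample: only one caller service account can invoke, the
# `gcloud functions add-invoker-policy-binding` case from the answer.
PRIVATE_POLICY = {
    "bindings": [
        {
            "role": "roles/run.invoker",
            "members": ["serviceAccount:caller@example-project.iam.gserviceaccount.com"],
        },
    ],
    "etag": "BwXexample=",
    "version": 1,
}


if __name__ == "__main__":
    for name, policy in (("public-sample", PUBLIC_POLICY), ("private-sample", PRIVATE_POLICY)):
        print(f"{name}: {classify(policy)} (invokers: {sorted(invoker_members(policy))})")
```

To check a real deployment, replace the sample dicts with `fetch_policy("<MYFUNCTION>", "europe-west1", "<MYPROJECT>")`; a result of `private` means the function will reject anonymous HTTP calls even though the deploy command included `--allow-unauthenticated`, and the `allUsers` binding from the answer still has to be added on the Cloud Run service.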

Posted by huangapple on 2023-03-12 14:45:42
Source: https://go.coder-hub.com/75711486.html