GCP Functions gen2 "You must assign the Invoker role"
Question
I want to deploy a cloud function that can be called by everyone via http.
This is my deploy script:
gcloud functions deploy <MYFUNCTION> --runtime nodejs18 --gen2 --trigger-http --region=europe-west1 --allow-unauthenticated --project=<MYPROJECT> --set-env-vars NODE_ENV=production
But I get this warning:
> Warning: You must assign the Invoker role (roles/run.invoker) through
> Cloud Run for 2nd gen functions if you want to allow the function to
> receive requests from additional principals or other given authorities
> in IAM. Note: if you want to achieve the equivalent of assigning the
> Cloud Functions "Admin" or "Developer" role to a 1st gen function, you
> need to assign Cloud Functions "Admin" or "Developer" to the 2nd gen
> function and assign "Cloud Run Invoker" to the Cloud Run service.
What am I doing wrong?
Note, I am new to GCP and IAM.
Answer 1
Score: 1
As per Authenticating for invocation:
> The user account you are using to access Cloud Functions assigned a
> role that contains the cloudfunctions.functions.invoke permission.
> By default, the Cloud Functions Admin and Developer roles have this permission.
>
> You need to grant the appropriate invoker role to the calling
> function's service account on the receiving function.
>
> Cloud Functions (1st gen): Run the below command for 1st gen
> functions, the invoker role is Cloud Functions Invoker
> (roles/cloudfunctions.invoker)
>
> gcloud functions add-iam-policy-binding RECEIVING_FUNCTION \
> --member='serviceAccount:CALLING_FUNCTION_IDENTITY' \
> --role='roles/cloudfunctions.invoker'
>
> Cloud Functions (2nd gen): Run the below command for 2nd gen functions, the invoker
> role is Cloud Run Invoker (roles/run.invoker) and must be granted on
> the underlying service.
>
> gcloud functions add-invoker-policy-binding RECEIVING_FUNCTION \
> --member='serviceAccount:CALLING_FUNCTION_IDENTITY'
>
> where RECEIVING_FUNCTION is the name of the receiving function and
> CALLING_FUNCTION_IDENTITY is the calling function identity, a service
> account email.
Also refer to IAM Control access on an individual service for more details.
> You can make a service publicly accessible by adding the special
> allUsers member type to a service and granting it the
> roles/run.invoker role:
>
> gcloud run services add-iam-policy-binding [SERVICE_NAME] \
> --member="allUsers" \
> --role="roles/run.invoker"
>
> Additionally, when you deploy your service with the gcloud run deploy
> command, you can specify whether or not to make your service publicly accessible:
>
> gcloud run deploy [SERVICE_NAME] ... --allow-unauthenticated
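Added example (not part of the answer above, and not Google's own tooling): the bindings the answer talks about live in the IAM policy of the Cloud Run service that backs a gen2 function, which you can read with `gcloud run services get-iam-policy SERVICE --region REGION --format=json`. The script below audits such a policy offline: it lists who holds roles/run.invoker, flags the special `allUsers` / `allAuthenticatedUsers` members that make the service reachable without a per-principal grant (which is what `--allow-unauthenticated` sets up), and mirrors what `add-iam-policy-binding` does by idempotently adding a member to the invoker binding. The policy JSON, the project id and the service-account email are constructed sample values; the etag is a placeholder.

```python
import json
from typing import Dict, List

# Constructed sample of what `gcloud run services get-iam-policy ... --format=json`
# returns for the Cloud Run service underlying a gen2 function.
# Project, service-account email and etag are made-up placeholders.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/run.invoker",
     "members": ["serviceAccount:caller@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/run.admin",
     "members": ["user:owner@example.com"]}
  ],
  "etag": "PLACEHOLDER_ETAG",
  "version": 1
}
"""

INVOKER_ROLE = "roles/run.invoker"
# IAM member types that are not a single identity: allUsers is anyone on the
# internet, allAuthenticatedUsers is any Google account whatsoever.
BROAD_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def load_policy(policy_json: str) -> Dict:
    """Parse the JSON policy document as printed by gcloud."""
    return json.loads(policy_json)


def invokers(policy: Dict) -> List[str]:
    """Every member bound to roles/run.invoker, i.e. every principal allowed to call the service."""
    members: List[str] = []
    for binding in policy.get("bindings", []):
        if binding.get("role") == INVOKER_ROLE:
            members.extend(binding.get("members", []))
    return sorted(set(members))


def public_exposure(policy: Dict) -> List[str]:
    """The broad member types holding invoker; non-empty means the service is not limited to named principals."""
    return sorted(m for m in invokers(policy) if m in BROAD_MEMBERS)


def add_invoker_binding(policy: Dict, member: str) -> Dict:
    """Offline equivalent of `gcloud run services add-iam-policy-binding --role=roles/run.invoker --member=MEMBER`.
    Returns a new policy with MEMBER added to the invoker binding (creating the binding if absent);
    adding a member that is already present is a no-op, and the etag is kept so a later
    set-iam-policy would still be checked against the version the policy was read from."""
    new_policy = json.loads(json.dumps(policy))  # deep copy, input left untouched
    for binding in new_policy.setdefault("bindings", []):
        if binding.get("role") == INVOKER_ROLE:
            members = binding.setdefault("members", [])
            if member not in members:
                members.append(member)
            return new_policy
    new_policy["bindings"].append({"role": INVOKER_ROLE, "members": [member]})
    return new_policy


def audit(policy: Dict) -> Dict:
    """Summary a reviewer wants for each Cloud Run service: who can invoke it, and is it broadly exposed."""
    return {"invokers": invokers(policy), "public": public_exposure(policy)}


if __name__ == "__main__":
    before = load_policy(SAMPLE_POLICY_JSON)
    print("before:", audit(before))
    # What --allow-unauthenticated amounts to: allUsers gets roles/run.invoker.
    after = add_invoker_binding(before, "allUsers")
    print("after granting allUsers:", audit(after))
```

Run it against the real output of `gcloud run services get-iam-policy` for each service in a project to spot functions that were made public, intentionally or not; a gen2 function deployed with `--allow-unauthenticated` shows up with `allUsers` in the invoker list.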
Comments