允许服务账号调用 Terraform 中的所有云函数。

huangapple go评论62阅读模式
英文:

Give permission to service account to call all Cloud Function in Terraform

问题

As stated here, you need to define this block so a service account or user can call the function.

资源 "google_cloudfunctions_function_iam_member" "invoker" {
  项目 = google_cloudfunctions_function.function.project
  区域 = google_cloudfunctions_function.function.region
  云函数 = google_cloudfunctions_function.function.name

  角色   = "roles/cloudfunctions.invoker"
  成员 = "user:myFunctionInvoker@example.com"
}

Is there anyway to give this user/service account to be able call the function without redefining this block repetitively?

*edit

I add roles/iam.serviceAccountUser binding to my service account and it works.

gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_EMAIL \
  --member user:USER_EMAIL \
  --role roles/iam.serviceAccountUser

read more here

英文:

As stated here, you need to define this block so a service account or user can call the function.

resource "google_cloudfunctions_function_iam_member" "invoker" {
  project        = google_cloudfunctions_function.function.project
  region         = google_cloudfunctions_function.function.region
  cloud_function = google_cloudfunctions_function.function.name

  role   = "roles/cloudfunctions.invoker"
  member = "user:myFunctionInvoker@example.com"
}

Is there anyway to give this user/service account to be able call the function without redefining this block repetitively?

*edit

I add roles/iam.serviceAccountUser binding to my service account and it works.

gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_EMAIL \
  --member user:USER_EMAIL \
  --role roles/iam.serviceAccountUser

read more here

答案1

得分: 1

发布此内容作为社区维基,供所有人查看。对于服务帐户或用户要调用函数,他们需要具有“roles/cloudfunctions.invoker”角色。要在多个用户或整个用户/服务帐户组上执行此操作,您可以使用IAM来管理他们的访问权限。您可以参考此文档

英文:

Posting this as a community wiki for everyone's visibility. For a service account or a user to call a function, they need to have the "roles/cloudfunctions.invoker" role. To do this on multiple user or to an entire group of user/service account, you can use IAM to manage their access. You can refer to this documentation on how.

huangapple
  • 本文由 发表于 2023年5月25日 21:00:06
  • 转载请务必保留本文链接:https://go.coder-hub.com/76332545.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定