Permission to hit google API from a cloud function?

Question

I need to get the Airflow URL and other information from Composer. For that I'm trying to use the Google API (https://composer.googleapis.com/v1beta1/projects/PROJECT_ID/locations/COMPOSER_LOCATION/environments/COMPOSER_NAME). This is the code that I use:

import logging
import requests

import google.auth
import google.cloud.logging
from google.auth.transport.requests import AuthorizedSession

client = google.cloud.logging.Client(project="project ID of the Cloud Function")
client.setup_logging()

AUTH_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
CREDENTIALS, _ = google.auth.default(scopes=[AUTH_SCOPE])


def request_api(url: str, method: str) -> dict:
    authed_session = AuthorizedSession(CREDENTIALS)
    response = authed_session.request(method, url)

    if response.status_code == 403:
        raise requests.HTTPError(
            "You do not have permission to perform this operation. "
            "Check Airflow RBAC roles for your account. "
            f"{response.headers} / {response.text}"
        )
    elif response.status_code != 200:
        response.raise_for_status()
    else:
        return response.json()


def main():
    project_id = 'some project ID'
    location = 'some location'
    composer_name = 'some composer name'
    request_url = (
        'https://composer.googleapis.com/v1beta1/'
        f'projects/{project_id}/'
        f'locations/{location}/'
        f'environments/{composer_name}'
    )

    response = request_api(request_url, 'GET')
    logging.info(f"Response from API: {response}")

But when I run it I got an HTTP 403 error.

{ "error": { "code": 403, "message": "The caller does not have permission", "status": "PERMISSION_DENIED" } }

In this case, the caller is the service account that runs the Cloud Function, right? So what permissions must the service account that runs the cloud function have?


Thanks in advance.

Answer 1

Score: 1

According to Puteri's comment, my cloud function can consume the Composer API if its service account has the role Composer User (roles/composer.user).
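One way to confirm the fix from the answer, as an added example that is not part of the original post: it reads a project IAM policy (the JSON printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`) and reports how roles/composer.user is bound to the function's runtime service account. The policy, the service account e-mails and the function names `grants_for` and `diagnose` are constructed for illustration.

```python
import json

REQUIRED_ROLE = "roles/composer.user"  # role named in the answer above

# Constructed sample policy; project and account names are placeholders.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/composer.user",
   "members": ["deleted:serviceAccount:fn-old@example-project.iam.gserviceaccount.com?uid=123"]},
  {"role": "roles/composer.user",
   "members": ["serviceAccount:fn-temp@example-project.iam.gserviceaccount.com"],
   "condition": {"title": "expires-2023",
                 "expression": "request.time < timestamp('2024-01-01T00:00:00Z')"}},
  {"role": "roles/logging.logWriter",
   "members": ["serviceAccount:fn-runtime@example-project.iam.gserviceaccount.com"]}
]}
""")


def grants_for(policy: dict, sa_email: str, role: str = REQUIRED_ROLE) -> list:
    """List each way `role` is bound to the service account in this policy."""
    live = f"serviceAccount:{sa_email}"
    stale = f"deleted:serviceAccount:{sa_email}?"
    grants = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != role:
            continue
        for member in binding.get("members", []):
            if member == live:
                cond = binding.get("condition")
                grants.append(f"conditional:{cond.get('title', '')}" if cond else "unconditional")
            elif member.startswith(stale):
                # Left over from a deleted account with the same e-mail;
                # it does not apply to an account recreated under that name.
                grants.append("deleted-principal")
    return grants


def diagnose(policy: dict, sa_email: str) -> str:
    """Return 'ok', 'conditional', 'stale' or 'missing' for the required role."""
    grants = grants_for(policy, sa_email)
    if "unconditional" in grants:
        return "ok"
    if any(g.startswith("conditional:") for g in grants):
        return "conditional"  # the 403 may depend on the condition expression
    if "deleted-principal" in grants:
        return "stale"
    return "missing"
```

A "missing" result covers only direct project-level bindings; a role granted through a group or inherited from a folder or organization does not appear under the service account's own name in this JSON.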

Posted by huangapple on June 6, 2023, 05:54:45