允许从云函数调用 Google API 吗?

huangapple go评论64阅读模式
英文:

Permission to hit google API from a cloud function?

问题

I need to get the Airflow URL and other information from Composer. For that I'm trying to use the Google API (https://composer.googleapis.com/v1beta1/projects/PROJECT_ID/locations/COMPOSER_LOCATION/environments/COMPOSER_NAME). This is the code that I use:

import logging
import requests

import google.cloud.logging
from google.auth.transport.requests import AuthorizedSession

client = google.cloud.logging.Client(project="project ID of the Cloud Function")
client.setup_logging()

AUTH_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
CREDENTIALS, _ = google.auth.default(scopes=[AUTH_SCOPE])


def request_api(url: str, method: str) -> dict:
    authed_session = AuthorizedSession(CREDENTIALS)
    response = authed_session.request(method, url)

    if response.status_code == 403:
        raise requests.HTTPError(
            "You do not have permission to perform this operation. "
            "Check Airflow RBAC roles for your account."
            f"{response.headers} / {response.text}"
        )
    elif response.status_code != 200:
        response.raise_for_status()
    else:
        return response.json()


def main():
    project_id = 'some project ID'
    location = 'some location'
    composer_name = 'some composer name'
    request_url = (
        'https://composer.googleapis.com/v1beta1/'
        f'projects/{project_id}/'
        f'locations/{location}/'
        f'environments/{composer_name}'
    )

    response = request_api(request_url, 'GET')
    logging.info(f"Response from API: {response}")

But when I run it I got an HTTP 403 error.

{ "error": { "code": 403, "message": "The caller does not have permission", "status": "PERMISSION_DENIED" } }

In this case, the caller is the service account that runs the Cloud Function, right? So what permissions must the service account that runs the cloud function have?

英文:

I need to get the Airflow URL and other information from Composer. For that I'm trying to use the Google API (https://composer.googleapis.com/v1beta1/projects/PROJECT_ID/locations/COMPOSER_LOCATION/environments/COMPOSER_NAME'). This is the code that I use:

import logging
import requests

import google.cloud.logging
from google.auth.transport.requests import AuthorizedSession

client = google.cloud.logging.Client(project="project ID of the Cloud Function")
client.setup_logging()

AUTH_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
CREDENTIALS, _ = google.auth.default(scopes=[AUTH_SCOPE])


def request_api(url: str, method: str) -> dict:
    authed_session = AuthorizedSession(CREDENTIALS)
    response = authed_session.request(method, url)

    if response.status_code == 403:
        raise requests.HTTPError(
            "You do not have a permission to perform this operation. "
            "Check Airflow RBAC roles for your account."
            f"{response.headers} / {response.text}"
        )
    elif response.status_code != 200:
        response.raise_for_status()
    else:
        return response.json()


def main():
    project_id = 'some project ID'
    location = 'some location'
    composer_name = 'some composer name'
    request_url = (
        'https://composer.googleapis.com/v1beta1/'
        f'projects/{project_id}/'
        f'locations/{location}/'
        f'environments/{composer_name}'
    )

    response = request_api(request_url, 'GET')
    logging.info(f"Response from API: {response}")

But when I run it I got an HTTP 403 error.

{ "error": { "code": 403, "message": "The caller does not have permission", "status": "PERMISSION_DENIED" } }

In this case the caller is the service account that run the Cloud Function, right? So what permissions must have the service account that run the cloud function?

Thanks in advance.

答案1

得分: 1

根据Puteri的评论。如果他们的服务帐户具有角色Composer用户(roles/composer.user),我的云函数可以访问Composer API。

英文:

According to Puteri comment. My cloud function can consume the Composer API if their service account have the role Composer User (roles/composer.user).

huangapple
  • 本文由 发表于 2023年6月6日 05:54:45
  • 转载请务必保留本文链接:https://go.coder-hub.com/76410239.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定