如何使用 Deployment Manager 将 IAM 策略设置为 Cloud Function
How to set IAM policy to Cloud Function with Deployment Manager
我想通过 Deployment Manager 使用特定的 IAM 策略部署 Cloud Functions。我的deployment.yml:
resources:
- type: gcp-types/cloudfunctions-v1:projects.locations.functions
name: test-function
properties:
parent: projects/test-project/locations/europe-west3
function: test-function
entryPoint: functions.KotlinHelloWorld
timeout: 30s
availableMemoryMb: 256
runtime: java11
location: europe-west3
sourceArchiveUrl: gs://source-bucket/kotlin-function.zip
httpsTrigger:
url: https://europe-west3-test-project.cloudfunctions.net/test-function
environmentVariables:
BUCKET: function-results
RESULT_FILE: dates.txt
accessControl:
gcpIamPolicy:
bindings:
- role: roles/cloudfunctions.invoker
members:
- allUsers
它在没有 accessControl 块的情况下工作。但是在上面的情况下我得到一个错误:
user@pc-003:~/Develop/kotlin-function$ gcloud deployment-manager deployments update learning --config deployment.yml
The fingerprint of the deployment is 6MAQlDoq73-O_QDwSCD7uA==
Waiting for update [operation-1593088111352-5a8e7baf9192b-7d149199-82e96170]...failed.
ERROR: (gcloud.deployment-manager.deployments.update) Error in Operation [operation-1593088111352-5a8e7baf9192b-7d149199-82e96170]: errors:
- code: RESOURCE_ERROR
location: /deployments/learning/resources/test-function
message: '{"ResourceType":"gcp-types/cloudfunctions-v1:projects.locations.functions","ResourceErrorCode":"404","ResourceErrorMessage":{"statusMessage":"Not
Found","requestPath":"https://cloudfunctions.googleapis.com/v1/:setIamPolicy","httpMethod":"POST"}}'
这是部署管理器和云功能的问题 API。您可以在这里阅读更多相关信息:https://github.com/GoogleCloudPlatform/deploymentmanager-samples/issues/494
作为解决方法,您可以将 IAM 策略定义为单独的资源:
- name: [BINDING_NAME]
type: gcp-types/cloudfunctions-v1:virtual.projects.locations.functions.iamMemberBinding
properties:
resource: projects/[PROJECT_NAME]/locations/[LOCATION]/functions/[FUNCTION_NAME]
role: roles/cloudfunctions.invoker
member: allUsers
为此,您需要授予 Google APIs Service Agent 编辑 IAM 策略的权限。 Cloud Functions Admin 是在这种情况下拥有所有需要权限的角色
我想通过 Deployment Manager 使用特定的 IAM 策略部署 Cloud Functions。我的deployment.yml:
resources:
- type: gcp-types/cloudfunctions-v1:projects.locations.functions
name: test-function
properties:
parent: projects/test-project/locations/europe-west3
function: test-function
entryPoint: functions.KotlinHelloWorld
timeout: 30s
availableMemoryMb: 256
runtime: java11
location: europe-west3
sourceArchiveUrl: gs://source-bucket/kotlin-function.zip
httpsTrigger:
url: https://europe-west3-test-project.cloudfunctions.net/test-function
environmentVariables:
BUCKET: function-results
RESULT_FILE: dates.txt
accessControl:
gcpIamPolicy:
bindings:
- role: roles/cloudfunctions.invoker
members:
- allUsers
它在没有 accessControl 块的情况下工作。但是在上面的情况下我得到一个错误:
user@pc-003:~/Develop/kotlin-function$ gcloud deployment-manager deployments update learning --config deployment.yml
The fingerprint of the deployment is 6MAQlDoq73-O_QDwSCD7uA==
Waiting for update [operation-1593088111352-5a8e7baf9192b-7d149199-82e96170]...failed.
ERROR: (gcloud.deployment-manager.deployments.update) Error in Operation [operation-1593088111352-5a8e7baf9192b-7d149199-82e96170]: errors:
- code: RESOURCE_ERROR
location: /deployments/learning/resources/test-function
message: '{"ResourceType":"gcp-types/cloudfunctions-v1:projects.locations.functions","ResourceErrorCode":"404","ResourceErrorMessage":{"statusMessage":"Not
Found","requestPath":"https://cloudfunctions.googleapis.com/v1/:setIamPolicy","httpMethod":"POST"}}'
这是部署管理器和云功能的问题 API。您可以在这里阅读更多相关信息:https://github.com/GoogleCloudPlatform/deploymentmanager-samples/issues/494
作为解决方法,您可以将 IAM 策略定义为单独的资源:
- name: [BINDING_NAME]
type: gcp-types/cloudfunctions-v1:virtual.projects.locations.functions.iamMemberBinding
properties:
resource: projects/[PROJECT_NAME]/locations/[LOCATION]/functions/[FUNCTION_NAME]
role: roles/cloudfunctions.invoker
member: allUsers
为此,您需要授予 Google APIs Service Agent 编辑 IAM 策略的权限。 Cloud Functions Admin 是在这种情况下拥有所有需要权限的角色