如何为 Cloud Functions 创建的 Google Cloud Task 授予权限
How do I grant permission for a Google Cloud Task created by Cloud Functions
我有两个 Google Cloud Functions,其中一个 'caller' 创建一个 Cloud Task,然后调用绑定到不同 Cloud Functions 的 http 端点 'worker'
当我将 allUsers 作为 Cloud Functions Invoker 分配给 worker 函数时,这是有效的。当我删除此权限并将调用者函数服务帐户分配为调用者时,它失败了。我做错了什么?
如果有任何代码有助于诊断,请告诉我。这似乎不是代码问题,因为相同的代码通过或失败取决于我拥有的权限 set.My 权限看起来像这样:
...@appspot.gserviceaccount.com App Engine default service account Cloud Functions Invoker
export function main(
project:any, // Your GCP Project id
queue:any, // Name of your Queue
location:any, // The GCP region of your queue
url:any, // The full url path that the request will be sent to
payload:any, // The task HTTP request body
inSeconds = 0 // Delay in task execution
) {
// [START cloud_tasks_create_http_task]
// Imports the Google Cloud Tasks library.
const {CloudTasksClient} = require('@google-cloud/tasks');
// Instantiates a client.
const client = new CloudTasksClient();
async function createHttpTask() {
// TODO(developer): Uncomment these lines and replace with your values.
// const project = 'my-project-id';
// const queue = 'my-queue';
// const location = 'us-central1';
// const url = 'https://example.com/taskhandler';
// const payload = 'Hello, World!';
// const inSeconds = 180;
// Construct the fully qualified queue name.
const parent = client.queuePath(project, location, queue);
const task = {
httpRequest: {
httpMethod: 'POST',
url,
body: '',
headers: {
"Content-Type": "application/json",
},
},
scheduleTime: {}
};
if (payload) {
const convertedPayload = JSON.stringify(payload);
task.httpRequest.body = Buffer.from(convertedPayload).toString('base64');
}
if (inSeconds) {
// The time when the task is scheduled to be attempted.
task.scheduleTime = {
seconds: inSeconds + Date.now() / 1000,
};
}
// Send create task request.
console.log('Sending task:');
console.log(task);
const request = {parent: parent, task: task};
const [response] = await client.createTask(request);
console.log(`Created task ${response.name}`);
}
createHttpTask();
// [END cloud_tasks_create_http_task]
}
哦好吧,你忘了 OIDC part
const task = {
httpRequest: {
httpMethod: 'POST',
url,
body: '',
headers: {
"Content-Type": "application/json",
},
######### This part is missing #############
oidcToken: {
serviceAccountEmail,
},
######### End of missing part #############
},
scheduleTime: {}
};
设置要用于调用云函数的服务帐户电子邮件,当然是具有调用云函数权限的服务帐户,它应该可以工作。
我有两个 Google Cloud Functions,其中一个 'caller' 创建一个 Cloud Task,然后调用绑定到不同 Cloud Functions 的 http 端点 'worker'
当我将 allUsers 作为 Cloud Functions Invoker 分配给 worker 函数时,这是有效的。当我删除此权限并将调用者函数服务帐户分配为调用者时,它失败了。我做错了什么?
如果有任何代码有助于诊断,请告诉我。这似乎不是代码问题,因为相同的代码通过或失败取决于我拥有的权限 set.My 权限看起来像这样:
...@appspot.gserviceaccount.com App Engine default service account Cloud Functions Invoker
export function main(
project:any, // Your GCP Project id
queue:any, // Name of your Queue
location:any, // The GCP region of your queue
url:any, // The full url path that the request will be sent to
payload:any, // The task HTTP request body
inSeconds = 0 // Delay in task execution
) {
// [START cloud_tasks_create_http_task]
// Imports the Google Cloud Tasks library.
const {CloudTasksClient} = require('@google-cloud/tasks');
// Instantiates a client.
const client = new CloudTasksClient();
async function createHttpTask() {
// TODO(developer): Uncomment these lines and replace with your values.
// const project = 'my-project-id';
// const queue = 'my-queue';
// const location = 'us-central1';
// const url = 'https://example.com/taskhandler';
// const payload = 'Hello, World!';
// const inSeconds = 180;
// Construct the fully qualified queue name.
const parent = client.queuePath(project, location, queue);
const task = {
httpRequest: {
httpMethod: 'POST',
url,
body: '',
headers: {
"Content-Type": "application/json",
},
},
scheduleTime: {}
};
if (payload) {
const convertedPayload = JSON.stringify(payload);
task.httpRequest.body = Buffer.from(convertedPayload).toString('base64');
}
if (inSeconds) {
// The time when the task is scheduled to be attempted.
task.scheduleTime = {
seconds: inSeconds + Date.now() / 1000,
};
}
// Send create task request.
console.log('Sending task:');
console.log(task);
const request = {parent: parent, task: task};
const [response] = await client.createTask(request);
console.log(`Created task ${response.name}`);
}
createHttpTask();
// [END cloud_tasks_create_http_task]
}
哦好吧,你忘了 OIDC part
const task = {
httpRequest: {
httpMethod: 'POST',
url,
body: '',
headers: {
"Content-Type": "application/json",
},
######### This part is missing #############
oidcToken: {
serviceAccountEmail,
},
######### End of missing part #############
},
scheduleTime: {}
};
设置要用于调用云函数的服务帐户电子邮件,当然是具有调用云函数权限的服务帐户,它应该可以工作。