我正在使用我的 python 脚本创建 Google Cloud HTTP 函数,如下所示:
gcloud beta functions deploy " + function_name + " --runtime go111 --trigger-http --memory 128 --region " + cloud_region + " --source " + function_path + " --service-account " + my_service_account
Allow unauthenticated invocations of new function [ExecuteFunctionTest]? (y/N)? N
WARNING: Function created with default IAM policy. To enable unauthorized access consider "gcloud alpha functions add-iam-policy-binding function_name --region=us-central1 --member=allUsers --role=roles/cloudfunctions.invoker"
然后当我这样做时:
gcloud beta functions get-iam-policy function_name
我得到以下输出:
bindings:
- members:
- allUsers
role: roles/cloudfunctions.invoker
etag: BwWOGyVdpDg=
version: 1
为什么“allUsers”是这里的成员?
文档 https://cloud.google.com/functions/docs/securing/authenticating和 https://cloud.google.com/functions/docs/securing/managing-access说:
all Cloud Functions are deployed privately, which means that they can't be accessed without providing authentication credentials in the request.
By default, HTTP Functions are only callable by project owners, editors, and Cloud Functions Admins and Developers.
但是我可以使用简单的 curl 命令或 Postman 客户端访问 Cloud Function URL,而无需来自项目外部的任何凭据。
什么可能导致 Cloud Function 具有“allUsers”成员并且可公开访问?
最佳答案
您可以使用下一个命令设置访问权限
https://cloud.google.com/sdk/gcloud/reference/alpha/functions/add-iam-policy-binding
并使用下一个删除所有用户
https://cloud.google.com/sdk/gcloud/reference/alpha/functions/remove-iam-policy-binding
例子:
gcloud alpha 函数 add-iam-policy-binding function_name --region=us-central1 --member=user:your.email@gmail.com --role=roles/cloudfunctions.invoker
gcloud alpha 函数 remove-iam-policy-binding function_name --region=us-central1 --member=allUsers --role=roles/cloudfunctions.invoker
关于google-cloud-platform - 未使用私有(private)访问权限创建的 Google Cloud Function,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/57122047/