How to restrict access to a specific Cloud Function to a third party

Published 2025-01-23 21:38:52 · 428 characters · 0 views · 0 comments


I have made a set of Cloud Functions and secured them by checking the auth header like below:

    if (!context.auth)
        return { status: "error", code: 401, message: "Not signed in" };

All seems to work pretty well at the moment, it returned 401 for requests without valid auth header.

Then I have one cloud function updateStock() that I wish to share with partner named Bob, where Bob can call it to update us on stock level for example. How do I share this cloud function with Bob and ensure no one else should be able to use this function?

  • can I generate a pair of client ID/secret for Bob to use?
  • or should I use a Web API Key?
  • I have also heard of setting up a Webhook on Cloud Run, does that help in this case?


Comments (2)

画尸师 2025-01-30 21:38:52



I have quite a few solutions for you:

  1. You can create a Service Account under IAM & Admin -> Service Accounts.
    You need to apply the Cloud Functions Invoker role to this service
    account; you can use the gcloud CLI for this:

    gcloud beta functions add-iam-policy-binding YOUCLOUDFUNCTIONAME --member serviceAccount:NAME-OF-YOUR-SERVICE-ACCOUNT@project-name.iam.gserviceaccount.com --role roles/cloudfunctions.invoker --region YOUR-REGION

    You will be prompted with a message like this:

    bindings:
    - members:
      - allUsers
      - YOUR SERVICE ACCOUNT

    Ideally, you need to remove the allUsers role.

    gcloud beta functions remove-iam-policy-binding YOUFUNCTIONNAME --member allUsers --role roles/cloudfunctions.invoker --region us-central1
    

    Then you can add Bob to give him the Service Account User role. Granting
    the Service Account User role to a user for a specific service
    account gives the user access to only that service account.

    Users granted the Service Account User role on a service account can
    use it to indirectly access all the resources to which the service
    account has access. For example, if a service account has been
    granted the Cloud Functions Invoker role, a user that has been
    granted the Service Account User role
    (roles/iam.serviceAccountUser) on that service account can act as
    the service account to invoke a Cloud Function. In this flow, the
    user impersonates the service account to perform any tasks using its
    granted roles and permissions.

  2. For preventing external unauthenticated calls, you can make your
    function private. Very easy to do: deploy it with the
    --no-allow-unauthenticated param:

    gcloud functions deploy my-function --no-allow-unauthenticated --trigger... --region... --runtime...

Now you have to perform 2 things:

Create a service account with the correct roles. You can do it by the GUI
or with the command line:

gcloud iam service-accounts create your-service-account-name
gcloud functions add-iam-policy-binding your-function-name \
  --member=serviceAccount:your-service-account-name@YOUR_PROJECT_ID.iam.gserviceaccount.com \
  --role=roles/cloudfunctions.invoker

With the GUI, if you grant the role cloudfunctions.invoker at project
level, your service account will be able to access all functions in your
project. With my command line, I only grant the role on a specific
function.
Then again you can add Bob to give him the Service Account User role. Granting the Service Account User role to a user for a
specific service account gives the user access to only that service
account.

  1. You can add authentication to a cloud function by using Firebase
    Authentication. Only users who pass a valid Firebase ID token as a
    Bearer token in the Authorization header of the HTTP request or in a
    __session cookie are authorized to use the function.

    Here's a GitHub example of how to do it:
    https://github.com/firebase/functions-samples/tree/master/authorized-https-endpoint

  2. The Google Function Authorizer module might be good for your use
    case. I cannot vouch for its working but the idea seems pretty close
    to your use case. It provides "a simple user authentication and
    management system for Google Cloud HTTP Functions."
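One way to turn the Firebase Authentication option above into code, as an added example that is not from the answer or the linked sample: an Express-style gate that accepts the ID token from the Authorization header or the __session cookie, then allows only an allow-list of uids (Bob's uid is a placeholder). The token verifier is injected and a constructed fake stands in for firebase-admin's verifyIdToken so the block runs offline.

```javascript
// Added example, not code from the answer: a Firebase ID-token gate for an HTTP
// Cloud Function that only lets allow-listed partner uids (Bob) through. The
// verifier is injected so it runs offline; in production pass firebase-admin's
// admin.auth().verifyIdToken.bind(admin.auth()) instead of the fake below.

// Read the ID token from "Authorization: Bearer <token>" or the __session cookie.
function extractIdToken(req) {
  const h = req.headers || {};
  if (h.authorization && h.authorization.startsWith('Bearer ')) {
    return h.authorization.slice('Bearer '.length).trim() || null;
  }
  const m = h.cookie && /(?:^|;\s*)__session=([^;]+)/.exec(h.cookie);
  return m ? decodeURIComponent(m[1]) : null;
}

// Express-style middleware: 401 when there is no valid token, 403 when the
// caller is authenticated but not an allow-listed partner, else req.user is set.
function requirePartner(verifyIdToken, allowedUids) {
  const allowed = new Set(allowedUids);
  const fail = (res, code, message) => res.status(code).json({ status: 'error', code, message });
  return async (req, res, next) => {
    const token = extractIdToken(req);
    if (!token) return fail(res, 401, 'Not signed in');
    let decoded;
    try {
      decoded = await verifyIdToken(token); // rejects expired or forged tokens
    } catch (e) {
      return fail(res, 401, 'Invalid token');
    }
    if (!allowed.has(decoded.uid)) return fail(res, 403, 'Not allowed');
    req.user = decoded;
    return next();
  };
}

// Constructed stand-in for verifyIdToken: "valid:<uid>" is accepted, all else rejected.
async function fakeVerifyIdToken(token) {
  if (!token.startsWith('valid:')) throw new Error('bad token');
  return { uid: token.slice('valid:'.length) };
}
const BOB_UID = 'bob-uid-placeholder'; // placeholder for Bob's real Firebase uid

// Run the middleware once against a minimal response stub; returns the HTTP status.
async function simulate(req, verifier = fakeVerifyIdToken, allowed = [BOB_UID]) {
  const res = { code: 200, status(c) { res.code = c; return res; }, json() { return res; } };
  let reached = false;
  await requirePartner(verifier, allowed)(req, res, () => { reached = true; });
  return reached ? 200 : res.code;
}
```

Put requirePartner in front of updateStock() and only a token minted for Bob's uid reaches the handler; a valid token for any other account gets 403, and no or bad token gets 401.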

初见 2025-01-30 21:38:52


There is a guide provided in the official Cloud Functions documentation on Authenticating for invocation. Add your principal "Bob" as described in the documentation and follow through the steps.

For your Postman use case, you may refer to the section "Generating tokens manually". Or for a quick test using Cloud Shell "gcloud", refer to the section "Authenticating Developer Testing".

As always, please let us know of any issues.
