只是想检查这是否在已经可用的路线图中,我刚刚错过了这些。在为一个重要项目构建我的函数时,我想应用一些防火墙规则来限制我的一些Google云功能(HTTP端点触发器)的网络访问,原因是多方面的原因(安全性,如果因垃圾邮件导致突然收费,请避免高价)请求等。)
这是可用的还是在管道中?如果没有,您如何限制对特定功能的访问权限,只允许使用一些Google Compute Engines,其他GCF和其他Google云端服务(Firestore,Storage,PubSub。)
答案 0 :(得分:5)
您应该关注的不仅仅是防火墙规则,而是通过访问令牌验证您对云功能的请求。
Here there is a good example on how to do this
基本上,您将创建一个HTTP触发的云功能。
首先创建一个存储桶,我的服务器名为 auth-123 。然后将其放入云端shell并将项目名称和存储桶定义为环境变量:
jordim@yrmv-191108:~$ export BUCKET=auth-123
jordim@yrmv-191108:~$ export PROJECT=yrmv-191108
创建几个服务帐户
jordim@yrmv-191108:~$ gcloud iam service-accounts create alpha-account --
display-name "Account 1"
jordim@yrmv-191108:~$ gcloud iam service-accounts create beta-account --display-name "Account 2"
Created service account [beta-account].
现在创建功能!在云外壳上的文件夹上首先创建一个带有依赖项的package.json:
jordim@yrmv-191108:~/cloudfunction$ cat > package.json
{
"dependencies": {
"googleapis": "21.2"
}
}
现在功能本身:
const Google = require('googleapis');
const BUCKET = 'auth-123'; // Replace with name of your bucket
/**
* Cloud Function.
*
* @param {Object} req Cloud Function request context.
* @param {Object} res Cloud Function response context.
*/
exports.secureFunction = function secureFunction(req, res) {
var accessToken = getAccessToken(req.get('Authorization'));
var oauth = new Google.auth.OAuth2();
oauth.setCredentials({access_token: accessToken});
var permission = 'storage.buckets.get';
var gcs = Google.storage('v1');
gcs.buckets.testIamPermissions(
{bucket: BUCKET, permissions: [permission], auth: oauth}, {},
function (err, response) {
if (response && response['permissions'] && response['permissions'].includes(permission)) {
authorized(res);
} else {
res.status(403).send("The request is forbidden.");
}
});
function authorized(res) {
res.send("The request was successfully authorized.");
// The code to execute goes here! :)
}
}
function getAccessToken(header) {
if (header) {
var match = header.match(/^Bearer\s+([^\s]+)$/); //We are looking for an HTTP request with the content Bearer: + a token
if (match) {
return match[1];
}
}
return null;
}
在这种情况下,我们检查启动请求的帐户是否具有storage.buckets.get权限,但只需更改变量权限即可将其更改为任何其他权限。
然后部署函数:
jordim@yrmv-191108:~/cloudfunction$ gcloud beta functions deploy secureFunction --stage-bucket $BUCKET --trigger-http
现在您有一个云功能,只有在收到来自授权帐户的请求时才触发其内容。让我们为之前创建的帐户制作代币:
jordim@yrmv-191108:~/cloudfunction$ gcloud iam service-accounts keys create --iam-account alpha-account@$PROJECT.iam.gserviceaccount.com ./alpha-account.json
jordim@yrmv-191108:~/cloudfunction$ export ALPHA_ACCOUNT_TOKEN=$(GOOGLE_APPLICATION_CREDENTIALS=./alpha-account.json gcloud auth application-default print-access-token)
jordim@yrmv-191108:~/cloudfunction$ gcloud iam service-accounts keys create --iam-account beta-account@$PROJECT.iam.gserviceaccount.com ./beta-account.json
created key [4a9251d7611e74da8b4565657b52b7c940606630] of type [json] as [./beta-account.json] for [beta-account@yrmv-191108.iam.gserviceaccount.com]
jordim@yrmv-191108:~/cloudfunction$ export BETA_ACCOUNT_TOKEN=$(GOOGLE_APPLICATION_CREDENTIALS=./beta-account.json gcloud auth application-default print-access-token)
我们现在在json上有auth令牌,并且还将它们导出为env var以便于测试。让我们向ALPHA用户授予权限,而不是将其提供给BETA用户:
jordim@yrmv-191108:~/cloudfunction$ gsutil acl ch -u alpha-account@$PROJECT.iam.gserviceaccount.com:R gs://auth-123
现在来测试一下:
jordim@yrmv-191108:~/cloudfunction$ curl https://us-central1-yrmv-191108.cloudfunctions.net/secureFunction -H "Authorization: Bearer $ALPHA_ACCOUNT_TOKEN"
The request was successfully authorized.
jordim@yrmv-191108:~/cloudfunction$ curl https://us-central1-yrmv-191108.cloudfunctions.net/secureFunction -H "Authorization: Bearer $BETA_ACCOUNT_TOKEN"
The request is forbidden
您可以将此逻辑应用于任何云功能,除非请求在其标头上附带有效令牌,否则用于拒绝它的资源量极少。