我正在尝试按照article来配置Cloud Functions上的端点。
已执行以下步骤:
1)创建一个Google Cloud Platform(GCP)项目,并部署以下Cloud Function。
export const TestPost = (async (request: any, response: any) => {
response.send('Record created.');
});
使用以下命令
gcloud functions deploy TestPost --runtime nodejs10 --trigger-http --region=asia-east2
功能到现在为止都很好。
2)使用以下命令将ESP容器部署到Cloud Run
gcloud config set run/region us-central1
gcloud beta run deploy CLOUD_RUN_SERVICE_NAME \
--image="gcr.io/endpoints-release/endpoints-runtime-serverless:1.30.0" \
--allow-unauthenticated \
--project=ESP_PROJECT_ID
ESP容器也已成功部署。
3)创建描述该API的OpenAPI文档,并配置到Cloud Functions的路由。
swagger: '2.0'
info:
title: Cloud Endpoints + GCF
description: Sample API on Cloud Endpoints with a Google Cloud Functions backend
version: 1.0.0
host: HOST
schemes:
- https
produces:
- application/json
paths:
/Test:
get:
summary: Do something
operationId: Test
x-google-backend:
address: https://REGION-FUNCTIONS_PROJECT_ID.cloudfunctions.net/Test
responses:
'200':
description: A successful response
schema:
type: string
4)使用以下命令部署OpenAPI文档
gcloud endpoints services deploy swagger.yaml
5)配置ESP,以便它可以找到Endpoints服务的配置。
gcloud beta run configurations update \
--service CLOUD_RUN_SERVICE_NAME \
--set-env-vars ENDPOINTS_SERVICE_NAME=YOUR_SERVICE_NAME \
--project ESP_PROJECT_ID
gcloud alpha functions add-iam-policy-binding FUNCTION_NAME \
--member "serviceAccount:ESP_PROJECT_NUMBER-compute@developer.gserviceaccount.com" \
--role "roles/iam.cloudfunctions.invoker" \
--project FUNCTIONS_PROJECT_ID
这成功完成了
6)向API发送请求
完全可以。
现在我想实施身份验证,因此我对OpenAPI文档进行了以下更改
swagger: '2.0'
info:
title: Cloud Endpoints + GCF
description: Sample API on Cloud Endpoints with a Google Cloud Functions backend
version: 1.0.0
host: HOST
schemes:
- https
produces:
- application/json
security:
- client-App-1: [read, write]
paths:
/Test:
get:
summary: Do something
operationId: Test
x-google-backend:
address: https://REGION-FUNCTIONS_PROJECT_ID.cloudfunctions.net/Test
responses:
'200':
description: A successful response
schema:
type: string
securityDefinitions:
client-App-1:
authorizationUrl: ""
flow: "implicit"
type: "oauth2"
scopes:
read: Grants read access
write: Grants write access
x-google-issuer: SERVICE_ACCOUNT@PROJECT.iam.gserviceaccount.com
x-google-jwks_uri: https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT@PROJECT.iam.gserviceaccount.com
我使用以下命令创建了一个服务帐户。
gcloud iam service-accounts create SERVICE_ACCOUNT_NAME --display-name DISPLAY_NAME
使用以下服务授予帐户的令牌创建者角色
gcloud projects add-iam-policy-binding PROJECT_ID --member serviceAccount:SERVICE_ACCOUNT_EMAIL --role roles/iam.serviceAccountTokenCreator
重新部署OpenAPI文档
gcloud endpoints services deploy swagger.yaml
现在,当我测试API时,出现以下错误
{
"code": 16,
"message": "JWT validation failed: BAD_FORMAT",
"details": [
{
"@type": "type.googleapis.com/google.rpc.DebugInfo",
"stackEntries": [],
"detail": "auth"
}
] }
我正在使用BearerToken将通过gcloud生成的访问令牌传递到请求中
用于生成访问令牌的cmd为gcloud auth application-default print-access-token
有人可以指出这里的问题是什么。谢谢...
编辑#1: 我正在使用Postman连接到我的API
使用以下命令后,我得到了另一个错误。
命令:
gcloud auth print-identity-token SERVICE_ACCOUNT_EMAIL
错误:
{
"code": 16,
"message": "JWT validation failed: Issuer not allowed",
"details": [
{
"@type": "type.googleapis.com/google.rpc.DebugInfo",
"stackEntries": [],
"detail": "auth"
}
]
}
答案 0 :(得分:1)
对于ESP,应使用jwt-token或身份令牌。无法访问令牌。请检出this。
答案 1 :(得分:0)
最后,我的经理来解决这个问题。
两件事错了。
1)原始JWT令牌的格式,应如下所示
{
"iss": SERVICE_ACCOUNT_EMAIL,
"iat": 1560497345,
"aud": ANYTHING_WHICH_IS_SAME_AS_IN_OPENAPI_YAML_FILE,
"exp": 1560500945,
"sub": SERVICE_ACCOUNT_EMAIL
}
然后我们需要使用以下命令生成一个签名的JWT令牌
gcloud beta iam service-accounts sign-jwt --iam-account SERVICE_ACCOUNT_EMAIL raw-jwt.json signed-jwt.json
2)YAML文件中的安全性定义应如下所示
securityDefinitions:
client-App-1:
authorizationUrl: ""
flow: "implicit"
type: "oauth2"
scopes:
read: Grants read access
write: Grants write access
x-google-issuer: SERVICE_ACCOUNT_EMAIL
x-google-jwks_uri: "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL
x-google-audiences: ANYTHING_BUT_SAME_AS_IN_RAW_JWT_TOKEN