如何使用服务帐户从python代码访问GCP云功能?

时间:2020-01-21 16:23:45

标签: google-cloud-platform google-cloud-functions service-accounts google-iam google-cloud-iam

我已经部署了一个简单的GCP Cloud Function,该函数返回“ Hello World!”。 我需要此功能得到授权。我未标记“允许未经身份验证的调用”复选框,因此只有经过身份验证的调用才能调用此代码。 我还创建了服务帐户并担任下一个角色: -云功能调用者 -云功能服务代理

我的代码:

from google.oauth2 import service_account
from google.auth.transport.urllib3 import AuthorizedHttp

if __name__ == '__main__':
    credentials = service_account.Credentials.from_service_account_file('service-account.json',
        scopes=['https://www.googleapis.com/auth/cloud-platform'],
        subject='service-acc@<project_id>.iam.gserviceaccount.com')
    authed_session = AuthorizedHttp(credentials)
    response = authed_session.urlopen('POST', 'https://us-central1-<project_id>.cloudfunctions.net/main')
    print(response.data)

我得到了答复:

b'\n<html><head>\n<meta http-equiv="content-type" content="text/html;charset=utf-8">\n<title>401 Unauthorized</title>\n</head>\n<body text=#000000 bgcolor=#ffffff>\n<h1>Error: Unauthorized</h1>\n<h2>Your client does not have permission to the requested URL <code>/main</code>.</h2>\n<h2></h2>\n</body></html>\n'

如何获得授权?

2 个答案:

答案 0 :(得分:2)

您的示例代码正在生成访问令牌。以下是一个生成身份令牌并使用该令牌调用Cloud Functions端点的真实示例。该功能需要具有用于授权帐户的Cloud Function Invoker角色。

import json
import base64
import requests

import google.auth.transport.requests
from google.oauth2.service_account import IDTokenCredentials

# The service account JSON key file to use to create the Identity Token
sa_filename = 'service-account.json'

# Endpoint to call
endpoint = 'https://us-east1-replace_with_project_id.cloudfunctions.net/main'

# The audience that this ID token is intended for (example Google Cloud Functions service URL)
aud = 'https://us-east1-replace_with_project_id.cloudfunctions.net/main'

def invoke_endpoint(url, id_token):
    headers = {'Authorization': 'Bearer ' + id_token}

    r = requests.get(url, headers=headers)

    if r.status_code != 200:
        print('Calling endpoint failed')
        print('HTTP Status Code:', r.status_code)
        print(r.content)
        return None

    return r.content.decode('utf-8')

if __name__ == '__main__':
    credentials = IDTokenCredentials.from_service_account_file(
            sa_filename,
            target_audience=aud)

    request = google.auth.transport.requests.Request()

    credentials.refresh(request)

    # This is debug code to show how to decode Identity Token
    # print('Decoded Identity Token:')
    # print_jwt(credentials.token.encode())

    response = invoke_endpoint(endpoint, credentials.token)

    if response is not None:
        print(response)

答案 1 :(得分:0)

该错误是由于未验证呼叫而引起的。

由于现在从您的本地主机this进行的呼叫应该对您有用。

curl https://REGION-PROJECT_ID.cloudfunctions.net/FUNCTION_NAME \
  -H "Authorization: bearer $(gcloud auth print-identity-token)"

这将使用您在本地主机上在gcloud上处于活动状态的帐户进行呼叫。

进行呼叫的帐户必须具有 Cloud Functions Invoker

角色

将来只需确保服务正在调用此函数就具有上述角色。

相关问题
最新问题