google-cloud-platform - 如何为 Cloud Functions 创建的 Google Cloud Task 授予权限

我有两个 Google Cloud Functions,其中一个“调用者”创建一个云任务,然后调用一个绑定到不同云函数“工作者”的 http 端点

当我将 allUsers 作为 Cloud Functions Invoker 分配给工作函数时,这是可行的。当我删除此权限并将调用者函数服务帐户分配为调用者时,它会失败。我究竟做错了什么?

如果有任何代码有助于诊断这一点,请告诉我。这似乎不是代码问题,因为相同的代码通过或失败取决于我设置的权限。我的权限如下所示:

...@appspot.gserviceaccount.com     App Engine default service account Cloud Functions Invoker 



export function main(
project:any, // Your GCP Project id
queue:any, // Name of your Queue
location:any, // The GCP region of your queue
url:any, // The full url path that the request will be sent to
payload:any, // The task HTTP request body
inSeconds = 0 // Delay in task execution
) {
// [START cloud_tasks_create_http_task]
// Imports the Google Cloud Tasks library.
const {CloudTasksClient} = require('@google-cloud/tasks');

// Instantiates a client.
const client = new CloudTasksClient();

async function createHttpTask() {
    // TODO(developer): Uncomment these lines and replace with your values.
    // const project = 'my-project-id';
    // const queue = 'my-queue';
    // const location = 'us-central1';
    // const url = 'https://example.com/taskhandler';
    // const payload = 'Hello, World!';
    // const inSeconds = 180;

    // Construct the fully qualified queue name.
    const parent = client.queuePath(project, location, queue);

    const task = {
        httpRequest: {
            httpMethod: 'POST',
            url,
            body: '',
            headers: {
                "Content-Type": "application/json",
            },
        },
        scheduleTime: {}
    };

    if (payload) {
        const convertedPayload = JSON.stringify(payload);
        task.httpRequest.body = Buffer.from(convertedPayload).toString('base64');
    }

    if (inSeconds) {
        // The time when the task is scheduled to be attempted.
        task.scheduleTime = {
            seconds: inSeconds + Date.now() / 1000,
        };
    }

    // Send create task request.
    console.log('Sending task:');
    console.log(task);
    const request = {parent: parent, task: task};
    const [response] = await client.createTask(request);
    console.log(`Created task ${response.name}`);
}
createHttpTask();
// [END cloud_tasks_create_http_task]

}

回答1

哦,好吧,你忘记了 https://cloud.google.com/tasks/docs/creating-http-target-tasks#node.js_1

const task = {
        httpRequest: {
            httpMethod: 'POST',
            url,
            body: '',
            headers: {
                "Content-Type": "application/json",
            },
######### This part is missing #############
            oidcToken: {
                 serviceAccountEmail,
            },
######### End of missing part  #############
        },
        scheduleTime: {}
    };

设置您要用于调用云功能的服务帐户电子邮件,当然是有权调用云功能的服务帐户,它应该可以工作。

相似文章

最新文章