问题
I'm creating Google Cloud HTTP Function using my python script as follows:
gcloud beta functions deploy " + function_name + " --runtime go111 --trigger-http --memory 128 --region " + cloud_region + " --source " + function_path + " --service-account " + my_service_account
Allow unauthenticated invocations of new function [ExecuteFunctionTest]? (y/N)? N
WARNING: Function created with default IAM policy. To enable unauthorized access consider "gcloud alpha functions add-iam-policy-binding function_name --region=us-central1 --member=allUsers --role=roles/cloudfunctions.invoker"
Then when I do:
gcloud beta functions get-iam-policy function_name
I get the following output:
bindings:
- members:
- allUsers
role: roles/cloudfunctions.invoker
etag: BwWOGyVdpDg=
version: 1
Why is 'allUsers' a member here?
The documentation https://cloud.google.com/functions/docs/securing/authenticating and https://cloud.google.com/functions/docs/securing/managing-access says that:
all Cloud Functions are deployed privately, which means that they can't be accessed without providing authentication credentials in the request.
By default, HTTP Functions are only callable by project owners, editors, and Cloud Functions Admins and Developers.
But I'm able to access the Cloud Function URL using a simple curl command or Postman client without any credentials from outside the project.
What could be causing the Cloud Function to have the 'allUsers' member and be Publicly accessible?
回答1:
The new IAM features are part of the beta command set. You are using the general availability deployment (GA) commands. Delete your function, then use gcloud beta functions deploy ...
回答2:
You can set access with the next command
https://cloud.google.com/sdk/gcloud/reference/alpha/functions/add-iam-policy-binding
and remove allUsers with the next one
https://cloud.google.com/sdk/gcloud/reference/alpha/functions/remove-iam-policy-binding
example: gcloud alpha functions add-iam-policy-binding function_name --region=us-central1 --member=user:your.email@gmail.com --role=roles/cloudfunctions.invoker
gcloud alpha functions remove-iam-policy-binding function_name --region=us-central1 --member=allUsers --role=roles/cloudfunctions.invoker
回答3:
The allUsers permission on http functions is default behavior. You can (and maybe should!) remove iam permissions with:
gcloud alpha functions remove-iam-policy-binding ...
This default behavior for HTTP functions will change after November 1, 2019. Currently, new HTTP functions allow unauthenticated invocation by default. New HTTP functions created after November 1, 2019 will require authentication by default. You can specify whether a function allows unauthenticated invocation at or after deployment.
Source
来源:https://stackoverflow.com/questions/57122047/google-cloud-function-not-created-with-private-access