Facing challenge to invoke cloud Function from cloud task using oidcToken

Submitted on 2020-12-15 01:38:42


I am facing a challenge invoking a Cloud Function from a Cloud Task using oidcToken.

Here are details of my IAM & Code:

const { CloudTasksClient } = require('@google-cloud/tasks');
const client = new CloudTasksClient();

// See https://cloud.google.com/tasks/docs/tutorial-gcf
module.exports = async (payload, scheduleTimeInSec) => {
  const project = process.env.GOOGLE_APPLICATION_PROJECTID;
  const queue = process.env.QUEUE_NAME;
  const location = process.env.QUEUE_LOCATION;
  const callBackUrl = 'https://asia-south2-trial-288318.cloudfunctions.net/cloud-function-node-expres/';

  // Construct the fully qualified queue name.
  const parent = client.queuePath(project, location, queue);

  // Cloud Tasks expects the HTTP body as a base64-encoded string.
  const body = Buffer.from(JSON.stringify(payload)).toString('base64');

  const task = {
    httpRequest: {
      httpMethod: 'POST',
      url: callBackUrl,
      headers: { 'Content-Type': 'application/json' },
      body: body,
    },
    scheduleTime: {
      seconds: scheduleTimeInSec,
    },
  };

  // Ask Cloud Tasks to attach an OIDC token minted for this service account.
  task.httpRequest.oidcToken = {
    serviceAccountEmail: process.env.GOOGLE_APPLICATION_SERVICE_ACCOUNT_EMAIL,
  };

  const request = {
    parent: parent,
    task: task,
  };

  // Send create task request.
  try {
    let [responses] = await client.createTask(request);

    return ({ sts: true, taskName: responses.name, msg: "Email Schedule Task Created" });
  } catch (e) {
    return ({ sts: true, err: true, errInfo: e, msg: "Unable to Schedule Task. Internal Error." });
  }
};

The process.env.GOOGLE_APPLICATION_SERVICE_ACCOUNT_EMAIL has the Cloud Functions Invoker role, and the Cloud Function has the allAuthenticatedUsers member with the Cloud Functions Invoker role, as per the doc.

But I am still seeing the 401 response received by Cloud Task, and the Cloud Function is not getting called (see image below):

Any comment on this? What's going wrong here?


This seems to be related to the fact that you have created the function in Firebase (guessing from the URL). It seems the "Cloud Functions Invoker" role is not enough for Firebase functions. I have replicated similar behavior on a HelloWorld function from Firebase. The error is different (403), but I hope it will help you to troubleshoot the same way.

After creating helloWorld in Firebase, I tested it with the gcloud command in the following steps:

  1. Create a service account with the role "Cloud Functions Invoker" or use an existing one.
  2. Download a key for the account in JSON.
  3. Change gcloud to act as the service account:
     gcloud auth activate-service-account <service-account@email> --key-file=<key-form-step-2.json>
  4. gcloud functions call helloWorld

As the result of the last action, I got this error:

ERROR: (gcloud.functions.call) ResponseError: status=[403], code=[Forbidden], message=[Permission 'cloudfunctions.functions.call' denied on resource 'projects/functions-asia-test-vitooh/locations/us-central1/functions/helloWorld' (or resource may not exist).]

So I created a custom role in IAM: Cloud Functions Invoker + Firebase, adding the permission from the error message, cloudfunctions.functions.call.

The function started to work with the same gcloud functions call:

executionId: 3fgndpolu981
result: Hello from Firebase!

I think it will work as well. You can try adding the same permission. If it won't work, try the same testing.


  • gcloud auth command
  • create custom role in Cloud IAM
  • gcloud function call
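
An added example, not part of the original question or answer: a pure function that assembles the task from the question and sets oidcToken.audience explicitly, so the identity and audience that Cloud Tasks will request can be checked before createTask is called. Cloud Tasks uses the full target URL as the token audience when none is given; the helper names, and the rule of taking the first path segment of a cloudfunctions.net URL as the function name, are assumptions.

```javascript
// Added example: builds the task object only; nothing is sent to Cloud Tasks.

// Hypothetical helper: keep the origin plus the first path segment (assumed to
// be the function name); drop sub-paths, query string and trailing slash.
function functionAudience(targetUrl) {
  const u = new URL(targetUrl);
  if (u.protocol !== 'https:') {
    throw new Error('OIDC-authenticated targets must use https');
  }
  const [fnName] = u.pathname.split('/').filter(Boolean);
  if (!fnName) {
    throw new Error('target URL has no function name in its path');
  }
  return `${u.origin}/${fnName}`;
}

// Hypothetical helper: same task shape as the question, plus oidcToken.audience.
function buildOidcTask(payload, scheduleTimeInSec, targetUrl, serviceAccountEmail) {
  // Fail at build time when the identity is missing or malformed.
  if (!/^[^@\s]+@[^@\s]+\.gserviceaccount\.com$/.test(serviceAccountEmail || '')) {
    throw new Error('serviceAccountEmail is missing or not a service account address');
  }
  return {
    httpRequest: {
      httpMethod: 'POST',
      url: targetUrl,
      headers: { 'Content-Type': 'application/json' },
      body: Buffer.from(JSON.stringify(payload)).toString('base64'),
      oidcToken: { serviceAccountEmail, audience: functionAudience(targetUrl) },
    },
    scheduleTime: { seconds: scheduleTimeInSec },
  };
}

// Constructed sample values (the URL is the one from the question).
const sampleTask = buildOidcTask(
  { to: 'user@example.com' },
  1700000000,
  'https://asia-south2-trial-288318.cloudfunctions.net/cloud-function-node-expres/',
  'tasks-invoker@example-project.iam.gserviceaccount.com'
);
console.log(JSON.stringify(sampleTask.httpRequest.oidcToken, null, 2));
```

The returned object can be passed as `task` in the `createTask` request from the question.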

