
Is there a way to create firewall rules for my Google Cloud Functions HTTP endpoints?


Just wanted to check whether this is already available or on the roadmap and I simply missed it. While building my functions for an important project, I would like to apply some firewall rules to restrict network access to some of my Google Cloud Functions (HTTP endpoint triggers), for several reasons (security, avoiding a huge bill if there are sudden charges caused by spam requests, etc.).

Is this available or in the pipeline? If not, how do you restrict access to a specific function so that only some Google Compute Engine instances, other GCFs and other Google Cloud-side services (Firestore, Storage, PubSub ...) are allowed?

1 Answer

  • 2

    What you should look at is not just firewall rules, but authenticating your requests to the Cloud Function using Access Tokens.

    Here there is a good example on how to do this .

    Basically, you will create an HTTP-triggered Cloud Function.

    First create a bucket; mine is called auth-123. Then go into Cloud Shell and define the project name and the bucket as environment variables:

    jordim@yrmv-191108:~$ export BUCKET=auth-123
    jordim@yrmv-191108:~$ export PROJECT=yrmv-191108
    

    Create a couple of service accounts:

    jordim@yrmv-191108:~$ gcloud iam service-accounts create alpha-account --display-name "Account 1"
    jordim@yrmv-191108:~$ gcloud iam service-accounts create beta-account --display-name "Account 2"
    Created service account [beta-account].
    

    Now to create the function! In a folder on Cloud Shell, first create a package.json with the dependencies:

    jordim@yrmv-191108:~/cloudfunction$ cat > package.json
    {
      "dependencies": {
        "googleapis": "21.2"
      }
    }
    

    Now the function itself:

    const Google = require('googleapis');
    const BUCKET = 'auth-123'; // Replace with name of your bucket

    /**
     * Cloud Function.
     *
     * @param {Object} req Cloud Function request context.
     * @param {Object} res Cloud Function response context.
     */
    exports.secureFunction = function secureFunction(req, res) {
        var accessToken = getAccessToken(req.get('Authorization'));
        if (!accessToken) {
            // No usable token at all: reject before spending an API call on it.
            res.status(401).send("Missing or malformed Authorization header.");
            return;
        }
        var oauth = new Google.auth.OAuth2();
        oauth.setCredentials({access_token: accessToken});

        // The caller is authorized if the token it presented holds this
        // permission on BUCKET; change the variable to check any other permission.
        var permission = 'storage.buckets.get';
        var gcs = Google.storage('v1');
        gcs.buckets.testIamPermissions(
            {bucket: BUCKET, permissions: [permission], auth: oauth}, {},
            function (err, response) {
                // testIamPermissions echoes back only the permissions the caller
                // actually holds, so an API error or an empty list both mean "no".
                if (!err && response && response['permissions'] && response['permissions'].includes(permission)) {
                    authorized(res);
                } else {
                    res.status(403).send("The request is forbidden.");
                }
            });
    };

    function authorized(res) {
        res.send("The request was successfully authorized.");
        // The code to execute goes here! :)
    }

    // Extract the token from a header of the form "Authorization: Bearer <token>".
    function getAccessToken(header) {
        if (header) {
            var match = header.match(/^Bearer\s+([^\s]+)$/);
            if (match) {
                return match[1];
            }
        }
        return null;
    }
    

    In this case we check whether the account that originated the request has the storage.buckets.get permission, but you can check any other permission just by changing the permission variable.

    Then deploy the function:

    jordim@yrmv-191108:~/cloudfunction$ gcloud beta  functions deploy secureFunction --stage-bucket $BUCKET --trigger-http
    

    Now you have a Cloud Function that only runs its content when it receives a request from an authorized account. Let's create tokens for the accounts created earlier:

    jordim@yrmv-191108:~/cloudfunction$ gcloud iam service-accounts keys create --iam-account alpha-account@$PROJECT.iam.gserviceaccount.com ./alpha-account.json
    jordim@yrmv-191108:~/cloudfunction$ export ALPHA_ACCOUNT_TOKEN=$(GOOGLE_APPLICATION_CREDENTIALS=./alpha-account.json gcloud auth application-default print-access-token)

    jordim@yrmv-191108:~/cloudfunction$ gcloud iam service-accounts keys create --iam-account beta-account@$PROJECT.iam.gserviceaccount.com ./beta-account.json
    created key [4a9251d7611e74da8b4565657b52b7c940606630] of type [json] as [./beta-account.json] for [beta-account@yrmv-191108.iam.gserviceaccount.com]
    jordim@yrmv-191108:~/cloudfunction$ export BETA_ACCOUNT_TOKEN=$(GOOGLE_APPLICATION_CREDENTIALS=./beta-account.json gcloud auth application-default print-access-token)
    

    We now have the auth tokens in JSON files and have also exported them as env vars for easy testing. Let's grant the permission to the ALPHA user and not to the BETA user:

    jordim@yrmv-191108:~/cloudfunction$ gsutil acl ch -u alpha-account@$PROJECT.iam.gserviceaccount.com:R gs://auth-123
    

    Now to test:

    jordim@yrmv-191108:~/cloudfunction$ curl https://us-central1-yrmv-191108.cloudfunctions.net/secureFunction -H "Authorization: Bearer $ALPHA_ACCOUNT_TOKEN"
    The request was successfully authorized.
    
    jordim@yrmv-191108:~/cloudfunction$ curl https://us-central1-yrmv-191108.cloudfunctions.net/secureFunction -H "Authorization: Bearer $BETA_ACCOUNT_TOKEN"
    The request is forbidden
    

    You can apply this logic to any Cloud Function; unless the request carries a valid token in its header, it is rejected using a minimal amount of resources.
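The authorization logic in the answer above, as an added example that is not part of the original answer: the bearer-token check is split into pure, testable pieces and the permission lookup is injected, so the failure modes a practitioner has to get right (missing header, invalid token, IAM API error, partial permission grant) can be exercised offline. The names parseBearerToken, authzDecision, makeSecureHandler, fakeCheckPermissions and FAKE_GRANTS, and the sample tokens, are illustrative assumptions. In production the injected checker would be the googleapis client's storage.buckets.testIamPermissions, whose callback delivers (err, response) exactly as modelled here.

```javascript
// Added example (not from the original answer). Helper names and sample
// tokens are assumptions for illustration.

// RFC 6750: the scheme is case-insensitive and the token is base64url-like.
// Returns the token, or null if the header is missing or malformed.
function parseBearerToken(header) {
  if (typeof header !== 'string') return null;
  const match = header.trim().match(/^Bearer\s+([A-Za-z0-9\-._~+\/]+=*)$/i);
  return match ? match[1] : null;
}

// Turn the outcome of testIamPermissions into an HTTP decision.
//  * no token           -> 401: the caller never authenticated
//  * API says 401       -> 401: token invalid or expired (googleapis errors
//                          carry the HTTP status in err.code)
//  * other API error    -> 502: fail closed, never "authorized" by accident
//  * missing permission -> 403: the API echoes back only the permissions
//                          actually held, so require every one requested
function authzDecision(requiredPermissions, token, err, response) {
  if (token === null) {
    return { status: 401, body: 'Missing or malformed Authorization header.' };
  }
  if (err) {
    return err.code === 401
      ? { status: 401, body: 'Invalid or expired token.' }
      : { status: 502, body: 'Could not verify permissions.' };
  }
  const granted = new Set((response && response.permissions) || []);
  const ok = requiredPermissions.every((p) => granted.has(p));
  return ok
    ? { status: 200, body: 'The request was successfully authorized.' }
    : { status: 403, body: 'The request is forbidden.' };
}

// checkPermissions(token, bucket, permissions, cb) mirrors the googleapis
// callback shape, so in production it can be:
//   (token, bucket, perms, cb) => gcs.buckets.testIamPermissions(
//       { bucket, permissions: perms, auth: oauthFor(token) }, {}, cb)
function makeSecureHandler({ bucket, requiredPermissions, checkPermissions, onAuthorized }) {
  return function secureFunction(req, res) {
    const token = parseBearerToken(req.get('Authorization'));
    if (token === null) {
      const d = authzDecision(requiredPermissions, token);
      return res.set('WWW-Authenticate', 'Bearer').status(d.status).send(d.body);
    }
    checkPermissions(token, bucket, requiredPermissions, (err, response) => {
      const d = authzDecision(requiredPermissions, token, err, response);
      if (d.status !== 200) return res.status(d.status).send(d.body);
      onAuthorized(req, res);
    });
  };
}

// ---- constructed sample data and a fake checker so this runs offline ----
// Two made-up tokens standing in for the alpha and beta service accounts.
const FAKE_GRANTS = { 'tok-alpha': ['storage.buckets.get'], 'tok-beta': [] };

function fakeCheckPermissions(token, bucket, permissions, cb) {
  if (!(token in FAKE_GRANTS)) {
    return cb(Object.assign(new Error('Invalid Credentials'), { code: 401 }));
  }
  const held = new Set(FAKE_GRANTS[token]);
  cb(null, { permissions: permissions.filter((p) => held.has(p)) });
}

// Minimal stand-ins for the Express req/res objects Cloud Functions provides.
function fakeReq(authHeader) {
  return { get: (name) => (name.toLowerCase() === 'authorization' ? authHeader : undefined) };
}
function fakeRes() {
  return {
    statusCode: 200, headers: {}, body: undefined,
    set(k, v) { this.headers[k] = v; return this; },
    status(c) { this.statusCode = c; return this; },
    send(b) { this.body = b; return this; },
  };
}

// Drive the handler with the sample headers; returns a map of case -> status.
function runSample() {
  const handler = makeSecureHandler({
    bucket: 'auth-123',
    requiredPermissions: ['storage.buckets.get'],
    checkPermissions: fakeCheckPermissions,
    onAuthorized: (req, res) => res.status(200).send('The request was successfully authorized.'),
  });
  const cases = {
    alpha: 'Bearer tok-alpha',      // holds the permission
    beta: 'Bearer tok-beta',        // authenticated, but not granted
    lowercase: 'bearer tok-alpha',  // scheme is case-insensitive
    bogus: 'Bearer tok-nobody',     // token the IAM API rejects
    basic: 'Basic dXNlcjpwYXNz',    // wrong scheme
    none: undefined,                // no header at all
  };
  const out = {};
  for (const [name, header] of Object.entries(cases)) {
    const res = fakeRes();
    handler(fakeReq(header), res);
    out[name] = res.statusCode;
  }
  return out;
}

console.log(runSample());
```

The point of separating authzDecision from the transport is that the fail-closed rules are visible in one place: an unreachable or erroring IAM API yields 502, not a pass, and a token that holds only some of the requested permissions yields 403 because testIamPermissions returns the subset the caller actually has rather than a boolean.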
