Google Cloud功能授权失败
我有一个私有Google Cloud功能.因此,我想使用 Authorization:Bearer token Header对云功能进行身份验证.但是我得到 401 Unauthorized 作为响应.
I have a Private Google Cloud Function. So I want to Authenticate to the Cloud Function with Authorization: Bearer token Header. But I'm getting 401 Unauthorized as the response.
我使用以下方法创建了私有云功能:
I created the private Cloud Function using:
gcloud beta函数部署MyFunction --runtime go111--trigger-http-内存128 --region us-central1-源gs://bucketname/code.zip
gcloud beta functions deploy MyFunction --runtime go111 --trigger-http --memory 128 --region us-central1 --source gs://bucketname/code.zip
我创建了一个服务帐户,并为其分配了访问云功能的权限:
I created a service account and assigned it permission to access the cloud function:
gcloud beta函数add-iam-policy-binding MyFunction--member = serviceAccount:cf-access@my-project.iam.gserviceaccount.com --role = roles/cloudfunctions.admin
gcloud beta functions add-iam-policy-binding MyFunction --member=serviceAccount:cf-access@my-project.iam.gserviceaccount.com --role=roles/cloudfunctions.admin
输出:
bindings:
- members:
- serviceAccount:cf-access@my-project.iam.gserviceaccount.com
role: roles/cloudfunctions.admin
etag: BwWOGyVdpDg=
version: 1
现在,我下载了服务帐户json文件.
Now, I downloaded the service account json file.
因此,现在为了访问Cloud Function,我需要添加带有Bearer令牌的Authorization Header.为了生成承载令牌,我使用以下Java代码:
So now in order to access the Cloud Function, I will need to add the Authorization Header with Bearer token. For generating the bearer token, I use following java code:
String fileName = "path/service-account.json";
FileInputStream keyFileInputStream = new FileInputStream(fileName);
GoogleCredential credential = GoogleCredential.fromStream(keyFileInputStream).createScoped(Collections.singleton(ContainerScopes.CLOUD_PLATFORM));
credential.refreshToken();
String token = credential.getAccessToken();
我在授权标题中使用此令牌.
I use this token in the Authorization Header.
URL-
us-central1- [项目] .cloudfunctions.net/MyFunction
us-central1-[project].cloudfunctions.net/MyFunction
标题-
授权:Bearer ya29.c.YpN3bEGV-H4WyTeLQn9kxxFq1Js7mcMtoESW1C-5HstmEgdaXR_gY_stxnlpJna8IL25VvnpwTg5tFL5OorcfBT2_Qtld7FViffbZRs
Authorization: Bearer ya29.c.YpN3bEGV-H4WyTeLQn9kxxFq1Js7mcMtoESW1C-5HstmEgdaXR_gY_stxnlpJna8IL25VvnpwTg5tFL5OorcfBT2_Qtld7FViTbzHas4AiUUEme7mffXRtZOn29
我使用邮递员发送请求.对于此请求,我得到输出:
I use Postman to send the request. For this request, I get the output:
<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>401 Unauthorized</title>
</head>
<body text=#000000 bgcolor=#ffffff>
<h1>Error: Unauthorized</h1>
<h2>Your client does not have permission to the requested URL
<code>/MyFunction</code>.
</h2>
<h2></h2>
</body>
</html>
可能是什么问题?令牌生成逻辑是否有所不同?
What could be wrong? Is the token generation logic something different?
OAuth令牌有三种类型.刷新令牌,访问令牌,身份令牌.
There are three types of OAuth tokens. Refresh Token, Access Token, Identity Token.
您正在尝试使用OAuth访问令牌而不是OAuth身份令牌.
You are trying to use an OAuth Access Token instead of an OAuth Identity Token.
对于授权,Google Cloud Functions在 authorization:bearer HTTP标头中使用OAuth身份令牌.
For Authorization, Google Cloud Functions uses an OAuth Identity Token in the authorization: bearer HTTP header.
在您的问题中,您没有显示设置IAM成员对Cloud Function的访问权限.这意味着无论您使用什么身份令牌,都将被拒绝.
In your question, you do not show setting up IAM member access to the Cloud Function. That means no matter what Identity Token you use, all will be denied.