An issue with restricting access to a cloud function based on API key through Cloud Endpoints
I am trying to restrict access to a Google Cloud Function by defining an API key in openapi.yaml:
schemes:
  - https
produces:
  - application/json
security:
  - api_key: []
securityDefinitions:
  api_key:
    type: "apiKey"
    name: "mot"
    in: "query"
paths:
  /:
    get:
      summary: Greet a user
      operationId: hello
Deployment steps:
1. gcloud run deploy apikeytst1 --image="gcr.io/endpoints-release/endpoints-runtime-serverless:2" --allow-unauthenticated --platform managed --project=xxxx
2. gcloud endpoints services deploy apikeytst.yaml --project xxxx
3. ./gcloud_build_image -s apikeytst1-yyyyyyyyy-ew.a.run.app -c 2020-10-08r0 -p xxxx
4. gcloud run deploy apikeytst1 --image="gcr.io/xxxxx/endpoints-runtime-serverless:apikeytst1-yyyyyyyyyy-ew.a.run.app-2020-10-08r0" --allow-unauthenticated --platform managed --project=xxxx
But anyone can invoke the function without the key.
It seems like you followed the information provided by Google in setting up the Swagger specification. It probably has something to do with your Cloud Endpoints deployment or permissions. I would advise you to go through all the Cloud Endpoints steps again carefully. If you correctly deployed Cloud Endpoints as a wrapper around your cloud function, you should not be able to invoke the cloud function directly. Instead, use the Cloud Endpoints endpoint with an API key as a query parameter. One crucial step is to remove the allUsers invoker permissions from your cloud function and add the following:
gcloud functions add-iam-policy-binding FUNCTION_NAME \
    --region FUNCTION_REGION \
    --member "serviceAccount:ESP_PROJECT_NUMBER-compute@developer.gserviceaccount.com" \
    --role "roles/cloudfunctions.invoker" \
    --project FUNCTIONS_PROJECT_ID
Google requests that the first key must be a key with the name "key" or "api_key". After that (in the second and later positions), we can add keys with arbitrary names.
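
A way to check both points raised in the answers above, as an added example that is not part of the original posts: it audits the function's IAM policy (JSON in the shape printed by `gcloud functions get-iam-policy FUNCTION_NAME --format=json`) and the API key definition in the spec. The function names, the sample policies and the project number are constructed for illustration; the spec values are the ones from the question.

```python
import json

INVOKER_ROLE = "roles/cloudfunctions.invoker"
# Members that let callers reach the function without going through the ESP proxy.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Parameter names the second answer says the first API key must use.
KEY_NAMES = {"key", "api_key"}

def audit_policy(policy, esp_member):
    """Return findings for a function IAM policy parsed from JSON."""
    invokers = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == INVOKER_ROLE:
            invokers.update(binding.get("members", []))
    findings = [f"{m} holds {INVOKER_ROLE}: the function can be called without the proxy"
                for m in sorted(invokers & PUBLIC_MEMBERS)]
    if esp_member not in invokers:
        findings.append(f"{esp_member} is missing {INVOKER_ROLE}")
    return findings

def audit_spec(spec):
    """Return findings for the security section of an OpenAPI 2.0 document (dict)."""
    api_keys = [d for d in spec.get("securityDefinitions", {}).values()
                if d.get("type") == "apiKey"]
    if not api_keys:
        return ["no apiKey security definition"]
    findings = []
    if api_keys[0].get("name") not in KEY_NAMES:
        findings.append(f"first apiKey parameter is named {api_keys[0].get('name')!r}")
    return findings

# Constructed sample data: the project number is made up.
ESP_MEMBER = "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
OPEN_POLICY = json.loads("""{"bindings": [
  {"role": "roles/cloudfunctions.invoker", "members": ["allUsers"]}]}""")
LOCKED_POLICY = json.loads("""{"bindings": [
  {"role": "roles/cloudfunctions.invoker",
   "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]}]}""")
# Security section of the spec posted in the question, as a dict.
QUESTION_SPEC = {"security": [{"api_key": []}],
                 "securityDefinitions": {
                     "api_key": {"type": "apiKey", "name": "mot", "in": "query"}}}

if __name__ == "__main__":
    for finding in audit_policy(OPEN_POLICY, ESP_MEMBER) + audit_spec(QUESTION_SPEC):
        print("FINDING:", finding)
```

An empty findings list from both functions means the function is reachable only through the proxy's service account and the key parameter uses one of the names from the second answer.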