Request from Cloud Function to App Engine returns error 401

Published 2024-06-16 13:59:36


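I'm trying to send requests from a Cloud Function to several App Engine endpoints deployed on the default GAE service. My code is quite simple:

Cloud Function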

main.py

import logging
import requests

def main(event, context):
    bucketname = event['bucket']
    filename = event['name']
    endpoint = ''  # Placeholder: some logic extracting the endpoint to be used
    url = 'https://myproject.ew.r.appspot.com/{}'.format(endpoint)
    data = {
        'bucketname': bucketname,
        'filename': filename
    }
    r = requests.post(url, json=data)
    logging.info(r)
    return str(r)

The Cloud Function is deployed with:

gcloud functions deploy storage_to_gae --runtime python37 --trigger-resource $BUCKETNAME --trigger-event google.storage.object.finalize --region $REGION --source gcf/ --entry-point main --service-account cf-sa@myproject.iam.gserviceaccount.com

The service account used by the function has been granted the Service Account User (roles/iam.serviceAccountUser) role.

App Engine

app.yml

runtime: python37
service: default

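However, the request never reaches App Engine, since no logs show up on the GAE service. The request returns a <Response [401]> error code, so it seems the CF cannot access the App Engine service.

What other roles do I need to give my cf-sa@myproject.iam.gserviceaccount.com service account? I'm deploying on a client's environment, so I have limited permissions and have to ask for the exact roles needed.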


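1 Answer
User
#1 · Posted 2024-06-16 13:59:36

After asking my client's GCP team, it turned out they use IAP to manage access.

I followed the instructions in this documentation and was able to send requests to the GAE endpoints.

Here is my final code: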

import logging

import requests
from google.oauth2 import id_token
from google.auth.transport.requests import Request

def make_iap_request(url, client_id, method='POST', **kwargs):
    """Makes a request to an application protected by Identity-Aware Proxy.

    Args:
        url: The Identity-Aware Proxy-protected URL to fetch.
        client_id: The client ID used by Identity-Aware Proxy.
        method: The request method to use
                    ('GET', 'OPTIONS', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE')
        **kwargs: Any of the parameters defined for the request function:
                        https://github.com/requests/requests/blob/master/requests/api.py
                        If no timeout is provided, it is set to 90 by default.

    Returns:
      The response body as text. HTTP error statuses are not raised here.
    """
    # Set the default timeout, if missing
    if 'timeout' not in kwargs:
        kwargs['timeout'] = 90

    # Obtain an OpenID Connect (OIDC) token from metadata server or using service
    # account. The IAP client ID is passed as the token's audience.
    open_id_connect_token = id_token.fetch_id_token(Request(), client_id)

    # Fetch the Identity-Aware Proxy-protected URL, including an
    # Authorization header containing "Bearer " followed by a
    # Google-issued OpenID Connect token for the service account.
    resp = requests.request(
        method, url,
        headers={'Authorization': 'Bearer {}'.format(
            open_id_connect_token)}, **kwargs)

    return resp.text

def main(event, context):
    bucketname = event['bucket']
    filename = event['name']

    endpoint = ''  # Placeholder: some logic extracting the endpoint to be used
    url = 'https://myproject.ew.r.appspot.com/{}'.format(endpoint)
    data = {
        'bucketname': bucketname,
        'filename': filename
    }
    client_id = 'myclientid'

    r = make_iap_request(url, client_id, 'POST', json=data)
    # Log the response body returned by the IAP-protected endpoint
    logging.info(r)
    return str(r)
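
As an added example (not part of the original answer), the following diagnostic decodes the claims of an ID token such as the one returned by fetch_id_token and checks that its aud claim equals the IAP client ID and that it has not expired, which helps when a call like the one above still returns 401. The function names and the sample tokens are constructed for illustration; the payload is decoded without signature verification, so this is a debugging aid and not a token validation routine.

```python
import base64
import json
import time


def _b64url(data):
    """Base64url-encode bytes without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def iap_token_problems(token, client_id, now=None):
    """Return reasons this ID token would not match the given IAP client ID."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems = []
    if claims.get("aud") != client_id:
        problems.append("aud {!r} != IAP client ID {!r}".format(
            claims.get("aud"), client_id))
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def make_sample_token(aud, exp):
    """Build an unsigned, constructed token with an ID-token-like payload."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"aud": aud, "exp": exp}).encode())
    return "{}.{}.{}".format(header, body, _b64url(b"constructed-no-signature"))


if __name__ == "__main__":
    # Constructed samples: one minted for the client ID, one for the app URL.
    good = make_sample_token("myclientid", 2000)
    bad = make_sample_token("https://myproject.ew.r.appspot.com/", 2000)
    print(iap_token_problems(good, "myclientid", now=1000))
    print(iap_token_problems(bad, "myclientid", now=1000))
```
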
