从云函数调用(私有)云函数

Question

我一直得到403的测试代码如下。是只有我一个人，还是在同一个项目中调用一个函数过于复杂？我做了一些这里和这里的研究。

我已经在这两个函数的默认服务帐户上设置了云函数调用程序。和allow internal traffic

所以我已经尝试了下面这两种密码。令牌被打印到第一个函数的日志中，那么为什么我仍然得到403呢？

Script1:

const axios = require("axios");
/**
 * Responds to any HTTP request.
 *
 * @param {!express:Request} req HTTP request context.
 * @param {!express:Response} res HTTP response context.
 */
exports.helloWorld = async (req, res) => {
  console.log(JSON.stringify(process.env));

  const sample_api_url = `https://someRegionAndSomeProject.cloudfunctions.net/sample-api`;
  const metadataServerURL =
    "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=";
  const tokenUrl = metadataServerURL + sample_api_url;

  // Fetch the token
  const tokenResponse = await axios(tokenUrl, {
    method: "GET",
    headers: {
      "Metadata-Flavor": "Google",
    },
  });

  const token = tokenResponse.data;

  console.log(token);

  const functionResponse = await axios(sample_api_url, {
    method: "GET",
    headers: {
      Authorization: `Bearer ${token}`,
      "Content-Type": "application/json",
    },
  });
  
  const data = functionResponse.data;
  console.log(data);
  res.status(200).json({ token, data });
};

Script2:

const {GoogleAuth} = require('google-auth-library');
/**
 * Responds to any HTTP request.
 *
 * @param {!express:Request} req HTTP request context.
 * @param {!express:Response} res HTTP response context.
 */
exports.helloWorld = async (req, res) => {

const url = 'https://someRegionAndSomeProject.cloudfunctions.net/sample-api';
const targetAudience = url;
const auth = new GoogleAuth();
const client = await auth.getIdTokenClient(targetAudience);
const response = await client.request({url});

res.status(200).json({data: response.data})

};

Answer 1

基于你的帖子，我创造了一个对我有用的样本。我创建了两个GCP函数"func1“和"func2”。然后，我决定了如何从func2中调用func1，其中func2仅暴露于运行func1的服务帐户标识中。

func1的最终代码如下：

const func2Url = 'https://us-central1-XXX.cloudfunctions.net/func2';
const targetAudience = func2Url;
const {GoogleAuth} = require('google-auth-library');
const auth = new GoogleAuth();

async function request() {
  console.info(`request ${func2Url} with target audience ${targetAudience}`);
  const client = await auth.getIdTokenClient(targetAudience);
  const res = await client.request({url: func2Url});
  console.info(res.data);
  return res;
}


exports.func1 = async (req, res) => {
  let message = `Hello from func1`;
  try {
    let response = await request();
    res.status(200).send(`${message} + ${response.data}`);
  }
  catch(e) {
    console.log(e);
    res.status(500).send('failed');
  }
};

这里使用的主要菜谱是Google 这里中描述的。我还发现这个中篇很有用。