虽然我能够提供一个http触发的GCP云函数并公开调用它,但我似乎无法提供第二个函数以公开调用。
我的Terraform服务帐户分配了编辑器角色。
google_cloudfunctions_function_iam_member.v2invoker: Creating...
╷
│ Error: Error applying IAM policy for cloudfunctions cloudfunction "projects/myproject/locations/us-central1/functions/v2": Error setting IAM policy for cloudfunctions cloudfunction "projects/myproject/locations/us-central1/functions/v2": googleapi: Error 403: Permission 'cloudfunctions.functions.setIamPolicy' denied on resource 'projects/myproject/locations/us-central1/functions/v2' (or resource may not exist).
│
│ with google_cloudfunctions_function_iam_member.v2invoker,
│ on main.tf line 460, in resource "google_cloudfunctions_function_iam_member" "v2invoker":
│ 460: resource "google_cloudfunctions_function_iam_member" "v2invoker" {
澄清-函数资源本身是正确提供的,只有iam_member资源没有。
我的Terraform配置:
resource "google_cloudfunctions_function" "v2" {
name = "v2"
runtime = "nodejs12"
available_memory_mb = 128
source_archive_bucket = google_storage_bucket.functions.name
source_archive_object = google_storage_bucket_object.nodejs_functions.name
entry_point = "v2"
trigger_http = true
}
resource "google_cloudfunctions_function_iam_member" "v2invoker" {
project = google_cloudfunctions_function.v2.project
region = google_cloudfunctions_function.v2.region
cloud_function = google_cloudfunctions_function.v2.name
role = "roles/cloudfunctions.invoker"
member = "allUsers"
}
output "function-v2" {
value = google_cloudfunctions_function.v2.https_trigger_url
}
增加了第一个(成功)函数的地形配置:
resource "google_cloudfunctions_function" "helloWorld" {
name = "helloWorld"
runtime = "nodejs12"
available_memory_mb = 128
source_archive_bucket = google_storage_bucket.functions.name
source_archive_object = google_storage_bucket_object.nodejs_functions.name
entry_point = "helloWorld"
trigger_http = true
}
# IAM entry so all users can invoke the function
resource "google_cloudfunctions_function_iam_member" "invoker" {
project = google_cloudfunctions_function.helloWorld.project
region = google_cloudfunctions_function.helloWorld.region
cloud_function = google_cloudfunctions_function.helloWorld.name
role = "roles/cloudfunctions.invoker"
member = "allUsers"
}
output "function-helloWorld" {
value = google_cloudfunctions_function.helloWorld.https_trigger_url
}
terraform当前使用的服务帐户是我使用"Editor"创建的帐户。作用。
根据GCP IAM文档:
注意:Editor角色包含为大多数Google Cloud服务创建和删除资源的权限。但是,它不包含对所有服务执行所有操作的权限. 有关如何检查角色是否具有所需权限的详细信息,请参阅上面的部分。
您的编辑器角色绝对没有权限对云功能执行cloudfunctions.functions.setIamPolicy操作(如错误消息所述)。
为业务帐号分配roles/cloudfunctions.admin角色
它绝对应该具有与云功能相关的所有权限,包括但不限于在功能上设置IAM策略。