serverless-google-cloudfunctions
serverless-google-cloudfunctions copied to clipboard
serverless
fix: update the method by which IAM roles are applied
This implementation is a pretty sizable departure of the previous implementation attempt (https://github.com/serverless/serverless-google-cloudfunctions/pull/219) which did not work as anticipated (https://github.com/serverless/serverless-google-cloudfunctions/issues/222) because it seems like the documented configuration/behavior for setting via deploymentmanager does not work as expected.
This approach does offer a bit better granularity of how functions IAM policies can be defined though, which is nice.
IAM roles are applied after a function is deployed/updated.
Serverless: Packaging service...
Serverless: Excluding development dependencies...
Serverless: Compiling function "first"...
Serverless: Uploading artifacts...
Serverless: Artifacts successfully uploaded...
Serverless: Updating deployment...
Serverless: Checking deployment update progress...
..........................
Serverless: Done...
Serverless: Setting IAM policies...
Service Information
...
Note: In order to apply IAM policies to functions, the serviceaccount you are using for serverless deploys will need the cloudfunctions.functions.setIamPolicy permission. This permission is not granted by the default cloudfunctions roles so will require you to create a custom policy.
If you do not have the appropriate permissions, you should get an error message stating you lack the permission:
Error --------------------------------------------------
Error: Permission 'cloudfunctions.functions.setIamPolicy' denied on resource 'projects/project/locations/us-central1/functions/test-svc-dev-first' (or resource may not exist).
at Gaxios._request (/Users/edaniszewski/dev/edaniszewski/serverless-google-cloudfunctions/node_modules/gaxios/src/gaxios.ts:108:15)
at processTicksAndRejections (internal/process/task_queues.js:89:5)
at JWT.requestAsync (/Users/edaniszewski/dev/edaniszewski/serverless-google-cloudfunctions/node_modules/google-auth-library/build/src/auth/oauth2client.js:341:18)
IAM policies can be set a number of different ways.
Globally
service: test-svc
provider:
name: google
runtime: python37
region: us-central1
project: project-name
credentials: ~/.gcloud/keyfile.json
# allowUnauthenticated mirrors the gcloud command line --allow-unauthenticated which
# adds the 'roles/cloudfunctions.invoker' role for the 'allUsers' member. Setting it globally
# applies it to all configured functions.
allowUnauthenticated: true
# Finer-grained IAM settings. This allows you to specify any number of bindings for functions,
# whether they are for built-in roles or custom roles. Setting it globally here applies the bindings
# to all configured functions.
iam:
bindings:
- role: roles/cloudfunctions.invoker
members:
- user:[email protected]
...
Per-function
service: test-svc
provider:
name: google
runtime: python37
region: us-central1
project: project-name
credentials: ~/.gcloud/keyfile.json
functions:
first:
handler: http
events:
- http: path
# Sets 'roles/cloudfunctions.invoker' for 'allUsers' for this function
allowUnauthenticated: true
# Custom IAM declarations for this function.
iam:
bindings:
- role: roles/cloudfunctions.invoker
members:
- user:[email protected]
Reference on how to define members: https://cloud.google.com/iam/docs/reference/rest/v1/Policy#Binding
IAM policies are merged between the global/function-local scope as well. This definition:
service: test-svc
provider:
name: google
runtime: python37
region: us-central1
project: project-name
credentials: ~/.gcloud/keyfile.json
iam:
bindings:
- role: roles/cloudfunctions.invoker
members:
- user:[email protected]
- role: customRole
members:
- allUsers
functions:
first:
handler: http
events:
- http: path
allowUnauthenticated: true
iam:
bindings:
- role: roles/cloudfunctions.admin
members:
- user:[email protected]
- role: roles/cloudfunctions.invoker
members:
- user:[email protected]
the full set of IAM policies would get merged to
- role: roles/cloudfunctions.invoker
members:
- allUsers
- user:[email protected]
- user:[email protected]
- role: customRole
members:
- allUsers
- role: roles/cloudfunctions.admin
members:
- user:[email protected]
There are some caveats with this approach which this PR does not address:
- If you deploy a function with an IAM binding and later remove that IAM binding from your serverless config, the IAM binding is not removed from the function. I didn't see any API documentation (https://cloud.google.com/functions/docs/reference/rest/v1/projects.locations.functions) for how to remove IAM bindings, so to do this, you would need to
sls removeand re-deploy. - If setting IAM policies fail, the deployment is not cleaned up. I think this is okay behavior. The
sls deploycommand will fail, but since IAM policies are applied to functions after deployment manager is setup and creates the functions, a failure to set policy will not automatically remove functions. - There is currently no explicit check that the configured IAM policies were applied. This could be added in the future if needed, but it seems like its already implicitly there by virtue of the
setIamPolicycall failing or not.
Fixes #222
Also related:
- #205
I've updated the PR with some of your recommendations. I'm not sure I've handled the orphaned promises correctly, so I may need further guidance there.
I also didn't move towards using native promises instead of bluebird since it feels like transitioning from bluebird to native is a bit out-of-scope for this PR and feels to me like that project-wide change should be in its own PR
it feels like transitioning from bluebird to native is a bit out-of-scope for this PR
Yes definitely, but to avoid increase of technical debt we should not introduce any new code on Bluebird (it's not a problem to use native promises together with Bluebird). Any new code should be constructed with async/await and native promises.
@medikoo - sorry for the delay here and being a bother, but do you know of any examples (e.g. in the serverless repo or elsewhere) of migrating from bluebird to native promises? I'm a bit new to JS promises, and even though I feel kinda close to getting it right, I'm hoping there is an example for me to use as a reference and validate against.
Wondering what needs to be done for this merge? New to OSS but would love IAM capabilities with GCP Functions
Just throwing in my two cents, would love for the PR to be merged as I'm looking for a way to "allowUnauthenticated" on deploy as opposed to having to manually add the permission per function in google cloud console.
@KavinJey @mrlucasrib @cgossain Do you think you can finalize this PR? Aside of suggestions pointed in review process it needs now updating with master
Any plans for merging this PR soon? I am looking for the "allowUnauthenticated" option.
Any status update on this? This is certainly a very useful PR and a very much needed one.
I too would be interested in this functionality. I had to write a script just to get around this but it’s an extra thing to manage.
It would be great if this fix could be merged soon. We're using deployment manager to manage all our cloud functions and currently have to manually assign permissions to public HTTP functions after deploy to work around this bug.
In the meanwhile... this is a decent workaround, although you'll have to install another plugin.
https://github.com/serverless/serverless-google-cloudfunctions/issues/205#issuecomment-658759740
@J-Rojas thanks for the tips on how to update. Simple stuff, but since I'm not really a JS developer I was just unfamiliar.
Hopefully with these updates, this should now be ready for review + merge.
@edaniszewski not a problem, I'm glad I can help and thanks for taking the time to fix this.
@medikoo bump... can we get this merged since your requested changes have been addressed?
Any updates on this? This is really blocking us from moving to GCP from AWS.
