使用 Firebase Cloud Functions 的 Google Cloud API DomainMapping答案

【问题标题】：Google Cloud API DomainMapping using Firebase Cloud Functions使用 Firebase Cloud Functions 的 Google Cloud API DomainMapping
【发布时间】：2020-03-15 18:40:52
【问题描述】：

我正在尝试使用 Firebase Cloud Functions 以编程方式将域映射添加到服务。到目前为止，在发送 POST 请求并收到 200 成功时，能够获得正确的 json 字段格式。这是正文请求/响应：

请求：

{
        "apiVersion": "domains.cloudrun.com/v1", 
        "kind": "DomainMapping", 
        "metadata": {
            "annotations": {}, 
            "labels": {}, 
            "name": "subdomain.example.com", 
            "namespace": "project-id"
        }, 
        "spec": {
            "routeName": "service-name"
        }, 
        "status": {}
}

回应：

{ apiVersion: 'domains.cloudrun.com/v1',
  kind: 'DomainMapping',
  metadata: 
   { name: 'subdomain.example.com',
     namespace: '123456789',
     selfLink: '/apis/domains.cloudrun.com/v1/namespaces/123456789/domainmappings/subdomain.example.com',
     uid: 'eiv0wr9f-8afec-47fdsf-fdsdc-fjosf0fne78',
     resourceVersion: 'FFFJKA+F32',
     generation: 1,
     creationTimestamp: '2019-11-23T21:07:49.167253Z',
     labels: { 'cloud.googleapis.com/location': 'us-central1' },
     annotations: 
      { 'serving.knative.dev/creator': 'project-id@appspot.gserviceaccount.com',
        'serving.knative.dev/lastModifier': 'project-id@appspot.gserviceaccount.com' } },
  spec: { routeName: 'service-name' },
  status: {} }"

在检查 DomainMapping 的状态时，响应消息包括“呼叫者无权管理域”，即使该域已通过 google 域验证。这是 IAM 问题还是其他问题？任何见解都会有所帮助。

以下是请求域映射状态时的完整响应：

{
  "apiVersion": "domains.cloudrun.com/v1",
  "kind": "DomainMapping",
  "metadata": {
    "name": "subdomain.example.com",
    "namespace": "123456789",
    "selfLink": "/apis/domains.cloudrun.com/v1/namespaces/123456789/domainmappings/subdomain.example.com",
    "uid": "fdns0fs5-8fw-437f-1514c-n89fwnnav0n",
    "resourceVersion": "gn902fnfjd",
    "generation": 1,
    "creationTimestamp": "2019-11-23T21:07:49.167253Z",
    "labels": {
      "cloud.googleapis.com/location": "us-central1"
    },
    "annotations": {
      "serving.knative.dev/creator": "project-id@appspot.gserviceaccount.com",
      "serving.knative.dev/lastModifier": "project-id@appspot.gserviceaccount.com"
    }
  },
  "spec": {
    "routeName": "service-name"
  },
  "status": {
    "conditions": [
      {
        "type": "Ready",
        "status": "False",
        "reason": "PermissionDenied",
        "message": "Caller is not authorized to administer the domain 'subdomain.example.com'. If you own 'subdomain.example.com', you can obtain authorization by verifying ownership of the domain, or any of its parent domains, via the Webmaster Central portal: https://www.google.com/webmasters/verification/verification?domain=subdomain.example.com. We reccomend verifying ownership of the largest scope you wish to use with subdomains (eg. verify 'example.com' if you wish to map 'subdomain.example.com').",
        "lastTransitionTime": "2019-11-23T21:07:49.719Z"
      },
      {
        "type": "CertificateProvisioned",
        "status": "False",
        "reason": "PermissionDenied",
        "message": "Certificate will not be provisioned unless the domain is made routable.",
        "lastTransitionTime": "2019-11-23T21:07:49.719Z"
      },
      {
        "type": "DomainRoutable",
        "status": "False",
        "reason": "PermissionDenied",
        "message": "Caller is not authorized to administer the domain 'fdsfdsfsf-gsyjtfounzbunfetzf50.a.review.activit.app'. If you own 'fdsfdsfsf-gsyjtfounzbunfetzf50.a.review.activit.app', you can obtain authorization by verifying ownership of the domain, or any of its parent domains, via the Webmaster Central portal: https://www.google.com/webmasters/verification/verification?domain=subdomain.example.com. We reccomend verifying ownership of the largest scope you wish to use with subdomains (eg. verify 'example.com' if you wish to map 'subdomain.example.com').",
        "lastTransitionTime": "2019-11-23T21:07:49.719Z"
      },
      {
        "type": "Retry",
        "status": "True",
        "reason": "FailedUnknown",
        "message": "System will retry after 0:59:59 from lastTransitionTime for attempt 7.",
        "lastTransitionTime": "2019-11-23T23:18:06.067Z",
        "severity": "Info"
      }
    ],
    "observedGeneration": 1
  }
}

【问题讨论】：

cloud.google.com/run/docs/reference/rest/v1/… 为了便于理解，请在 Google Cloud Console 中创建服务。然后做一个GET。然后，您将看到 DomainMapping 对象在 JSON 中的外观。使用与CREATE 相同的格式。另一种方法是使用gcloud run services describe <NAME> --log-http。这将向您显示 HTTP 请求和响应。您甚至可以使用 CLI 创建服务。
@JohnHanley 这太棒了！知道有一个 --log-http 非常有帮助。我能够获得提交给 Cloud Run API 端点的实际正文：{ "apiVersion": "domains.cloudrun.com/v1", "kind": "DomainMapping", "metadata": { "annotations": {}, "labels": {}, "name": "subdomain.example.com", "namespace": "servicename" }, "spec": { "routeName": "template-demo" }, "status": {} }; 不幸的是，这仍然返回错误。
使用格式化的详细信息编辑您的问题。包括请求、响应和错误消息。
@JohnHanley 我已更新问题以更好地反映问题。
经过验证的域只能由经过验证的用户使用。验证用户列表中的用户 ID（或服务帐户电子邮件）是否位于 google.com/webmasters/verification/home

标签： google-cloud-platform google-cloud-functions google-cloud-run

【解决方案1】：

感谢@JohnHandley 的帮助，我能够使用 google sdk cdi 上的 --log-http 标志找出提交格式并生成请求：

{
        "apiVersion": "domains.cloudrun.com/v1", 
        "kind": "DomainMapping", 
        "metadata": {
            "annotations": {}, 
            "labels": {}, 
            "name": "domainMapping.example.com", 
            "namespace": "project-id"
        }, 
        "spec": {
            "routeName": "service-name"
        }, 
        "status": {}
    };

确保您还将服务帐户添加到您正在映射的域的已验证所有者列表中，该列表位于 google.com/webmasters/verification/home。

【讨论】：

欣赏这一点，遇到同样的问题（使用 terraform 部署到 Cloud Run，但问题是相同的）。唯一需要做的就是将服务帐户的电子邮件地址添加为网站管理员工具中的委派域所有者。