fix: update the method by which IAM roles are applied #223
Conversation
There was a problem hiding this comment.
Thank you @edaniszewski Please see my comments, they're mostly style related
deploy/lib/setIamPolicy.js
Outdated
| 'use strict'; | ||
|
|
||
| const _ = require('lodash'); | ||
| const BbPromise = require('bluebird'); |
There was a problem hiding this comment.
Let's stick just to native promises (note we can fully use async/await). I believe we should get rid of bluebird, as we plant do so in a Framework).
If you find it difficult with native promises, let me know, I'll try to help
There was a problem hiding this comment.
I've tried to move to using native promises, but since Im not really experienced in the area and don't have other examples to go by, I haven't been able to get it to work quite right. If you have an example somewhere of what changing from bluebird to native looks like, it'd be much appreciated!
deploy/lib/setIamPolicy.js
Outdated
| } | ||
| this.serverless.cli.log('Setting IAM policies...'); | ||
|
|
||
| _.forEach(policies, (value, key) => { |
There was a problem hiding this comment.
Let's use Object.entries().forEach instead (no point to use lodash, when we can do same with native functions)
deploy/lib/setIamPolicy.js
Outdated
| }, | ||
| }; | ||
|
|
||
| this.provider.request( |
There was a problem hiding this comment.
This looks as orphaned promise
deploy/lib/setIamPolicy.js
Outdated
| `Unable to set IAM bindings (${value}) for "${key}": function not found for`, | ||
| ` project "${this.serverless.service.provider.project}" in region "${this.options.region}".`, | ||
| ].join(''); | ||
| throw new Error(errorMessage); |
There was a problem hiding this comment.
Let' use ServerlessError, it'll provide more user friendly message (regular errors should be thrown only in case of programmer errors, but not operational errors)
package/lib/compileFunctions.js
Outdated
| // Collect the configured IAM bindings at the function and provider level and merge the | ||
| // members for each defined role. This transforms the array of IAM bindings into a mapping | ||
| // in order to easily merge. | ||
| const iamBindings = _.reduce( |
package/lib/compileFunctions.js
Outdated
| // members for each defined role. This transforms the array of IAM bindings into a mapping | ||
| // in order to easily merge. | ||
| const iamBindings = _.reduce( | ||
| _.concat( |
|
I've updated the PR with some of your recommendations. I'm not sure I've handled the orphaned promises correctly, so I may need further guidance there. I also didn't move towards using native promises instead of bluebird since it feels like transitioning from bluebird to native is a bit out-of-scope for this PR and feels to me like that project-wide change should be in its own PR |
Yes definitely, but to avoid increase of technical debt we should not introduce any new code on Bluebird (it's not a problem to use native promises together with Bluebird). Any new code should be constructed with async/await and native promises. |
|
@medikoo - sorry for the delay here and being a bother, but do you know of any examples (e.g. in the serverless repo or elsewhere) of migrating from bluebird to native promises? I'm a bit new to JS promises, and even though I feel kinda close to getting it right, I'm hoping there is an example for me to use as a reference and validate against. |
|
Wondering what needs to be done for this merge? New to OSS but would love IAM capabilities with GCP Functions |
|
@medikoo Please approve this fix |
|
Just throwing in my two cents, would love for the PR to be merged as I'm looking for a way to "allowUnauthenticated" on deploy as opposed to having to manually add the permission per function in google cloud console. |
|
@KavinJey @mrlucasrib @cgossain Do you think you can finalize this PR? Aside of suggestions pointed in review process it needs now updating with master |
|
Any plans for merging this PR soon? I am looking for the "allowUnauthenticated" option. |
|
Any status update on this? This is certainly a very useful PR and a very much needed one. |
|
Plans on getting this merged? |
|
I too would be interested in this functionality. I had to write a script just to get around this but it’s an extra thing to manage. |
|
This PR is not finalized. Can you can help with finalizing it? |
|
It would be great if this fix could be merged soon. We're using deployment manager to manage all our cloud functions and currently have to manually assign permissions to public HTTP functions after deploy to work around this bug. |
There was a problem hiding this comment.
@edaniszewski I have provided examples as to how you can use native promises instead of bluebird. Please apply these changes and resolve any merge conflicts. It would great to get this merged.
deploy/lib/setIamPolicy.js
Outdated
| } | ||
| }); | ||
|
|
||
| return BbPromise.all(promises); |
There was a problem hiding this comment.
The return can be rewritten as
return Promise.all(promises)
deploy/lib/setIamPolicy.js
Outdated
|
|
||
| module.exports = { | ||
| setIamPolicy() { | ||
| return BbPromise.bind(this).then(this.getFunctions).then(this.setPolicies); |
There was a problem hiding this comment.
Can be rewritten as:
return Promise.resolve().then(() => this.getFunctions()).then(() => this.setPolicies())
deploy/lib/setIamPolicy.js
Outdated
| // If there are no IAM policies configured with any function, there is nothing to | ||
| // do here. | ||
| if (!policies || !Object.keys(policies).length) { | ||
| return BbPromise.resolve(); |
There was a problem hiding this comment.
Can be rewritten as
return Promise.resolve()
|
In the meanwhile... this is a decent workaround, although you'll have to install another plugin. |
* removes the previous implementation using deploymentmanager, as it does not appear to work as documented * adds support for setting IAM via cloudfunctions API * adds test cases
|
@J-Rojas thanks for the tips on how to update. Simple stuff, but since I'm not really a JS developer I was just unfamiliar. Hopefully with these updates, this should now be ready for review + merge. |
|
@edaniszewski not a problem, I'm glad I can help and thanks for taking the time to fix this. |
|
@medikoo bump... can we get this merged since your requested changes have been addressed? |
|
I really need this too! |
|
Status of this MR? |
|
+1 on this PR; would be very useful! |
|
Any updates on this? This is really blocking us from moving to GCP from AWS. |
This implementation is a pretty sizable departure of the previous implementation attempt (#219) which did not work as anticipated (#222) because it seems like the documented configuration/behavior for setting via
deploymentmanagerdoes not work as expected.This approach does offer a bit better granularity of how functions IAM policies can be defined though, which is nice.
IAM roles are applied after a function is deployed/updated.
Note: In order to apply IAM policies to functions, the serviceaccount you are using for serverless deploys will need the
cloudfunctions.functions.setIamPolicypermission. This permission is not granted by the default cloudfunctions roles so will require you to create a custom policy.If you do not have the appropriate permissions, you should get an error message stating you lack the permission:
IAM policies can be set a number of different ways.
Globally
Per-function
IAM policies are merged between the global/function-local scope as well. This definition:
the full set of IAM policies would get merged to
There are some caveats with this approach which this PR does not address:
sls removeand re-deploy.sls deploycommand will fail, but since IAM policies are applied to functions after deployment manager is setup and creates the functions, a failure to set policy will not automatically remove functions.setIamPolicycall failing or not.Fixes #222
Also related: