Managing rights to access functions
You can make a function public or private, as well as view the roles assigned for the function.
Make your function public
To let any user invoke the function, you must make it public. To do this, enable invoking the function over HTTP without passing the authorization header.
Make the function public:
- Open Cloud Functions in the folder with the function that you want to make public.
- Select it from the list of functions.
- On the Overview page under General information, click the toggle in the Public function field.
Make the function public using the CLI:
$ yc serverless function allow-unauthenticated-invoke <function name>
Result:
done (1s)
You can also make the function public by assigning the serverless.functions.invoker role to it for all unauthenticated users (the allUsers system group). To learn how to assign a role to a function, see Assigning roles.
View the roles assigned to the function
View the roles assigned to the function:
$ yc serverless function list-access-bindings <function name>
Result:
+------------------------------+--------------+------------+
|           ROLE ID            | SUBJECT TYPE | SUBJECT ID |
+------------------------------+--------------+------------+
| serverless.functions.invoker | system       | allUsers   |
+------------------------------+--------------+------------+
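An audit check built on the table above, as an added example that is not part of the original documentation: it parses the list-access-bindings output and flags any function where allUsers holds serverless.functions.invoker. The helper names, both sample tables and the service-account row are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit helper, not part of the Yandex Cloud documentation.

# Constructed sample tables in the format shown above.
SAMPLE_PUBLIC='+------------------------------+--------------+------------+
|           ROLE ID            | SUBJECT TYPE | SUBJECT ID |
+------------------------------+--------------+------------+
| serverless.functions.invoker | system       | allUsers   |
+------------------------------+--------------+------------+'
SAMPLE_PRIVATE='+------------------------------+----------------+----------------+
|           ROLE ID            |  SUBJECT TYPE  |   SUBJECT ID   |
+------------------------------+----------------+----------------+
| serverless.functions.invoker | serviceAccount | constructed-id |
+------------------------------+----------------+----------------+'

# Read a bindings table on stdin; print each role bound to allUsers.
roles_for_all_users() {
  awk -F'|' 'NF >= 4 {
    role = $2; type = $3; subject = $4
    gsub(/^[ \t]+|[ \t]+$/, "", role)
    gsub(/^[ \t]+|[ \t]+$/, "", type)
    gsub(/^[ \t]+|[ \t]+$/, "", subject)
    if (type == "system" && subject == "allUsers") print role
  }'
}

# Succeed if the table on stdin lets anonymous callers invoke the function.
is_public() {
  roles_for_all_users | grep -qxF 'serverless.functions.invoker'
}

# Audit each named function; return 1 if any is public or unreadable.
audit_functions() {
  local name out rc=0
  for name in "$@"; do
    if ! out=$(yc serverless function list-access-bindings "$name"); then
      echo "ERROR   $name"; rc=1   # never report an unreadable function as private
    elif printf '%s\n' "$out" | is_public; then
      echo "PUBLIC  $name"; rc=1
    else
      echo "private $name"
    fi
  done
  return "$rc"
}

# Offline check against the constructed sample table.
if printf '%s\n' "$SAMPLE_PUBLIC" | is_public; then echo "sample: public"; fi
```

Call audit_functions with the names of the functions to review; a non-zero exit status means at least one is public or its bindings could not be read.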
Make the function private
To invoke a private function via HTTP, you must authenticate.
Make the function private:
- Open Cloud Functions in the folder with the function that you want to make private.
- Select it from the list of functions.
- On the Overview page under Common function, click the toggle in the Public function field.
Make the function private using the CLI:
$ yc serverless function deny-unauthenticated-invoke <function name>
Result:
done (1s)
You can also make the function private by revoking its serverless.functions.invoker role. To learn how to revoke a role, see Revoke a role for a resource.
For more information about access rights, see Access management.