tencent cloud

云函数

动态与公告
产品动态
产品公告
新手指引
产品简介
产品概述
相关概念
工作原理
产品优势
应用场景
相关产品
购买指南
计费概述
计费方式
计费项与计费方式
函数算力支持
免费额度
产品定价
计费示例
欠费与停服说明
快速入门
使用控制台创建一个事件函数
操作指南
配额管理
函数管理
Web 函数管理
日志管理
并发管理
触发器管理
函数 URL
自定义域名
版本管理
别名管理
权限管理
运行实例管理
插件管理
监控与告警管理
网络配置
层管理
执行配置
扩展存储管理
DNS 缓存配置
资源托管模式管理
近离线资源托管模式
工作流
触发器
触发器概述
触发器事件消息结构汇总
API 网关触发器
COS 触发器
CLS 触发器
定时触发器
CKafka 触发器
Apache Kafka 触发器
MQTT 触发器
触发器配置描述
MPS 触发器
CLB 触发器说明
云 API 触发器
开发指南
基本概念
测试云函数
环境变量
依赖安装
使用容器镜像
使用 Docker 安装依赖
错误类型与重试策略
死信队列
云函数接入数据库
自动化部署
云函数状态码
常见错误码解决方法
开发者工具
Serverless Web IDE
函数间调用 SDK
第三方工具
代码开发
Python
Node.js
Golang
PHP
Java
Custom Runtime
使用镜像部署函数
Web 框架部署
通过命令行完成框架部署
快速部署 Egg 框架
快速部署 Express 框架
快速部署 Flask 框架
快速部署 Koa 框架
快速部署 Laravel 框架
快速部署 Nestjs 框架
快速部署 Nextjs 框架
快速部署 Nuxtjs 框架
快速部署 Django 框架
实践教程
最佳实践概述
云产品联合解决方案
业务开发相关实践
实时音视频 TRTC
对象存储 COS
消息队列 CKafka
日志服务CLS
负载均衡 CLB
视频处理 MPS
内容分发网络 CDN
云数据仓库 PostgreSQL
云点播 VOD
短信 SMS
Elasticsearch Service
定时任务
视频处理
客户案例
腾讯在线教育
在线教育行业案例
游戏聊天系统
腾讯互娱国际(IEGG)
API 文档
History
Introduction
API Category
Making API Requests
Other APIs
Namespace APIs
Layer Management APIs
Async Event Management APIs
Trigger APIs
Function APIs
函数和层的状态说明
Data Types
Error Codes
SDK文档
常见问题
通用问题
Web 函数相关问题
计费相关问题
网络相关问题
日志相关问题
SCF 工具相关问题
事件处理相关问题
API 网关触发器相关问题
相关协议
Service Level Agreement
联系我们
词汇表
文档云函数操作指南函数 URL函数 URL 认证鉴权配置

函数 URL 认证鉴权配置

PDF
聚焦模式
字号
最后更新时间: 2025-05-09 10:01:35

简介

您可以通过配置认证鉴权策略来控制对函数 URL 的访问。
在配置函数 URL 时,必须指定以下认证选项之一:
CAM 鉴权:需要对函数 CAM 鉴权验证,用户可以基于函数 InvokeFunctionUrl 接口进行资源管理和使用权限配置。您可以通过配置 InvokeFunctionUrl 策略权限来开放或限制接口的访问。
开放:不需要对函数请求进行身份验证,支持匿名访问,任何人都可以发起 HTTP 请求调用您的函数。

配置 InvokeFunctionUrl 策略权限

您可以参考以下步骤配置 InvokeFunctionUrl 策略权限来开放或限制接口的访问。
1. 在访问管理控制台的 策略 页面,单击左上角的新建自定义策略
2. 在弹出的选择创建方式窗口中,单击按策略生成器创建,进入编辑策略页面。
3. 可视化策略生成器中添加服务与操作栏,补充以下信息,编辑一个授权声明。
效果(必选):选择允许
服务(必选):选择云函数 (scf)。
操作(必选):单击全部操作 (scf:*)右侧的展开,搜索 InvokeFunctionUrl,并勾选。如下图所示:



资源(必填):选择全部资源或您要授权的特定资源。
条件(选填):设置上述授权的生效条件。
4. 完成策略授权声明编辑后,单击下一步,进入基本信息和关联用户/用户组/角色页面。
5. 在关联用户/用户组/角色页面,补充策略名称和描述信息,可同时关联用户/用户组/角色快速授权。
6. 单击完成,完成按策略生成器创建自定义策略的操作。

签名生成和认证流程

客户端生成签名

签名算法请参见 安全凭证服务签名方法。代码示例如下:
Java
Go
NodeJS
Python
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.TimeZone;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.bind.DatatypeConverter;

public class TencentCloudAPITC3Demo {
    private final static Charset UTF8 = StandardCharsets.UTF_8;
    // 需要设置环境变量 TENCENTCLOUD_SECRET_ID,值为示例的 AKID***************
    private final static String SECRET_ID = System.getenv("TENCENTCLOUD_SECRET_ID");
    // 需要设置环境变量 TENCENTCLOUD_SECRET_KEY,值为示例的 Gu5t9xGARNpq86cd98joQYCN3*******
    private final static String SECRET_KEY = System.getenv("TENCENTCLOUD_SECRET_KEY");
    private final static String CT_JSON = "application/json";

    public static byte[] hmac256(byte[] key, String msg) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        SecretKeySpec secretKeySpec = new SecretKeySpec(key, mac.getAlgorithm());
        mac.init(secretKeySpec);
        return mac.doFinal(msg.getBytes(UTF8));
    }

    public static String sha256Hex(String s) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] d = md.digest(s.getBytes(UTF8));
        return DatatypeConverter.printHexBinary(d).toLowerCase();
    }

    public static void main(String[] args) throws Exception {
        String service = "scf";
        String host = "1253970226-xxxxxxx-cq.scf.tencentcs.com";
        String uin = "xxxxxx";//此处替换为需要使用的真实uin
        String algorithm = "TC3-HMAC-SHA256";
        String timestamp = String.valueOf(System.currentTimeMillis() / 1000);
        SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd");
        // 注意时区,否则容易出错
        sdf.setTimeZone(TimeZone.getTimeZone("UTC"));
        String date = sdf.format(new Date(Long.valueOf(timestamp + "000")));

        // ************* 步骤 1:拼接规范请求串 *************
        String httpRequestMethod = "POST";
        String canonicalUri = "/";
        String canonicalQueryString = "";
        String canonicalHeaders = "content-type:application/json; charset=utf-8\\n"
                + "host:" + host + "\\n" ;
        String signedHeaders = "content-type;host";

        // 请求体
        String payload = "{\\"Limit\\": 1, \\"Filters\\": [{\\"Values\\": [\\"\\\\u672a\\\\u547d\\\\u540d\\"], \\"Name\\": \\"instance-name\\"}]}";
        String hashedRequestPayload = sha256Hex(payload);
        String canonicalRequest = httpRequestMethod + "\\n" + canonicalUri + "\\n" + canonicalQueryString + "\\n"
                + canonicalHeaders + "\\n" + signedHeaders + "\\n" + hashedRequestPayload;
        System.out.println(canonicalRequest);

        // ************* 步骤 2:拼接待签名字符串 *************
        String credentialScope = date + "/" + service + "/" + "tc3_request";
        String hashedCanonicalRequest = sha256Hex(canonicalRequest);
        String stringToSign = algorithm + "\\n" + timestamp + "\\n" + credentialScope + "\\n" + hashedCanonicalRequest;
        System.out.println(stringToSign);

        // ************* 步骤 3:计算签名 *************
        byte[] secretDate = hmac256(("TC3" + SECRET_KEY).getBytes(UTF8), date);
        byte[] secretService = hmac256(secretDate, service);
        byte[] secretSigning = hmac256(secretService, "tc3_request");
        String signature = DatatypeConverter.printHexBinary(hmac256(secretSigning, stringToSign)).toLowerCase();
        System.out.println(signature);

        // ************* 步骤 4:拼接 Authorization *************
        String authorization = algorithm + " " + "Credential=" + SECRET_ID + "/" + credentialScope + ", "
                + "SignedHeaders=" + signedHeaders + ", " + "Signature=" + signature;
        System.out.println(authorization);


        StringBuilder sb = new StringBuilder();
        sb.append("curl -X POST https://").append(host+canonicalUri)
        .append(" -H \\"Authorization: ").append(authorization).append("\\"")
        .append(" -H \\"Content-Type: application/json; charset=utf-8\\"")
        .append(" -H \\"Host: ").append(host).append("\\"")
        .append(" -H \\"X-Scf-Cam-Uin: ").append(uin).append("\\"")
        .append(" -H \\"X-Scf-Cam-Timestamp: ").append(timestamp).append("\\"")
        .append(" -d '").append(payload).append("'");
        System.out.println(sb.toString());
    }
}
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"time"
)

func sha256hex(s string) string {
	b := sha256.Sum256([]byte(s))
	return hex.EncodeToString(b[:])
}

func hmacsha256(s, key string) string {
	hashed := hmac.New(sha256.New, []byte(key))
	hashed.Write([]byte(s))
	return string(hashed.Sum(nil))
}

func main() {
	// 需要填写账户UIN
	uin := "xxxx"
	// 需要设置环境变量 TENCENTCLOUD_SECRET_ID,值为示例的 AKID***************
	secretId := os.Getenv("TENCENTCLOUD_SECRET_ID")
	// 需要设置环境变量 TENCENTCLOUD_SECRET_KEY,值为示例的 Gu5t9xGARNpq86cd98joQYCN3*******
	secretKey := os.Getenv("TENCENTCLOUD_SECRET_KEY")
	host := "1253970226-xxxxxxx-cq.scf.tencentcs.com"

	algorithm := "TC3-HMAC-SHA256"
	service := "scf"
	var timestamp int64 = time.Now().Unix()

	// step 1: build canonical request string
	httpRequestMethod := "POST"
	canonicalURI := "/"
	canonicalQueryString := ""
	canonicalHeaders := fmt.Sprintf("content-type:%s\\nhost:%s\\n",
		"application/json", host)
	signedHeaders := "content-type;host"
	payload := `{"Limit": 1, "Filters": [{"Values": ["\\u672a\\u547d\\u540d"], "Name": "instance-name"}]}`
	hashedRequestPayload := sha256hex(payload)
	canonicalRequest := fmt.Sprintf("%s\\n%s\\n%s\\n%s\\n%s\\n%s",
		httpRequestMethod,
		canonicalURI,
		canonicalQueryString,
		canonicalHeaders,
		signedHeaders,
		hashedRequestPayload)
	fmt.Println("canonicalRequest => ", canonicalRequest)

	// step 2: build string to sign
	date := time.Unix(timestamp, 0).UTC().Format("2006-01-02")
	credentialScope := fmt.Sprintf("%s/%s/tc3_request", date, service)
	hashedCanonicalRequest := sha256hex(canonicalRequest)
	string2sign := fmt.Sprintf("%s\\n%d\\n%s\\n%s",
		algorithm,
		timestamp,
		credentialScope,
		hashedCanonicalRequest)
	fmt.Println("string2sign ==>", string2sign)

	// step 3: sign string
	secretDate := hmacsha256(date, "TC3"+secretKey)
	secretService := hmacsha256(service, secretDate)
	secretSigning := hmacsha256("tc3_request", secretService)
	signature := hex.EncodeToString([]byte(hmacsha256(string2sign, secretSigning)))
	fmt.Println(signature)

	// step 4: build authorization
	authorization := fmt.Sprintf("%s Credential=%s/%s, SignedHeaders=%s, Signature=%s",
		algorithm,
		secretId,
		credentialScope,
		signedHeaders,
		signature)
	fmt.Println(authorization)

	curl := fmt.Sprintf(`curl -X %s https://%s -H "Authorization: %s" -H "Content-Type: application/json" -H "Host: %s"  -H "X-Scf-Cam-Uin: %s" -H "X-Scf-Cam-Timestamp: %d" -d '%s'`,
		httpRequestMethod, host, authorization, host, uin, timestamp, payload)
	fmt.Println(curl)
}
const crypto = require('crypto');

function sha256(message, secret = '', encoding) {
    const hmac = crypto.createHmac('sha256', secret)
    return hmac.update(message).digest(encoding)
}

function getHash(message, encoding = 'hex') {
    const hash = crypto.createHash('sha256')
    return hash.update(message).digest(encoding)
}

function getDate(timestamp) {
    const date = new Date(timestamp * 1000)
    const year = date.getUTCFullYear()
    const month = ('0' + (date.getUTCMonth() + 1)).slice(-2)
    const day = ('0' + date.getUTCDate()).slice(-2)
    return `${year}-${month}-${day}`
}

function main(){
    // 密钥参数
    // 需要设置环境变量 TENCENTCLOUD_SECRET_ID,值为示例的 AKID***************
    const SECRET_ID = process.env.TENCENTCLOUD_SECRET_ID
    // 需要设置环境变量 TENCENTCLOUD_SECRET_KEY,值为示例的 Gu5t9xGARNpq86cd98joQYCN3*******
    const SECRET_KEY = process.env.TENCENTCLOUD_SECRET_KEY

    const endpoint = "1253970226-xxxxxxx-cq.scf.tencentcs.com"
    const service = "scf"
    const timestamp = getTime()
    //时间处理, 获取世界时间日期
    const date = getDate(timestamp)

    // ************* 步骤 1:拼接规范请求串 *************
    const payload = "{\\"Limit\\": 1, \\"Filters\\": [{\\"Values\\": [\\"\\\\u672a\\\\u547d\\\\u540d\\"], \\"Name\\": \\"instance-name\\"}]}"

    const hashedRequestPayload = getHash(payload);
    const httpRequestMethod = "POST"
    const canonicalUri = "/"
    const canonicalQueryString = ""
    const canonicalHeaders = "content-type:application/json\\n"
        + "host:" + endpoint + "\\n"
    const signedHeaders = "content-type;host"

    const canonicalRequest = httpRequestMethod + "\\n"
                         + canonicalUri + "\\n"
                         + canonicalQueryString + "\\n"
                         + canonicalHeaders + "\\n"
                         + signedHeaders + "\\n"
                         + hashedRequestPayload
    console.log(canonicalRequest)

    // ************* 步骤 2:拼接待签名字符串 *************
    const algorithm = "TC3-HMAC-SHA256"
    const hashedCanonicalRequest = getHash(canonicalRequest);
    const credentialScope = date + "/" + service + "/" + "tc3_request"
    const stringToSign = algorithm + "\\n" +
                    timestamp + "\\n" +
                    credentialScope + "\\n" +
                    hashedCanonicalRequest
    console.log(stringToSign)

    // ************* 步骤 3:计算签名 *************
    const kDate = sha256(date, 'TC3' + SECRET_KEY)
    const kService = sha256(service, kDate)
    const kSigning = sha256('tc3_request', kService)
    const signature = sha256(stringToSign, kSigning, 'hex')
    console.log(signature)

    // ************* 步骤 4:拼接 Authorization *************
    const authorization = algorithm + " " +
                    "Credential=" + SECRET_ID + "/" + credentialScope + ", " +
                    "SignedHeaders=" + signedHeaders + ", " +
                    "Signature=" + signature
    console.log(authorization)

    const curlcmd = 'curl -X POST ' + "https://" + endpoint
                           + ' -H "Authorization: ' + authorization + '"'
                           + ' -H "Content-Type: application/json"'
                           + ' -H "Host: ' + endpoint + '"'
                           + ' -H "X-Scf-Cam-Uin: ' + uin + '"'
                           + ' -H "X-Scf-Cam-Timestamp: ' + timestamp.toString() + '"'
                           + " -d '" + payload + "'"
    console.log(curlcmd)
}
main()
# -*- coding: utf-8 -*-
import hashlib, hmac, json, os, sys, time
from datetime import datetime

# 密钥参数
# 需要设置环境变量 TENCENTCLOUD_SECRET_ID,值为示例的 AKID**************
secret_id = os.environ.get("TENCENTCLOUD_SECRET_ID")
# 需要设置环境变量 TENCENTCLOUD_SECRET_KEY,值为示例的 Gu5t9xGARNpq86cd98joQYCN3*******
secret_key = os.environ.get("TENCENTCLOUD_SECRET_KEY")

service = "scf"
host = "1253970226-xxxxxxx-cq.scf.tencentcs.com"
endpoint = "https://" + host
algorithm = "TC3-HMAC-SHA256"
timestamp = int(time.time())
date = datetime.utcfromtimestamp(timestamp).strftime("%Y-%m-%d")
params = {"Limit": 1, "Filters": [{"Values": [u"未命名"], "Name": "instance-name"}]}

# ************* 步骤 1:拼接规范请求串 *************
http_request_method = "POST"
canonical_uri = "/"
canonical_querystring = ""
ct = "application/json"
payload = json.dumps(params)
canonical_headers = "content-type:%s\\nhost:%s\\n" % (ct, host)
signed_headers = "content-type;host"
hashed_request_payload = hashlib.sha256(payload.encode("utf-8")).hexdigest()
canonical_request = (http_request_method + "\\n" +
                     canonical_uri + "\\n" +
                     canonical_querystring + "\\n" +
                     canonical_headers + "\\n" +
                     signed_headers + "\\n" +
                     hashed_request_payload)
print(canonical_request)

# ************* 步骤 2:拼接待签名字符串 *************
credential_scope = date + "/" + service + "/" + "tc3_request"
hashed_canonical_request = hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()
string_to_sign = (algorithm + "\\n" +
                  str(timestamp) + "\\n" +
                  credential_scope + "\\n" +
                  hashed_canonical_request)
print(string_to_sign)


# ************* 步骤 3:计算签名 *************
# 计算签名摘要函数
def sign(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()
secret_date = sign(("TC3" + secret_key).encode("utf-8"), date)
secret_service = sign(secret_date, service)
secret_signing = sign(secret_service, "tc3_request")
signature = hmac.new(secret_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
print(signature)

# ************* 步骤 4:拼接 Authorization *************
authorization = (algorithm + " " +
                 "Credential=" + secret_id + "/" + credential_scope + ", " +
                 "SignedHeaders=" + signed_headers + ", " +
                 "Signature=" + signature)
print(authorization)

print('curl -X POST ' + endpoint
      + ' -H "Authorization: ' + authorization + '"'
      + ' -H "Content-Type: application/json"'
      + ' -H "Host: ' + host + '"'
      + ' -H "X-Scf-Cam-Uin: ' + uin + '"'
      + ' -H "X-Scf-Cam-Timestamp: ' + str(timestamp) + '"'
      + " -d '" + payload + "'")
algorithm := "TC3-HMAC-SHA256"
service := "scf"
var timestamp int64 = time.Now().Unix()

// step 1: build canonical request string
httpRequestMethod := "POST"
canonicalURI := "/"
canonicalQueryString := ""
canonicalHeaders := fmt.Sprintf("content-type:%s\\nhost:%s\\n",
    "application/json", host)
signedHeaders := "content-type;host"
payload := `{"Limit": 1, "Filters": [{"Values": ["\\u672a\\u547d\\u540d"], "Name": "instance-name"}]}`
hashedRequestPayload := sha256hex(payload)
canonicalRequest := fmt.Sprintf("%s\\n%s\\n%s\\n%s\\n%s\\n%s",
    httpRequestMethod,
    canonicalURI,
    canonicalQueryString,
    canonicalHeaders,
    signedHeaders,
    hashedRequestPayload)
fmt.Println("canonicalRequest => ", canonicalRequest)

// step 2: build string to sign
date := time.Unix(timestamp, 0).UTC().Format("2006-01-02")
credentialScope := fmt.Sprintf("%s/%s/tc3_request", date, service)
hashedCanonicalRequest := sha256hex(canonicalRequest)
string2sign := fmt.Sprintf("%s\\n%d\\n%s\\n%s",
    algorithm,
    timestamp,
    credentialScope,
    hashedCanonicalRequest)
fmt.Println("string2sign ==>", string2sign)

// step 3: sign string
secretDate := hmacsha256(date, "TC3"+secretKey)
secretService := hmacsha256(service, secretDate)
secretSigning := hmacsha256("tc3_request", secretService)
signature := hex.EncodeToString([]byte(hmacsha256(string2sign, secretSigning)))
fmt.Println(signature)

// step 4: build authorization
authorization := fmt.Sprintf("%s Credential=%s/%s, SignedHeaders=%s, Signature=%s",
    algorithm,
    secretId,
    credentialScope,
    signedHeaders,
    signature)
fmt.Println(authorization)

curl := fmt.Sprintf(`curl -X %s https://%s -H "Authorization: %s" -H "Content-Type: application/json" -H "Host: %s"  -H "X-Scf-Cam-Uin: %s" -H "X-Scf-Cam-Timestamp: %d" -d '%s'`,
    httpRequestMethod, host, authorization, host, uin, timestamp, payload)
fmt.Println(curl)

客户端调用参数

在 URL 请求的 Header 中需要添加以下参数:
参数
描述
Authorization
签名相关参数,必传。示例:
TC3-HMAC-SHA256 Credential=AKID****************/2019-02-25/scf/tc3_request, SignedHeaders=content-type;host;xxx, Signature=be4f67d323c78ab9acb7395e43c0dbcf822a9cfac32fea2449a7bc7726b770a3
X-Scf-Cam-Timestamp
生成签名所使用的时间戳,必传。
X-Scf-Cam-Uin
主账户 Uin,必传。
X-Scf-Cam-Token
如果使用临时密钥生成签名,需要传入 token 信息。

服务器端验证签名

服务端调用 CAM 服务的签名和鉴权,请参见 访问管理

上一篇: 创建函数 URL下一篇: 配置自定义域名

帮助和支持

本页内容是否解决了您的问题?

填写满意度调查问卷,共创更好文档体验。

文档反馈