我应该如何创建服务帐户以使用 Google KMS 在 GCP 项目之间访问机密？

Question

I've followed this tutorial: https://cloud.google.com/kms/docs/store-secrets

My next step was to have my apps read my secrets file from the storage bucket and decrypt safely at runtime. These apps run within various projects (staging, dev, production etc).

I've read the service account documentation over and over but can't quite understand the correct way forward.

What I found that worked was to simply add service accounts to MY_KMS_PROJECT and MY_STORAGE_PROJECT from the tutorial. I set them up to have access to read storage buckets and to decrypt KMS keys. Just by creating those service accounts, suddenly apps in other projects could read and decrypt. Is that how it's supposed to work?

I thought that I would have had to create a service account for each project that I want to have accessing the KMS projects from the tutorial? Or use IAM somehow to grant access? For example, how would I grant access to some apps within some projects and not others?

I'm attempting to now give access to apps when they are running in my local dev environment, which usually requires downloading a service account and pointing GOOGLE_APPLICATION_CREDENTIALS to the file. But it seems strange to me to download the service accounts from the MY_KMS_PROJECT or MY_STORAGE_PROJECT, especially since I already have a service account for accessing firebase. Are service accounts somehow global to all projects? Can they be combined? GOOGLE_APPLICATION_CREDENTIALS seems only good for pointing at a single service account.

Note: most of my apps are running on google app engine standard or flexible.

Here is the code from the apps within my projects that "just work" as described above:

client, err := google.DefaultClient(ctx, cloudkms.CloudPlatformScope)
if err != nil {
    log.Fatal(err)
}

// Create the KMS client.
kmsService, err := cloudkms.New(client)
if err != nil {
    log.Fatal(err)
}
....

And for accessing the bucket:

// Create the storage clientstorage
Client, err := storage.NewClient(ctx)
if err != nil {
    log.Fatal(err)
}
....

Answer 1

For your first question: This could be happening due to the fact that those applications use the same services accounts that you created for the respective projects. In this case you would need to ensure that those applications do not use the aforementioned service accounts.

For your second question: You might try to use one service account at organization level. These service accounts would be inherited by all the projects in the organization. You can grant the service account those roles or permissions that meet your requirements

For your third question: They are “Global” to all projects in case you use organization-level service accounts: you can take a look at this documentation where you might find valuable information about service accounts and organization

Please let me know your thoughts and how it goes.

Answer 2

This is what I discovered works. Until I hear that it's not correct or ideal, it's how I'm moving forward:

1. Follow the "storing secrets" tutorial ( https://cloud.google.com/kms/docs/store-secrets ).

Note that when creating the two accounts from the tutorial, there will be no service accounts automatically created since there is no compute or app engine instances by default.

2. Go to IAM for the kms storage project and add any other projects with apps that you want to have access to download the encrypted secrets. Add them by their service account emails, with the role for viewing buckets.

3. Go to IAM for the kms management project and do the same for any projects with apps that you want to be decrypting the shared secrets, via their service account emails.

For Localhost development, use "gcloud auth application-default login" before starting your services.