Accessing a Cloud Run service from another project
Can I access the CloudRun api from a different project using a ServiceAccount from that project?
I have a Project A, in which a CloudRun service (ServiceA) is hosted. I have another Project B, from which I need to call ServiceA using a service account (SvcAccountB).
But every time I try to make the call to ServiceA using SvcAccountB it fails with a 403. There is no firewall issue, as I can see in the logs for ServiceA that the call is getting rejected. I have given the "CloudRun Invoker" permissions to SvcAccountB.
If I have a service account (svcAccountA) in Project A, then the call to ServiceA works fine.
What else am I missing so that svcAccountB can call ServiceA?
There are 3 steps you need to post to a CloudRun service using a service account:
1. Get a JWT token using your service account json file. Here's a sample Claims:
   Iat: now,
   // expires after 'expiryLength' seconds.
   Exp: now + expiryLength,
   // Iss must match 'issuer' in the security configuration in your
   // swagger spec (eg service account email). It can be any string.
   Iss: saEmail,
   // Aud must be either your Endpoints service name, or match the value
   // specified as the 'x-google-audience' in the OpenAPI document.
   Aud: "https://www.googleapis.com/oauth2/v4/token",
   // Sub and Email should match the service account's email address.
   Sub: saEmail,
   PrivateClaims: map[string]interface{}{"target_audience": audience},
   where the audience is the url of your CloudRun service.
2. Pass this JWT token to get the Access token. Here are more details: https://developers.google.com/identity/protocols/OAuth2ServiceAccount
3. Then send the Access token to your CloudRun service.
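The three steps of the answer above, carried through end to end in Go as an added example; this is not code from the original answer or from Google's client libraries. It assumes constructed values: the service-account email svc-b@project-b.iam.gserviceaccount.com, the service URL https://service-a-xyz-uc.a.run.app, and a key generated at startup (demoKey) in place of the one in SvcAccountB's JSON key file; the functions buildAssertion, verifyAndDecode, exchangeForIDToken and callService are the example's own names. Because the assertion carries target_audience, the token endpoint returns an id_token rather than an access token, and that ID token is what Cloud Run checks, so the example names it accordingly.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// Google's OAuth 2.0 token endpoint: the "aud" of the self-signed assertion.
const googleTokenURL = "https://www.googleapis.com/oauth2/v4/token"

// demoKey stands in for the private key in SvcAccountB's JSON key file; it is a
// constructed value generated at startup only so the example runs offline.
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Step 1: sign a JWT with the account key. iss/sub are the account email, aud is
// the token endpoint, and target_audience is the Cloud Run service URL.
func buildAssertion(saEmail string, key *rsa.PrivateKey, targetAudience string, now time.Time, ttl time.Duration) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": saEmail, "sub": saEmail, "aud": googleTokenURL,
		"iat": now.Unix(), "exp": now.Add(ttl).Unix(), "target_audience": targetAudience,
	})
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// verifyAndDecode checks the RS256 signature with the account's public key and
// returns the claims; this is what the token endpoint does before issuing anything.
func verifyAndDecode(token string, pub *rsa.PublicKey) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, err
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	return claims, json.Unmarshal(raw, &claims)
}

// Step 2: post the assertion with the jwt-bearer grant; because target_audience
// is set, the endpoint answers with an id_token for that audience.
func exchangeForIDToken(tokenURL, assertion string) (string, error) {
	form := url.Values{"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"}, "assertion": {assertion}}
	resp, err := http.PostForm(tokenURL, form)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var out struct {
		IDToken string `json:"id_token"`
	}
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&out) != nil || out.IDToken == "" {
		return "", fmt.Errorf("token endpoint refused the assertion (HTTP %d)", resp.StatusCode)
	}
	return out.IDToken, nil
}

// Step 3: call the service with the ID token as a Bearer token. Cloud Run answers
// 403 when the token is missing, fails verification, or carries another audience.
func callService(serviceURL, idToken string) (int, error) {
	req, err := http.NewRequest(http.MethodGet, serviceURL, nil)
	if err != nil {
		return 0, err
	}
	req.Header.Set("Authorization", "Bearer "+idToken)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	// Offline demo of step 1 with constructed values; steps 2 and 3 need the real endpoints.
	token, err := buildAssertion("svc-b@project-b.iam.gserviceaccount.com", demoKey, "https://service-a-xyz-uc.a.run.app", time.Now(), time.Hour)
	fmt.Println(token, err)
}
```

verifyAndDecode is included so the assertion can be inspected locally before a round trip to Google: a target_audience that does not equal the service URL exactly, or a signer that lacks the Cloud Run Invoker role on ServiceA, both surface as the 403 the question describes, so those are the first two things to compare when the cross-project call is rejected.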