
Accessing a Cloud Run service from another project

Can I access the CloudRun api from a different project using a ServiceAccount from that project?

I have a Project A, in which a CloudRun service (ServiceA) is hosted. I have another Project B, from which I need to call ServiceA using a service account (SvcAccountB).

But every time I try to make the call to ServiceA using SvcAccountB it fails with a 403. There is no firewall issue, as I can see in the logs for ServiceA that the call is getting rejected. I have given the "CloudRun Invoker" permissions to SvcAccountB.

If I have a service account (svcAccountA) in Project A, then the call to ServiceA works fine.

What else am I missing so that svcAccountB can call ServiceA?

There are 3 steps you need to post to a CloudRun service using a service account:

  1. Get a JWT token using your service account json file. Here's a sample of the claims:

         Iat: now,
         // expires after 'expiryLength' seconds.
         Exp: now + expiryLength,
         // Iss must match 'issuer' in the security configuration in your
         // swagger spec (eg service account email). It can be any string.
         Iss: saEmail,
         // Aud must be either your Endpoints service name, or match the value
         // specified as the 'x-google-audience' in the OpenAPI document.
         Aud: "https://www.googleapis.com/oauth2/v4/token",
         // Sub and Email should match the service account's email address.
         Sub: saEmail,
         PrivateClaims: map[string]interface{}{"target_audience": audience},

     where the audience is the url of your CloudRun service.

  2. Pass this JWT token to get the access token. Here are more details: https://developers.google.com/identity/protocols/OAuth2ServiceAccount

  3. Then send the access token to your CloudRun service.
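The three steps above written out as one complete Go program. This is an added example, not code from the answer or from Google's samples, and it uses only the standard library. The service account e-mail, the key file name svcAccountB.json and the service URL are placeholders. It assumes what the service-account documentation linked in step 2 describes: the self-signed assertion is posted with grant_type urn:ietf:params:oauth:grant-type:jwt-bearer, and because the assertion carries target_audience the token endpoint answers with an id_token bound to the service URL (that, not an OAuth access_token, is what Cloud Run's IAM check evaluates).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"log"
	"net/http"
	"net/url"
	"os"
	"time"
)

// TokenEndpoint is Google's token endpoint; it is also the "aud" of the self-signed JWT.
const TokenEndpoint = "https://www.googleapis.com/oauth2/v4/token"

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildAssertion is step 1: the RS256-signed JWT carrying the claims listed in the answer.
// The lifetime is capped because a leaked long-lived assertion is a reusable credential.
func BuildAssertion(key *rsa.PrivateKey, saEmail, serviceURL string, now time.Time, ttl time.Duration) (string, error) {
	if ttl <= 0 || ttl > time.Hour {
		return "", fmt.Errorf("ttl must be in (0, 1h], got %v", ttl)
	}
	payload, _ := json.Marshal(map[string]any{
		"iss": saEmail, "sub": saEmail, "aud": TokenEndpoint, // signer, subject, token endpoint
		"iat": now.Unix(), "exp": now.Add(ttl).Unix(), // validity window
		"target_audience": serviceURL, // private claim: the Cloud Run service URL
	})
	signingInput := b64url([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// ExchangeAssertion is step 2: post the assertion to the token endpoint. Because target_audience
// is set, Google answers with an id_token for the service URL, which Cloud Run's IAM check reads.
func ExchangeAssertion(client *http.Client, assertion string) (string, error) {
	resp, err := client.PostForm(TokenEndpoint, url.Values{
		"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"}, "assertion": {assertion}})
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var tr struct {
		IDToken string `json:"id_token"`
		Error   string `json:"error_description"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil || tr.IDToken == "" {
		return "", fmt.Errorf("token exchange failed (HTTP %d): %s", resp.StatusCode, tr.Error)
	}
	return tr.IDToken, nil
}

// must aborts the CLI on the first failed step.
func must[T any](v T, err error) T {
	if err != nil {
		log.Fatal(err)
	}
	return v
}

func main() {
	// Usage: go run . svcAccountB.json https://<service-a-url>   (both arguments are placeholders)
	if len(os.Args) != 3 {
		log.Fatal("usage: caller <sa-key.json> <cloud-run-url>")
	}
	var sa struct {
		ClientEmail string `json:"client_email"`
		PrivateKey  string `json:"private_key"` // PEM-wrapped PKCS#8 RSA key
	}
	if err := json.Unmarshal(must(os.ReadFile(os.Args[1])), &sa); err != nil {
		log.Fatal(err)
	}
	block, _ := pem.Decode([]byte(sa.PrivateKey))
	if block == nil {
		log.Fatal("private_key is not PEM")
	}
	key := must(x509.ParsePKCS8PrivateKey(block.Bytes)).(*rsa.PrivateKey)
	assertion := must(BuildAssertion(key, sa.ClientEmail, os.Args[2], time.Now(), 10*time.Minute))
	client := &http.Client{Timeout: 15 * time.Second}
	idToken := must(ExchangeAssertion(client, assertion))
	// Step 3: present the id_token as a Bearer credential to the Cloud Run URL.
	req := must(http.NewRequest(http.MethodGet, os.Args[2], nil))
	req.Header.Set("Authorization", "Bearer "+idToken)
	resp := must(client.Do(req))
	resp.Body.Close()
	fmt.Println("Cloud Run responded with HTTP", resp.StatusCode) // 403 here still means IAM or audience, not network
}
```

If the token exchange succeeds but Cloud Run still answers 403, the thing to check is on the receiving side rather than the network: the Invoker role must be bound to SvcAccountB on ServiceA itself (an IAM binding in project A, not project B), and the token's audience must be exactly the service URL that is being called. Google's auth client libraries perform these same three steps for you; the hand-rolled version here only exists to make the claims and the audience binding visible.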

