将 Google Cloud Platform 服务帐户的访问权限限制为特定的 Gmail 帐户
[英]Limiting the access to Google Cloud Platform Service Account to specific Gmail Accounts
问题描述
I have recently made a program that listens to a PUB/SUB topic that is connected to a Gmail account.
我最近制作了一个程序,它可以监听连接到 Gmail 帐户的 PUB/SUB 主题。 I have it all working fine.我一切正常。 When a push notification arrives it will do different tasks based on the message content.当推送通知到达时,它将根据消息内容执行不同的任务。
The problem is that I use a Service Account to connect to all the API's on Google Cloud Platform that I need.问题是我使用服务帐户连接到我需要的 Google Cloud Platform 上的所有 API。 The Service Account allows access to ALL of our Gmail accounts in our organization.服务帐户允许访问我们组织中的所有 Gmail 帐户。 I need to somehow limit the access to a specific Gmail account.我需要以某种方式限制对特定 Gmail 帐户的访问。
The closest I could find to this issue was this question Impersonating list of users with Google Service Account .我能找到的最接近这个问题的是这个问题Impersonating list of users with Google Service Account 。 However, the only solution presented there was to turn my project into a marketplace app which I do not want to do.但是,那里提出的唯一解决方案是将我的项目变成我不想做的市场应用程序。
I have tried setting up an Organizational Unit and trying to limit the scope to that somehow, but there seems to be know way (that I can find) to do it.我曾尝试建立一个组织单位并试图以某种方式将范围限制在该范围内,但似乎有知道的方法(我可以找到)来做到这一点。 I did try speak with Google Cloud Platform help but they didn't know the answer as it didn't quite fall under their area of expertise and referred me on to another help group, but I'm not eligible for them because I don't pay for support.我确实尝试与 Google Cloud Platform 帮助交谈,但他们不知道答案,因为它不完全属于他们的专业领域,并将我推荐给另一个帮助小组,但我不符合他们的资格,因为我不知道为支持付费。
Edit: It doesn't actually appear that what I want to do is possible.编辑:实际上似乎我想做的事情是不可能的。 I'll be going back to an OAuth2 method of authentication.我将回到 OAuth2 身份验证方法。
1 个解决方案
解决方案1
0 已采纳 2020-01-10 06:50:26
Understanding service accounts explains the possibilities: 了解服务帐户解释了可能性:
Service accounts can be thought of as both a resource and as an identity.
When thinking of the service account as an identity, you can grant a role to a service account, allowing it to access a resource (such as a project).
When thinking of a service account as a resource, you can grant roles to other users to access or manage that service account.
Now try to fit that impracticable intent into there ...现在试着把那个不切实际的意图放进去......
If you need to limit the access of the service account to user-specific resources, this can only be done on the application level, not the system level - since a service account can impersonate just any user identity;如果您需要限制服务帐户对用户特定资源的访问,这只能在应用程序级别完成,而不是系统级别——因为服务帐户可以模拟任何用户身份; eg.例如。 in order not to mess up the ownership, when uploading files on behalf of a user.为了不弄乱所有权,在代表用户上传文件时。 If you want 1 user identity to access 1 user-specific resource, why even use a service account?如果您希望 1 个用户身份访问 1 个特定于用户的资源,为什么还要使用服务帐户? And when using a service account, why not just impersonate as the correct identity?在使用服务帐户时,为什么不冒充正确的身份? This could even be hard-coded, if it's only 1 user identity.这甚至可以是硬编码的,如果它只有 1 个用户身份。 But nevertheless, it can only be done on the application level - but cannot be configured for the service account itself.但是,它只能在应用程序级别上完成 - 但不能为服务帐户本身配置。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.