[英]how can I get my gcloud user creds into a container securely and use them to impersonate a service account when testing locally?
Starting with this:从此开始:
gcloud config set auth/impersonate_service_account [SA_FULL_EMAIL]
and it can be run with the same creds as what will run in the dev environment- without them having to download any keysgcloud config set auth/impersonate_service_account [SA_FULL_EMAIL]
并且它可以使用与在开发环境中运行的相同的凭据运行 - 无需下载任何密钥Now that works.现在可以了。 BUT I also want to make it possible to run the applications locally in containers too.
但我也希望能够在容器中本地运行应用程序。 Using docker/docker-compose/minikube/etc how can I make it possible to impersonate a service account?
使用 docker/docker-compose/minikube/etc 如何使模拟服务帐户成为可能?
the container would need access to the gcloud creds and it would need to set impersonation in the session too before the app starts somehow.在应用程序以某种方式启动之前,容器需要访问gcloud 凭据,并且还需要在 session 中设置模拟。 This must not be done in code- the app should just use the APIs as normal without having to do anything differently.
这不能在代码中完成——应用程序应该像往常一样使用 API,而不必做任何不同的事情。
EDIT: when applications run in dev or prod GCP accounts/projects they run in the context of a service account that has correctly scoped permissions for that specific application.编辑:当应用程序在 dev 或 prod GCP 帐户/项目中运行时,它们在具有该特定应用程序正确范围权限的服务帐户的上下文中运行。 Developer's own user accounts have broad permissions to the dev environment.
开发人员自己的用户帐户对开发环境具有广泛的权限。 When running locally its useful to run with the same service account that application runs with in the dev environment instead of the developer's own user account
在本地运行时,使用与在开发环境中运行应用程序相同的服务帐户而不是开发人员自己的用户帐户运行很有用
The correct way to achieve this is the Secret Manager that is supplied by Google Cloud.实现此目的的正确方法是 Google Cloud 提供的 Secret Manager。
def access_secret_version(secret_id): """ Access the payload for the given secret version if one exists. The version can be a version number as a string (eg "5") or an alias (eg "latest"). """ project_id = PROJECT_ID version_id = 1 # Import the Secret Manager client library. from google.cloud import secretmanager_v1beta1 as secretmanager # Create the Secret Manager client. client = secretmanager.SecretManagerServiceClient() # Build the resource name of the secret version. name = client.secret_version_path(project_id, secret_id, version_id) # Access the secret version. response = client.access_secret_version(name) # Print the secret payload. # # WARNING: Do not print the secret in a production environment - this # snippet is showing how to access the secret material. payload = response.payload.data.decode('UTF-8') # logging.info('Plaintext: {}'.format(payload)) logging.info('Secret accessed for:' + secret_id) return payload
This what I wanted这就是我想要的
GSA_TOKEN=$(gcloud auth print-access-token --impersonate-service-account mygsa)
docker run --env GOOGLE_APPLICATION_CREDENTIALS=$GSA_TOKEN my-image
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.