
Google Cloud Java SDK with Workload Identity?

I'm trying to figure out how to authenticate with the storage API from within a GKE cluster.

Code:

import com.google.auth.oauth2.ServiceAccountCredentials;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
// getApplicationDefault() resolves Application Default Credentials (ADC); inside GKE that means the metadata server
Storage storage = StorageOptions.newBuilder()
  .setCredentials(ServiceAccountCredentials.getApplicationDefault())
  .setProjectId(gcpProjectId)
  .build().getService();

getApplicationDefault() is documented to use these means to authenticate with the API:

  1. Credentials file pointed to by the {@code GOOGLE_APPLICATION_CREDENTIALS} environment variable
  2. Credentials provided by the Google Cloud SDK {@code gcloud auth application-default login} command
  3. Google App Engine built-in credentials
  4. Google Cloud Shell built-in credentials
  5. Google Compute Engine built-in credentials

The application is using the GCP Workload Identity feature, so the application (in-cluster) service account is annotated with:

serviceAccount.annotations.iam.gke.io/gcp-service-account: my-service-account@my-project.iam.gserviceaccount.com

Now the call to the storage account fails with the following error:

{
  "code" : 403,
  "errors" : [ {
    "domain" : "global",
    "message" : "Primary: /namespaces/my-project.svc.id.goog with additional claims does not have storage.objects.create access to the Google Cloud Storage object.",
    "reason" : "forbidden"
  } ],
  "message" : "Primary: /namespaces/my-project.svc.id.goog with additional claims does not have storage.objects.create access to the Google Cloud Storage object."
}

This makes me think that Workload Identity is not working correctly. I am expecting to receive an error message for my annotated service account and not the default one.

Is there anything else I should have been doing?

The answer, in part, aside from the annotation syntax, is that, just like me, you probably didn't look closely enough at this part of the documentation:

gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[K8S_NAMESPACE/KSA_NAME]" \
  GSA_NAME@PROJECT_ID.iam.gserviceaccount.com

Notice the PROJECT_ID.svc.id.goog[K8S_NAMESPACE/KSA_NAME] piece. They give no examples of the syntax, but it looks like this in my terraform.

resource "google_project_iam_member" "app-binding-2" {
  # Project-level grant: lets this KSA impersonate any service account in the
  # project, broader than the per-GSA binding the gcloud command above creates
  # (google_service_account_iam_member is the per-GSA equivalent).
  project = local.ws_vars["project-id"]
  role    = "roles/iam.workloadIdentityUser"
  member  = "serviceAccount:${local.ws_vars["project-id"]}.svc.id.goog[mynamespace/myk8ssaname]"
}

Weirdly, I didn't know you could bind an IAM policy to a k8s service account; even more weirdly, you can bind this in the terraform even if the namespace doesn't exist, much less the service account. So you can run this first, before deployments.

I truly wish Google would provide better documentation and support; this took me several hours to figure out.
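The two halves that have to agree for the 403 above to go away are the KSA annotation and the roles/iam.workloadIdentityUser binding on the GSA, keyed on the exact serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME] member string. The following is an added example, not code from the question, the answer, or Google's libraries: an offline checker that builds that member string, compares it against a GSA IAM policy, flags the usual namespace or name typo, and recognises the "Primary: /namespaces/PROJECT.svc.id.goog" form of the error (which means the request was authenticated as the cluster's identity pool rather than as the GSA). The project, namespace, KSA and GSA names are the ones used in the post; the IAM policy documents are constructed for illustration.

```python
"""Offline sanity check of a GKE Workload Identity KSA -> GSA binding.

Added example; it is not code from the question, the answer, or Google's
libraries. Two things must agree for the pod to get a token for the GSA:
  1. the Kubernetes service account (KSA) annotation naming the GSA, and
  2. an IAM binding on the GSA granting roles/iam.workloadIdentityUser to
     serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME].
Names below come from the post; the policy documents are constructed.
"""
import re
from typing import Dict, List, Optional

WI_ROLE = "roles/iam.workloadIdentityUser"
WI_ANNOTATION = "iam.gke.io/gcp-service-account"


def workload_identity_member(project_id: str, namespace: str, ksa_name: str) -> str:
    """Build the exact IAM member string the gcloud command in the answer expects."""
    return f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{ksa_name}]"


def check_workload_identity(
    project_id: str,
    namespace: str,
    ksa_name: str,
    gsa_email: str,
    ksa_annotations: Dict[str, str],
    gsa_policy_bindings: List[Dict],
) -> List[str]:
    """Return the problems found; an empty list means both halves are in place."""
    problems: List[str] = []

    # Half 1: the KSA must be annotated with the GSA it wants to act as.
    annotated = ksa_annotations.get(WI_ANNOTATION)
    if annotated is None:
        problems.append(f"KSA {namespace}/{ksa_name} lacks the {WI_ANNOTATION} annotation")
    elif annotated != gsa_email:
        problems.append(f"KSA annotation names {annotated}, expected {gsa_email}")

    # Half 2: the GSA policy must let exactly this KSA impersonate it.
    expected = workload_identity_member(project_id, namespace, ksa_name)
    members = set()
    for binding in gsa_policy_bindings:
        if binding.get("role") == WI_ROLE:
            members.update(binding.get("members", []))
    if expected not in members:
        # A binding for a different namespace or KSA name is the usual typo.
        prefix = f"serviceAccount:{project_id}.svc.id.goog["
        near = sorted(m for m in members if m.startswith(prefix))
        hint = f" (found {WI_ROLE} only for {', '.join(near)})" if near else ""
        problems.append(f"{gsa_email} grants no {WI_ROLE} to {expected}{hint}")
    return problems


def pool_from_error(message: str) -> Optional[str]:
    """Pull the workload identity pool out of a 403 like the one in the question.

    'Primary: /namespaces/PROJECT.svc.id.goog with additional claims' means the
    call was authenticated as the cluster's identity pool member, not as the
    GSA, which is what you see when the binding checked above is missing.
    """
    m = re.search(r"Primary: /namespaces/([\w.-]+\.svc\.id\.goog)", message)
    return m.group(1) if m else None


# --- constructed sample data, mirroring the names used in the post ----------
PROJECT_ID = "my-project"
NAMESPACE = "mynamespace"
KSA_NAME = "myk8ssaname"
GSA_EMAIL = "my-service-account@my-project.iam.gserviceaccount.com"
KSA_ANNOTATIONS = {WI_ANNOTATION: GSA_EMAIL}

# State from the question: annotation present, no binding on the GSA at all.
POLICY_BEFORE: List[Dict] = []
# State after the answer's gcloud / terraform step.
POLICY_AFTER: List[Dict] = [
    {"role": WI_ROLE, "members": [workload_identity_member(PROJECT_ID, NAMESPACE, KSA_NAME)]}
]
ERROR_403 = ("Primary: /namespaces/my-project.svc.id.goog with additional claims "
             "does not have storage.objects.create access to the Google Cloud Storage object.")


def demo() -> Dict[str, List[str]]:
    """Run the check against both policy states and return the findings."""
    common = (PROJECT_ID, NAMESPACE, KSA_NAME, GSA_EMAIL, KSA_ANNOTATIONS)
    return {
        "before": check_workload_identity(*common, POLICY_BEFORE),
        "after": check_workload_identity(*common, POLICY_AFTER),
    }


if __name__ == "__main__":
    for state, findings in demo().items():
        print(f"{state}: {findings or 'OK'}")
    print("pool in 403:", pool_from_error(ERROR_403))
```

To run this against a real cluster, feed `ksa_annotations` from `kubectl get sa KSA_NAME -n NAMESPACE -o json` (`.metadata.annotations`) and `gsa_policy_bindings` from `gcloud iam service-accounts get-iam-policy GSA_EMAIL --format=json` (`.bindings`); the check is deliberately strict about the member string because IAM does no normalisation of the namespace or KSA name inside the brackets.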
