Cloud run service invoke

I would like to know if there is a way to invoke a cloud run service with a service account from a compute engine VM without a JWT token. The idea is to restrict the cloud run service access only from the VM. The request from the VM towards the cloud run service can't have more than one token, so I cannot use the service account JWT in the request.

Note that there is no way for you to use only one token to authorize your requests (if you plan on communicating with your Cloud Run service over a period of time):

The ID tokens are JSON Web Tokens (JWTs) that expire approximately an hour after creation. If you fetch tokens from the metadata server, you will always get a valid token.

After 1 hour, you need to use another token as the old one is no longer valid. This can be a problem if you manually generate the ID token from gcloud auth, for example. You can, however, simply fetch them from the metadata server programmatically (see the code samples). This is possible as any Google Cloud service can have access to the metadata server (that includes Cloud Run and Compute Engine). The tokens fetched will still expire, but the refresh is automatically done for you.

"The idea is to restrict the cloud run service access only from the VM."

If your Cloud Run service requires authorization, any user or service account without the run.routes.invoke permission won't be able to access your Cloud Run service even if they send a valid request. This permission can be found in the Cloud Run Invoker role or in an IAM role with general access to Cloud Run services, such as the Cloud Run Admin or Editor role.

In this case, I recommend that you fetch tokens from the metadata server programmatically and then assign the Cloud Run Invoker role to the service account your Compute Engine VM is using, as it is the least privilege role needed to invoke a Cloud Run service.
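As an added example (not code from either answer or from Google's own samples): a small Python helper that fetches an ID token for the service URL from the Compute Engine metadata server, caches one token per audience, and re-fetches it shortly before the roughly one-hour expiry, so every request to Cloud Run carries exactly one Bearer token. The service URL used in testing is hypothetical, and `build_unsigned_jwt` only constructs an unsigned sample token so the refresh logic can be exercised off a VM.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Metadata-server endpoint that mints a Google-signed ID token for the VM's service account.
METADATA_IDENTITY_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                         "instance/service-accounts/default/identity")
METADATA_HEADERS = {"Metadata-Flavor": "Google"}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def build_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token (alg none, unsigned) so the expiry logic can run offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return header + "." + _b64url(json.dumps(claims).encode()) + "."

def jwt_expiry(token: str) -> int:
    """Read 'exp' without verifying the signature: the token arrives over the instance-local
    metadata link and is only used to schedule refreshes; Cloud Run verifies the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])

def fetch_id_token_from_metadata(audience: str) -> str:
    """Real fetch; the audience must be the Cloud Run service URL. Works only inside GCP."""
    url = METADATA_IDENTITY_URL + "?audience=" + urllib.parse.quote(audience, safe="")
    with urllib.request.urlopen(urllib.request.Request(url, headers=METADATA_HEADERS), timeout=5) as r:
        return r.read().decode()

class IdTokenCache:
    """One cached ID token per audience, re-fetched `skew` seconds before it expires."""
    def __init__(self, fetch=fetch_id_token_from_metadata, now=time.time, skew: int = 300):
        self._fetch, self._now, self._skew = fetch, now, skew
        self._tokens: dict = {}

    def get(self, audience: str) -> str:
        tok = self._tokens.get(audience)
        if tok is None or jwt_expiry(tok) - self._skew <= self._now():
            tok = self._fetch(audience)  # old token expired or about to expire: mint a new one
            self._tokens[audience] = tok
        return tok

def invoke_cloud_run(service_url: str, cache: IdTokenCache, path: str = "/") -> bytes:
    """Call a private Cloud Run service; the single Bearer token is the only credential sent."""
    headers = {"Authorization": "Bearer " + cache.get(service_url)}
    req = urllib.request.Request(service_url + path, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()
```

On a VM, `invoke_cloud_run("https://<service>.a.run.app", IdTokenCache())` is enough; the VM's service account still needs the Cloud Run Invoker role on the service for the request to be accepted.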

In a very special case, you can achieve what you want. You need:

  • To have only 1 VM (the VM that you talk about) in the VPCs of your project
  • To set the Cloud Run ingress control to internal. Like this, only the components connected to your VPC will be able to call your Cloud Run service.

Because of the latter condition, you shouldn't connect anything else to your VPC:

  • No other VMs in your project
  • No external connection to the VPC (Cloud VPN, Interconnect, VPC Peering)
  • No VPC SC
  • No serverless VPC connector used by another serverless product

Because you don't want to rely on the identity (the JWT token), you need to rely on presence on the network.
