Cloud Run service invoke
I would like to know if there is a way to invoke a Cloud Run service with a service account from a Compute Engine VM without a JWT token. The idea is to restrict the Cloud Run service access only from the VM. The request from the VM towards the Cloud Run service can't have more than one token, so I cannot use the service account JWT in the request.
Note that there is no way for you to use only one token to authorize your requests (if you plan on communicating with your Cloud Run service through periods of time):
"The ID tokens are JSON Web Tokens (JWTs) that expire approximately an hour after creation."
If you fetch tokens from the metadata server, you will always get a valid token. After 1 hour, you need to use another token as the old one is no longer valid. This can be a problem if you manually generate the ID token from gcloud auth, for example. You can, however, simply fetch them from the metadata server programmatically (see the code samples). This is possible as any Google Cloud service can have access to the metadata server (that includes Cloud Run and Compute Engine). The tokens fetched will still expire, but the refresh is automatically done for you.
"The idea is to restrict the Cloud Run service access only from the VM."
If your Cloud Run service requires authorization, any user or service account without the run.routes.invoke permission won't be able to access your Cloud Run service even if they have a valid request. This permission can be found in the Cloud Run Invoker role or in an IAM role with general access to Cloud Run services, such as the Cloud Run Admin or Editor role.
In this case, I recommend that you fetch tokens from the metadata server programmatically and then assign the Cloud Run Invoker role to the service account your Compute Engine VM is using, as it is the least privilege role needed to invoke a Cloud Run service.
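One way to do what this answer describes, fetching the ID token from the VM's metadata server and re-fetching it before the one-hour expiry so that only a single Bearer token ever travels with each request. This is an added example, not code from the original answer or from Google: the metadata URL and the `Metadata-Flavor: Google` header are the real GCE ones, while the service URL, the `IdTokenCache` class, `constructed_jwt` and the injectable fetcher/clock used for offline testing are assumptions of this example.

```python
import base64
import json
import time
import urllib.request
from typing import Callable

METADATA_URL = ("http://metadata.google.internal/computeMetadata/v1/instance/"
                "service-accounts/default/identity")
REFRESH_MARGIN = 300  # seconds before `exp` at which a fresh token is fetched

def jwt_expiry(token: str) -> int:
    """Read `exp` from the JWT payload without verifying the signature: the
    value only schedules the refresh, Cloud Run verifies the token itself."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])

def fetch_id_token_from_metadata(audience: str) -> str:
    """Ask the VM's metadata server for an ID token whose `aud` is the Cloud
    Run service URL; it is signed for the VM's attached service account."""
    req = urllib.request.Request(f"{METADATA_URL}?audience={audience}",
                                 headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()

class IdTokenCache:
    """Keeps one ID token and re-fetches it shortly before it expires (assumed helper)."""

    def __init__(self, fetcher: Callable[[str], str] = fetch_id_token_from_metadata,
                 clock: Callable[[], float] = time.time):
        self._fetcher, self._clock = fetcher, clock
        self._token, self._exp = "", 0

    def token(self, audience: str) -> str:
        if not self._token or self._clock() >= self._exp - REFRESH_MARGIN:
            self._token = self._fetcher(audience)
            self._exp = jwt_expiry(self._token)
        return self._token

def build_invoke_request(cache: IdTokenCache, service_url: str) -> urllib.request.Request:
    """Exactly one credential on the wire: the Authorization: Bearer header."""
    return urllib.request.Request(
        service_url, headers={"Authorization": f"Bearer {cache.token(service_url)}"})

def constructed_jwt(exp: int) -> str:
    """Constructed, unsigned JWT-shaped string for offline testing only."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256'})}.{seg({'exp': exp})}.sig"
```

On a real VM, `IdTokenCache()` with the default fetcher talks to the metadata server, and the returned `Request` can be passed to `urllib.request.urlopen` to call the service.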
In a very special case, you can achieve what you want. You need
Because of the latest condition, you shouldn't connect anything to your VPC.
Because you don't want to rely on the identity (the JWT token), you need to rely on the existence in the network.