将来自不同项目的服务帐户分配给 Pub/Sub 上的推送订阅
[英]Assign a service account from a different project to a push subscription on Pub/Sub
问题描述
The scenario is the following: I have two projects in the same organization and folder;
场景如下:我在同一个组织和文件夹中有两个项目; let's call them project1 and project2 .我们称它们为project1和project2 。 I have a Pub/Sub topic on project2 and I have a Cloud Run service on project1 that I want to use as the endpoint for a push subscription for the topic.我在project2上有一个 Pub/Sub 主题,在project1上有一个 Cloud Run 服务,我想将其用作该主题的推送订阅的端点。 However, I don't want everyone to be able to access my Cloud Run service: I only want authorised service accounts to be able to invoke the service.但是,我不希望每个人都能够访问我的 Cloud Run 服务:我只希望授权服务帐户能够调用该服务。 Thus I created a service account on project1 that has the role/run.invoker role for the Cloud Run service.因此,我在project1上创建了一个服务帐户,该帐户具有 Cloud Run 服务的role/run.invoker角色。 Now, when I go and create my subscription in the topic in project2 with the Cloud Run service as the endpoint and I try to associate to it the service account in project1 using the following command:现在,当我使用 Cloud Run 服务作为端点在project2中的主题中创建我的订阅时,我尝试使用以下命令将其关联到project1中的服务帐户:
gcloud --project=project2 pubsub subscriptions create test_subscrption --topic=topic-name --topic-project=project2 --push-auth-service-account=service_account1 --push-endpoint=https://my-cloud-run-service.run.app/
I get the following:我得到以下信息:
ERROR: Failed to create subscription [projects/project2/subscriptions/test_subscrption]: User not authorized to perform this action.
ERROR: (gcloud.pubsub.subscriptions.create) Failed to create the following: [test_subscrption].
Note that the account with which I'm logged into GCP has the Owner permission at the organization level.请注意,我登录 GCP 所用的帐户在组织级别具有Owner权限。 Moreover, if I create a service account in project2 and use that instead of the service account on project1 , the subscription is created without problems.此外,如果我在project2中创建一个服务帐户并使用它而不是project1上的服务帐户,则可以毫无问题地创建订阅。 I'm aware that there are some permissions to set before associating a service account to a push subscription ( serviceAccountTokenCreator as described here and iam.serviceAccounts.actAs as described here ), but I can guarantee I did set those permission before trying to create my subscription, and I still got the same error.我知道在将服务帐户关联到推送订阅之前需要设置一些权限( 此处描述的serviceAccountTokenCreator和此处描述的iam.serviceAccounts.actAs ),但我可以保证在尝试创建我的之前我确实设置了这些权限订阅,我仍然遇到同样的错误。 From all this I'm concluding that it is not possible to associate a service account from a different project to a push subscription in Pub/Sub (more to the point, if I try to create the subscription from the GCP UI in the dropdown menu for the service account to associate to the push subscription I only see the service accounts that are part of the same project as the topic and subscription).从这一切我得出结论,不可能将来自不同项目的服务帐户关联到 Pub/Sub 中的推送订阅(更重要的是,如果我尝试从下拉菜单中的 GCP UI 创建订阅对于关联到推送订阅的服务帐户,我只看到与主题和订阅属于同一项目的服务帐户)。 Can anybody confirm this, or tell me how to achieve my goal?谁能证实这一点,或者告诉我如何实现我的目标? My current solution has been to create a service account in project2 and associate that to the push subscription instead, but I would like to know if my original plan was even possible at all.我目前的解决方案是在project2中创建一个服务帐户并将其关联到推送订阅,但我想知道我的原始计划是否可行。
1 个解决方案
解决方案1
0
As mentioned in the comment, when you do it with the UI, you can only select the service account of the current project and it is impossible to use an external service account.评论中提到,用UI做的时候,只能选择当前项目的服务账号,不能使用外部服务账号。 Instead, you can create the push subscription in project1 and create the topic in project2.相反,您可以在 project1 中创建推送订阅并在 project2 中创建主题。
解决方案2
-1 2022-12-19 16:20:21
I found the documentation that reinforces Pooja's answer:我找到了强化 Pooja 答案的文档:
This service account must be in the same project as the push subscription
Source: https://cloud.google.com/pubsub/docs/push#setting_up_for_push_authentication来源: https ://cloud.google.com/pubsub/docs/push#setting_up_for_push_authentication
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.