如何使用服务帐户在 shell 脚本中对 gsutil 进行身份验证
[英]How to Authenticate to gsutil in a shell script using service account
问题描述
What is the best way to authenticate to Google Cloud Storage Bucket from a shell script (To be scheduled to run daily/hourly) using a service account ?
使用服务帐户从shell 脚本(计划每天/每小时运行)向 Google Cloud Storage Bucket 进行身份验证的最佳方法是什么? I have gone through the below link, but I still have some doubts regarding the login process.我已经通过以下链接,但我仍然对登录过程有一些疑问。
How to use Service Accounts with gsutil, for uploading to CS + BigQuery 如何将服务帐户与 gsutil 一起使用,以上传到 CS + BigQuery
Are the below mentioned login steps a one-time process?
下面提到的登录步骤是一次性过程吗? If yes how does the login work for subsequent executions?如果是,登录如何用于后续执行?My understanding is that the below commands writes content to the .boto file which is used in subsequent executions?
我的理解是以下命令将内容写入后续执行中使用的.boto文件? But according to below link - it writes to a separate json file inside.config/gcloud?但是根据下面的链接-它写入一个单独的 json 文件 inside.config/gcloud? Does gsutil support creating boto files with service account info? gsutil 是否支持使用服务帐户信息创建 boto 文件?In such a case what is the use of a.boto file?
在这种情况下,a.boto 文件有什么用? and why/ when do we need to pass it via BOTO_PATH/BOTO_CONFIG?为什么/什么时候我们需要通过 BOTO_PATH/BOTO_CONFIG 传递它?In gsutil (standalone), login using below steps
在 gsutil(独立)中,使用以下步骤登录gsutil config -eOptionally -o to output to a file other than ~/.boto
可选 -o 到 output 到 ~/.boto 以外的文件gsutil as part of gcloud
gsutil 作为 gcloud 的一部分gcloud auth activate-service-account SERVICE_ACCOUNT@DOMAIN.COM --key-file=/path/key.json --project=PROJECT_IDWhat is the best way to prevent intervention from other scripts?
防止其他脚本干预的最佳方法是什么?For example, let us assume we have shell script S1, connecting to project P1 to upload data to Bucket B1, If another shell script say S2 is triggered at exactly the same time connecting to Project P2 uploading to Bucket B2, will it cause an issue?
例如,假设我们有 shell 脚本 S1,连接到项目 P1 以将数据上传到 Bucket B1,如果另一个 shell 脚本说 S2 在连接到项目 P2 上传到 Bucket B2 的同时被触发,是否会导致问题? What is the best practice to avoid such issues?避免此类问题的最佳做法是什么?Is it possible to limit the login to only the time of script execution?
是否可以将登录限制为仅在脚本执行时登录? Say, the script is scheduled using cron to run at 10:00 AM UTC and the script completes its execution by 10:30 AM UTC.比如说,脚本使用 cron 计划在世界标准时间上午 10:00 运行,脚本在世界标准时间上午 10:30 之前完成执行。 Is it possible to prevent any actions in the time between 10:30 till next run?是否可以在 10:30 到下一次运行期间阻止任何操作? In other words is it possible to log out and then login programatically without intervention?换句话说,是否可以在没有干预的情况下以编程方式注销然后登录?
Environment: Centos环境:Centos
1 个解决方案
解决方案1
0 已采纳 2022-05-01 12:12:50
The principle of BOTO file is exactly to answer your question 2. You can have 2 credentials that have access to 2 different buckets. BOTO文件的原理正是回答你的问题2。你可以有2个凭证可以访问2个不同的桶。 Create 2 boto file and use the correct one for each script.创建 2 个 boto 文件并为每个脚本使用正确的文件。
For the 3rd question it's possible to set condition on the bucket access.对于第三个问题,可以为存储桶访问设置条件。
Select a bucket and go to right-hand side in the info panel, and click on add credential. Select 一个桶和 go 在信息面板的右侧,然后单击添加凭据。
Then, add your credential, your role, and click on add condition (you must set the uniform permission definition on the bucket to have available that feature)然后,添加你的凭证,你的角色,然后点击添加条件(你必须在桶上设置统一的权限定义才能使用该功能)
And then define a condition to allow the permission after 10am your timezone and before 11am your timezone (you don't have minute granularity)然后定义一个条件以在您的时区上午 10 点之后和您的时区上午 11 点之前允许权限(您没有分钟粒度)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.