Cloud Scheduler 使用错误的服务帐户进行身份验证
[英]Cloud Scheduler authenticates with wrong service account
问题描述
I have an application deployed on cloud run, and I created a cloud scheduler job that calls an endpoint on this application.
我在 cloud run 上部署了一个应用程序,我创建了一个调用此应用程序上的端点的云调度程序作业。
I created a service account and use it for the cloud task token.我创建了一个服务帐户并将其用于云任务令牌。 Below is a screenshot of the cloud scheduler task configuration (I ensured multiple time the right service account is selected).下面是云调度程序任务配置的屏幕截图(我多次确保选择了正确的服务帐户)。
I have a middleware on my application to prevent unauthorized access to the endpoint (simplified version):我的应用程序上有一个中间件来防止未经授权访问端点(简化版):
import (
"fmt"
"github.com/gin-gonic/gin"
"google.golang.org/api/oauth2/v2"
"net/http"
"strings"
)
func ForceCloudScheduler(c *gin.Context) {
if c.Request.UserAgent() != "Google-Cloud-Scheduler" {
c.AbortWithStatus(http.StatusForbidden)
return
}
// https://stackoverflow.com/questions/53181297/verify-http-request-from-google-cloud-scheduler
token := c.GetHeader("Authorization")
if token == "" {
c.AbortWithStatus(http.StatusForbidden)
return
}
idToken := strings.Split(token, "Bearer ")[0]
authenticator, err := oauth2.NewService(c)
if err != nil {
_ = c.AbortWithError(http.StatusInternalServerError, fmt.Errorf("failed to acquire authenticator: %w", err))
return
}
info, err := authenticator.Tokeninfo().IdToken(idToken).Do()
if err != nil {
_ = c.AbortWithError(http.StatusInternalServerError, fmt.Errorf("failed to retrieve token information: %w", err))
return
}
// This is the line where the job fails.
if info.Email != "agora-job-scheduler-account@agoradesecrivains.iam.gserviceaccount.com" {
c.AbortWithStatus(http.StatusForbidden)
return
}
c.Next()
}
When I run the job, the request fails with a 403. I have added some logs to check the content of the token sent by cloud scheduler.当我运行作业时,请求失败并显示 403。我添加了一些日志来检查云调度程序发送的令牌的内容。 Here is the logs explorer output:这是日志浏览器 output:
{
"audience": "107655128939031897672"
"email": "970356934135-compute@developer.gserviceaccount.com"
"expires_in": 1644
"issued_to": "107655128939031897672"
"scope": "openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email"
"user_id": "107655128939031897672"
"verified_email": true
}
For some reason (maybe a bug?), the email in the token payload does not match the one I set in cloud scheduler.出于某种原因(可能是错误?),令牌负载中的 email 与我在云调度程序中设置的不匹配。 Is this expected and can I fix that?这是预期的吗?我可以解决这个问题吗?
1 个解决方案
解决方案1
1 2022-11-30 09:28:07
The documentation says that, 文件说,
Do not remove the default Cloud Scheduler service account from your project, or its Cloud Scheduler Service Agent (roles/cloudscheduler.serviceAgent) role.
You can refer to this Troubleshoot Cloud Run issues document where it states different reasons for causing the 403 error and respective resolution steps.您可以参考此排查 Cloud Run 问题文档,其中说明了导致 403 错误的不同原因以及相应的解决步骤。
For more information, you can refer to these Stack Overflow Link1 and Link2 which may help you.有关更多信息,您可以参考这些 Stack Overflow Link1和Link2可能对您有所帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.