[英]Cross project service account impersonation for cloud build
We have a use case where project A
has some secrets and databases which cannot be moved to another project.我们有一个用例,其中
project A
有一些不能移动到另一个项目的秘密和数据库。 We have a project B
that uses the secrets and databases from project A
.我们有一个
project B
,它使用project A
的秘密和数据库。
Project A
has a service account X
that accesses the secrets and databases. Project A
有一个访问机密和数据库的service account X
Project B
has a service account Y
with no permissions to the secrets and databases. Project B
有一个service account Y
,没有权限访问机密和数据库。 The goal is for service account Y
to impersonate service account X
during a build trigger connected to pushes to github. Project B
has a cloud build pipeline that needs to temporarily access the secrets and database in Project A
during the CICD process.目标是让
service account Y
在连接到推送到 github 的构建触发器期间模拟service account X
Project B
有一个云构建管道,需要在 CICD 过程中临时访问Project A
中的机密和数据库。
According to this:https://cloud.google.com/build/docs/cloud-build-service-account , section User-specified service account...You can create a custom IAM role with an impersonation permission or use pre-defined roles that allow principals to impersonate a service account.根据这个:https://cloud.google.com/build/docs/cloud-build-service-account ,用户指定的服务帐户部分......您可以创建具有模拟权限的自定义 IAM 角色或使用预定义的角色允许委托人模拟服务帐户。
I create a service account X
and gave service account Y
permissions to impersonate it (as checked in policy analyzer) however, when I try to use service account X
in project B
's cloud run trigger I get (as expected):我创建了一个
service account X
并授予service account Y
模拟它的权限(如在策略分析器中检查的那样)但是,当我尝试在project B
的云运行触发器中使用service account X
时,我得到(如预期的那样):
Failed to update trigger: generic::permission_denied: user does not have impersonation permission on the trigger service account specified: projects/redacted/serviceAccounts/service@project-A.com
What "user" is this referring to?这是指什么“用户”? The one using the console?
使用控制台的那个? the build service agent?
构建服务代理?
Is it possible to get a service account Y
in Project B
to impersonate service account X
in Project A
during the build step process?是否可以在构建步骤过程中获取
Project B
中的service account Y
来模拟Project A
中的service account X
?
According to this https://cloud.google.com/build/docs/securing-builds/configure-user-specified-service-accounts ... To use the Triggers page in the Google Cloud console, the user-specified service account and the build trigger must be in the same project.根据这个https://cloud.google.com/build/docs/securing-builds/configure-user-specified-service-accounts ...要使用 Google Cloud 控制台中的触发器页面,用户指定的服务帐户并且构建触发器必须在同一个项目中。
Is there a workaround for this eg is it necessary to use gcloud
to impersonate the account?是否有解决方法,例如是否需要使用
gcloud
来模拟帐户? Or is there a way to perform cross project account impersonation (for triggers) using the cloudbuild.yaml
or somehow tell the trigger that the service account being used must impersonate another?或者有没有办法使用
cloudbuild.yaml
执行跨项目帐户模拟(用于触发器)或以某种方式告诉触发器所使用的服务帐户必须模拟另一个?
you have 2 solutions:你有2个解决方案:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.