用于云构建的跨项目服务帐户模拟
[英]Cross project service account impersonation for cloud build
问题描述
We have a use case where project A has some secrets and databases which cannot be moved to another project.
我们有一个用例,其中project A有一些不能移动到另一个项目的秘密和数据库。 We have a project B that uses the secrets and databases from project A .我们有一个project B ,它使用project A的秘密和数据库。
Project A has a service account X that accesses the secrets and databases. Project A有一个访问机密和数据库的service account X
Project B has a service account Y with no permissions to the secrets and databases. Project B有一个service account Y ,没有权限访问机密和数据库。 The goal is for service account Y to impersonate service account X during a build trigger connected to pushes to github. Project B has a cloud build pipeline that needs to temporarily access the secrets and database in Project A during the CICD process.目标是让service account Y在连接到推送到 github 的构建触发器期间模拟service account X Project B有一个云构建管道,需要在 CICD 过程中临时访问Project A中的机密和数据库。
According to this:https://cloud.google.com/build/docs/cloud-build-service-account , section User-specified service account...You can create a custom IAM role with an impersonation permission or use pre-defined roles that allow principals to impersonate a service account.根据这个:https://cloud.google.com/build/docs/cloud-build-service-account ,用户指定的服务帐户部分......您可以创建具有模拟权限的自定义 IAM 角色或使用预定义的角色允许委托人模拟服务帐户。
I create a service account X and gave service account Y permissions to impersonate it (as checked in policy analyzer) however, when I try to use service account X in project B 's cloud run trigger I get (as expected):我创建了一个service account X并授予service account Y模拟它的权限(如在策略分析器中检查的那样)但是,当我尝试在project B的云运行触发器中使用service account X时,我得到(如预期的那样):
Failed to update trigger: generic::permission_denied: user does not have impersonation permission on the trigger service account specified: projects/redacted/serviceAccounts/service@project-A.com
What "user" is this referring to?
这是指什么“用户”? The one using the console?使用控制台的那个? the build service agent?构建服务代理?Is it possible to get a
service account YinProject Bto impersonateservice account XinProject Aduring the build step process?是否可以在构建步骤过程中获取Project B中的service account Y来模拟Project A中的service account X?
According to this https://cloud.google.com/build/docs/securing-builds/configure-user-specified-service-accounts ... To use the Triggers page in the Google Cloud console, the user-specified service account and the build trigger must be in the same project.根据这个https://cloud.google.com/build/docs/securing-builds/configure-user-specified-service-accounts ...要使用 Google Cloud 控制台中的触发器页面,用户指定的服务帐户并且构建触发器必须在同一个项目中。
Is there a workaround for this eg is it necessary to use gcloud to impersonate the account?是否有解决方法,例如是否需要使用gcloud来模拟帐户? Or is there a way to perform cross project account impersonation (for triggers) using the cloudbuild.yaml or somehow tell the trigger that the service account being used must impersonate another?或者有没有办法使用cloudbuild.yaml执行跨项目帐户模拟(用于触发器)或以某种方式告诉触发器所使用的服务帐户必须模拟另一个?
1 个解决方案
解决方案1
0 2023-01-11 21:01:48
you have 2 solutions:你有2个解决方案:
- Use the service account X from the project A as Cloud Build user managed service account.使用项目 A 中的服务帐户 X 作为 Cloud Build 用户托管服务帐户。 You have to grant the Cloud Build Service Agent service account the permission to impersonate the service account X in project A. In addition, this service account X must have access to your project B resource also to interact with them.您必须授予 Cloud Build Service Agent 服务帐户在项目 A 中模拟服务帐户 X 的权限。此外,此服务帐户 X 还必须有权访问您的项目 B 资源才能与它们进行交互。 This solution is convenient because you can use the built-in connection with secret manager此解决方案很方便,因为您可以使用与秘密管理器的内置连接
- Use the current configuration, but perform manual impersonation in the Cloud Build pipeline when you want to get the secrets (with code, not with the Cloud Build built-in integration with secret manager).使用当前配置,但当您想要获取秘密时(使用代码,而不是使用 Cloud Build 与秘密管理器的内置集成)在 Cloud Build 管道中执行手动模拟。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.