
Creating short-lived service account credentials from the GCP Console

I'm trying to create short-lived service account credentials. I'm working from https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#creating_a_limited-privilege_service_account, which describes how to do it with the REST API, but I want to do it from the GCP Console. In particular, I'm trying to perform the equivalent of the serviceAccounts.setIamPolicy() request.

How can I update the policy for a service account to add a binding (as is described in the link above), using the GCP console?

Thanks in advance.

Elliott

If we look at this article called How to impersonate Service Accounts in Google Cloud we find an explicit statement that reads:

Account Specific (only possible from command line, NO option in Console)

This seems to say to me that if we want to treat the service account as a resource and allow it to set up short-lived credentials, we must use the APIs.

You are confusing service accounts and OAuth Access Tokens.

The Google Cloud Console and the CLI can create a service account. A service account does not expire, but it can be revoked. Service Accounts are used to create Google Cloud OAuth 2.0 Access Tokens (and Identity Tokens).

You cannot create an OAuth Access Token in the Google Cloud Console. You can create OAuth Access Tokens with the CLI gcloud or using APIs.

All Google Cloud OAuth Access Tokens are short-lived. The default and the max expiration time is 3,600 seconds. If you want a shorter token lifetime, you will need to create it yourself using API calls and/or OAuth endpoints.

I wrote an article that shows how to create Google OAuth Access Tokens including source code. You can change the code to create tokens with any expiration up to 3,600 seconds.

Google Cloud – Creating OAuth Access Tokens for REST API Calls

If you want to assign IAM roles to a service account you can. This can be done in the Google Cloud Console, using the CLI gcloud or by API call. This is independent of the OAuth Access Token. IAM Roles are not assigned to tokens. IAM Roles are assigned to the account member ID. These permissions will be valid for any OAuth Token that is created by the service account unless limited by scopes. If you want to change the scopes at the time the OAuth Access Token is generated, you must write your own code to do so at the time the token request is made.
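The two pieces the question and this answer describe, the serviceAccounts.setIamPolicy() read-modify-write that grants a caller the Service Account Token Creator role, and the generateAccessToken request whose lifetime cannot exceed 3,600 seconds, as an added example in Python that is not code from the question, either answer, or the linked articles. It uses only the standard library; the project ID, service account emails and bearer token are placeholders, and the endpoint paths are assumed to follow the public IAM v1 and IAM Credentials v1 REST APIs. The policy-editing and request-building functions run offline; only the two `grant_token_creator` / `generate_access_token` helpers touch the network.

```python
"""Added example: the IAM policy edit behind serviceAccounts.setIamPolicy()
and the generateAccessToken request body for a short-lived token.
Not code from the question, the answers, or Google's documentation."""
import copy
import json
import urllib.request

# Assumed endpoint roots (public IAM v1 / IAM Credentials v1 REST APIs).
IAM_API = "https://iam.googleapis.com/v1"
CREDENTIALS_API = "https://iamcredentials.googleapis.com/v1"
TOKEN_CREATOR_ROLE = "roles/iam.serviceAccountTokenCreator"
MAX_LIFETIME_SECONDS = 3600  # ceiling enforced on generateAccessToken lifetimes


def add_binding(policy: dict, role: str, member: str) -> dict:
    """Return a copy of an IAM policy with `member` added to `role`.

    The etag is preserved so setIamPolicy can reject a concurrent edit
    (the read-modify-write pattern). Adding an existing member is a no-op,
    so re-running a grant never duplicates the binding.
    """
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        if binding.get("role") == role:
            members = binding.setdefault("members", [])
            if member not in members:
                members.append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated


def remove_binding(policy: dict, role: str, member: str) -> dict:
    """Return a copy of the policy with `member` removed from `role`.

    Empty bindings are dropped. Use this to revoke the grant once the
    short-lived credential is no longer needed (least privilege).
    """
    updated = copy.deepcopy(policy)
    kept = []
    for binding in updated.get("bindings", []):
        if binding.get("role") == role:
            binding["members"] = [m for m in binding.get("members", []) if m != member]
        if binding.get("members"):
            kept.append(binding)
    updated["bindings"] = kept
    return updated


def access_token_request_body(lifetime_seconds: int, scopes=None) -> dict:
    """Build the JSON body for ...:generateAccessToken.

    Lifetime is expressed as a duration string ("600s"); values outside
    1..3600 are rejected here rather than letting the API fail the call.
    Scopes narrow what the resulting token may do.
    """
    if not 1 <= lifetime_seconds <= MAX_LIFETIME_SECONDS:
        raise ValueError(f"lifetime must be 1..{MAX_LIFETIME_SECONDS} seconds")
    return {
        "scope": list(scopes or ["https://www.googleapis.com/auth/cloud-platform"]),
        "lifetime": f"{lifetime_seconds}s",
    }


def _call(method: str, url: str, bearer_token: str, body=None) -> dict:
    """Minimal authenticated JSON call (network; not exercised offline)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, method=method, data=data)
    req.add_header("Authorization", f"Bearer {bearer_token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def grant_token_creator(project_id: str, target_sa: str, caller_member: str, bearer_token: str) -> dict:
    """getIamPolicy -> add binding -> setIamPolicy on the target service account."""
    resource = f"{IAM_API}/projects/{project_id}/serviceAccounts/{target_sa}"
    current = _call("POST", f"{resource}:getIamPolicy", bearer_token, {})
    updated = add_binding(current, TOKEN_CREATOR_ROLE, caller_member)
    return _call("POST", f"{resource}:setIamPolicy", bearer_token, {"policy": updated})


def generate_access_token(target_sa: str, lifetime_seconds: int, bearer_token: str, scopes=None) -> dict:
    """Request a short-lived OAuth access token for `target_sa` (network)."""
    url = f"{CREDENTIALS_API}/projects/-/serviceAccounts/{target_sa}:generateAccessToken"
    return _call("POST", url, bearer_token, access_token_request_body(lifetime_seconds, scopes))


if __name__ == "__main__":
    # Constructed sample policy (placeholder emails); offline walk-through.
    policy = {"etag": "BwXyZ-placeholder", "bindings": []}
    caller = "serviceAccount:caller-sa@PROJECT_ID.iam.gserviceaccount.com"
    granted = add_binding(policy, TOKEN_CREATOR_ROLE, caller)
    print(json.dumps({"policy": granted}, indent=2))          # setIamPolicy body
    print(json.dumps(access_token_request_body(600), indent=2))  # 10-minute token
    print(json.dumps(remove_binding(granted, TOKEN_CREATOR_ROLE, caller), indent=2))
```

The etag handling is the part worth keeping even if you end up doing the grant in the Console: setIamPolicy with a stale etag fails instead of silently overwriting a binding someone else added in between. Request a lifetime as short as the job needs and revoke the Token Creator binding afterwards; the token itself cannot be revoked early.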
