Starting with this:
gcloud config set auth/impersonate_service_account [SA_FULL_EMAIL]
and it can be run with the same creds as what will run in the dev environment- without them having to download any keysNow that works. BUT I also want to make it possible to run the applications locally in containers too. Using docker/docker-compose/minikube/etc how can I make it possible to impersonate a service account?
the container would need access to the gcloud creds and it would need to set impersonation in the session too before the app starts somehow. This must not be done in code- the app should just use the APIs as normal without having to do anything differently.
EDIT: when applications run in dev or prod GCP accounts/projects they run in the context of a service account that has correctly scoped permissions for that specific application. Developer's own user accounts have broad permissions to the dev environment. When running locally its useful to run with the same service account that application runs with in the dev environment instead of the developer's own user account
The correct way to achieve this is the Secret Manager that is supplied by Google Cloud.
def access_secret_version(secret_id): """ Access the payload for the given secret version if one exists. The version can be a version number as a string (eg "5") or an alias (eg "latest"). """ project_id = PROJECT_ID version_id = 1 # Import the Secret Manager client library. from google.cloud import secretmanager_v1beta1 as secretmanager # Create the Secret Manager client. client = secretmanager.SecretManagerServiceClient() # Build the resource name of the secret version. name = client.secret_version_path(project_id, secret_id, version_id) # Access the secret version. response = client.access_secret_version(name) # Print the secret payload. # # WARNING: Do not print the secret in a production environment - this # snippet is showing how to access the secret material. payload = response.payload.data.decode('UTF-8') # logging.info('Plaintext: {}'.format(payload)) logging.info('Secret accessed for:' + secret_id) return payload
This what I wanted
GSA_TOKEN=$(gcloud auth print-access-token --impersonate-service-account mygsa)
docker run --env GOOGLE_APPLICATION_CREDENTIALS=$GSA_TOKEN my-image
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.