gcp - how to run Python application as Service Account without a key file

gcloud and gsutil have --impersonate-service-account by which we can impersonate a service account.

For a Python program, is there a way to run the program as a service account without using the service account secret key file, as a key file is not recommended for security reasons?

Service account keys could pose a security risk if compromised. We recommend that you avoid downloading service account keys

If your Python program is running outside Google Cloud, then no, you must use credentials.

You have a catch-22. You need to be authorized using credentials to impersonate another credential.

You have three choices:

  • user account credentials
  • another service account credentials
  • federated tokens

Each of those methods requires secrets.

For compute services, such as Compute Engine, Cloud Functions, Cloud Run, etc., you can use the metadata service for authorization. However, then you do not need to impersonate credentials; you can just use the credentials as they are safe (no secrets stored on the machine).

I wrote an article on this topic and how to set up impersonation using user account credentials:

Google Cloud – Improving Security with Impersonation

If impersonation is set up correctly, the flag --impersonate-service-account is not required.
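The Python equivalent of `--impersonate-service-account` is the IAM Credentials API call `generateAccessToken`, which the answer above alludes to: the caller's own credential (a user account or another service account) authorizes the request, and the response is a short-lived token for the target service account, so no key file is ever downloaded. The block below is an added example, not code from the answerer's article or from any Google library; the service account address is a placeholder, the caller is assumed to hold `roles/iam.serviceAccountTokenCreator` on that account, and the `google-auth` path reads the source credential from Application Default Credentials (for example after `gcloud auth application-default login`).

```python
"""Impersonate a service account from Python without a downloaded key file.

Added example. The request-building and response-parsing helpers run offline;
the two functions that talk to Google need network access and, for the
library path, `pip install google-auth requests`.
"""
import json
import re
import urllib.request
from datetime import datetime, timezone

IAM_CREDENTIALS_ENDPOINT = "https://iamcredentials.googleapis.com/v1"
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Placeholder: the service account you are permitted to impersonate.
TARGET_SA = "target-sa@my-project.iam.gserviceaccount.com"


def build_generate_access_token_request(target_sa, source_token, scopes, lifetime_seconds=3600):
    """Build the POST that gcloud issues for --impersonate-service-account.

    The caller's own access token (user or service account) goes in the
    Authorization header; the reply carries a token minted for target_sa.
    The default maximum lifetime is one hour unless an org policy extends it.
    """
    if not 0 < lifetime_seconds <= 3600:
        raise ValueError("lifetime must be between 1 and 3600 seconds")
    url = (f"{IAM_CREDENTIALS_ENDPOINT}/projects/-/serviceAccounts/"
           f"{target_sa}:generateAccessToken")
    headers = {
        "Authorization": f"Bearer {source_token}",
        "Content-Type": "application/json",
    }
    body = {"scope": list(scopes), "lifetime": f"{lifetime_seconds}s"}
    return url, headers, body


def parse_rfc3339(ts):
    """Parse an RFC 3339 UTC timestamp such as 2024-01-01T13:00:00Z (fraction optional)."""
    ts = re.sub(r"\.\d+", "", ts)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_generate_access_token_response(raw, now=None):
    """Return (access_token, seconds_until_expiry) from the JSON reply.

    Rejects a token whose expireTime has already passed, so a caller never
    caches a dead credential.
    """
    data = json.loads(raw)
    expire_time = parse_rfc3339(data["expireTime"])
    now = now or datetime.now(timezone.utc)
    remaining = int((expire_time - now).total_seconds())
    if remaining <= 0:
        raise ValueError("impersonated token is already expired")
    return data["accessToken"], remaining


def impersonated_token_via_rest(target_sa, source_token, scopes=(CLOUD_PLATFORM_SCOPE,)):
    """Perform the exchange over HTTPS with the standard library (network call)."""
    url, headers, body = build_generate_access_token_request(target_sa, source_token, scopes)
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_generate_access_token_response(resp.read().decode())


def impersonated_credentials_via_google_auth(target_sa, scopes=(CLOUD_PLATFORM_SCOPE,)):
    """Same exchange through google-auth, which refreshes the token for you.

    Source credentials come from Application Default Credentials; with a
    user login as ADC this is exactly what gcloud does, and no key file is read.
    """
    import google.auth
    from google.auth import impersonated_credentials

    source_credentials, _project = google.auth.default(scopes=[CLOUD_PLATFORM_SCOPE])
    return impersonated_credentials.Credentials(
        source_credentials=source_credentials,
        target_principal=target_sa,
        target_scopes=list(scopes),
        lifetime=3600,
    )


if __name__ == "__main__":
    from google.auth.transport.requests import Request

    creds = impersonated_credentials_via_google_auth(TARGET_SA)
    creds.refresh(Request())  # calls generateAccessToken under the hood
    print("impersonated token expires at", creds.expiry)
```

The returned `Credentials` object can be passed to any Google client library constructor via its `credentials=` argument, so the rest of the program is unchanged; only the source of authority differs from the key-file approach, and the minted token is short-lived.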

Yes, there is a way to use keyless authentication in your Python program. It's called Workload Identity Federation (WIF).

With WIF you use an external provider to generate an OpenID Connect (OIDC) identity token. This external provider can be an IDaaS (IDentity as a Service) like Okta, Auth0 or Authlete, or it can be something you build yourself. More precisely, you would need to create an OAuth 2.0 authorization server, for example using a library like Authlib. I've never done it myself, but I'm sure it's a lot of work.

Once you have set up the external identity provider, you will need to configure a workload identity pool:

To allow the use of these tokens, you must configure the workload identity pool to trust your external identity provider. Tokens issued by the external identity provider are then recognized by workload identity federation, and you can use the tokens to obtain short-lived service account credentials.

Personally, I would think twice about implementing an OAuth 2.0 authorization server myself. I don't want to worry about issuing the correct type of token, and I certainly do not want to worry about managing the database of tokens (blacklisting them, invalidating them, etc.). Most likely I would either download the JSON key of a service account and use it in my Python program, or pay an IDaaS to issue ID tokens (i.e. the external identity provider used in Workload Identity Federation).