在Docker Container中的Container OS上访问Google Cloud服务帐户凭据 [英] Access Google Cloud service account credentials on Container OS inside Docker Container
问题描述
在Google Cloud Compute上使用容器优化的操作系统(COS),访问默认服务帐户的凭据的最佳方法是什么从Docker容器中访问VM项目?
Using the Container Optimized OS (COS) on Google Cloud Compute, what's the best way to access the credentials of the default service account for the VM-project from within a Docker container?
$ gcloud compute instances create test-instance \
--image=cos-stable --image-project=cos-cloud
$ ssh (ip of the above)
# gcloud ...
Command not found
# docker run -ti google/cloud-sdk:alpine /bin/sh
# gcloud auth activate-service-account
... --key-file: Must be specified.
如果凭据在VM上,则Docker可以挂载这些凭据.通常,凭据将位于.config/gcloud/中,并使用docker run -v ~/.config/gcloud:~/.config/gcloud image执行此操作.在容器OS中是否以及在何处都可以使用这些凭据,这并不明显,特别是因为缺少gcloud.
If the credentials were on the VM, then Docker could just mount those. Ordinarily credentials would be in .config/gcloud/, and do this with docker run -v ~/.config/gcloud:~/.config/gcloud image. It is not apparent if and where such credentials are available in Container OS, particularly since it is missing gcloud.
如果凭据无法在VM上安装并且可挂载,则选项似乎包括:
Failing the credentials being on the VM and mountable, options would seem to include:
- 将凭据放入容器元数据/环境变量中;
- 为服务帐户创建一个
.json凭据文件,然后
- Put the credentials in the container metadata / environment variable;
- Create a
.jsoncredentials file for the service account, then
- 将其上传到VM,然后安装;或
- 将
.json添加到容器中;
- upload it to the VM, then mount it; or
- add the
.jsonto the container;
gcloud auth activate-service-account
gcloud auth activate-service-account是否可以通过规范或最佳实践的方式为Docker容器提供VM项目的服务帐户凭据?
Is there a canonical or best-practices way to provide a Docker container with the service account credentials of the VM's project?
Google Cloud已经有了一种安全策略模型,即所需的模型:项目内的VM应该具有服务帐户提供的访问权限.为了避免复杂性和配置错误或事故的可能性,正确的解决方案将采用这种现有的安全模型,即不涉及创建,下载,分发和维护凭证文件.
Google Cloud already has a security-policy model, the desired one: a VM inside a project should have the access provided by the service account. To avoid complexity and the possibility of misconfiguration or mishap, the correct solution would employ this existing security model i.e. not involving creating, downloading, distributing, and maintaining credential files.
感觉这将是一个常规问题,需要使用COS,Docker和Kubernetes来解决,因此我认为我错过了一些简单明了的东西-但该解决方案对我而言并不明显.
It feels like this would be a routine problem that would need to be solved with COS, Docker, and Kubernetes, so I assume I've missed something straightforward — but the solution was not apparent to me from the docs.
编辑-注意到 set-service-account API-这个问题可以简化为如何在Container OS中使用set-service-account API?"如果不可能(因为Container OS缺少gcloud和gsutil),我认为应该注意这一点,以便VM用户可以进行相应的计划.
EDIT — Noting the set-service-account API — this question could be reduced to "How do you use the set-service-account API with Container OS?" If it's not possible (because Container OS lacks gcloud and gsutil), I think this should be noted so VM users can plan accordingly.
编辑,供以后的人们使用:
EDIT For the next folks to cross this:
要复制该问题,我使用了:
To replicate the issue, I used:
[local] $ ssh test-instance-ip
[test-instance] $ docker run -it gcr.io/google-appengine/python /bin/bash
[test-instance] $ pip install --upgrade google-cloud-datastore
[test-instance] $ python
>>> from google.cloud import datastore
>>> datastore_client = datastore.Client()
>>> q = datastore.query.Query(datastore_client, kind='MODEL-KIND')
>>> list(q.fetch())
[... results]
问题确实是在VM实例的API中设置的范围,尤其是默认帐户的datastore API被禁用(在标题 Cloud API访问范围 (对于VM).可以找到范围和必要的datastore行,如下所示:
The issue was indeed scopes set in the API for the VM instance, and in particular the datastore API was disabled for the default account (Under the heading Cloud API access scopes for the VM). One can find the scopes and the necessary datastore line as follows:
> gcloud compute instances describe test-instance
...
serviceAccounts:
- email: *****-compute@developer.gserviceaccount.com
scopes:
- https://www.googleapis.com/auth/datastore
...
...
请注意,服务帐户本身具有数据存储的权限(因此通常可以使用服务密钥的JSON凭证密钥访问数据存储).服务帐户权限受VM范围的限制.
Note that the service account itself had permission to the datastore (so the datastore could be accessed with a json credential key for the service key, generally). The service account permissions were limited by the scopes of the VM.
推荐答案
进行身份验证的常用方法是出现在 Google云SDK Docker自述文件.
The usual way to authenticate would be the one appearing on Google cloud SDK Docker readme.
在COS实例中运行一次:
From within the COS instance run this once:
docker run -ti --name gcloud-config google/cloud-sdk gcloud auth login
这会将您的凭据存储在gcloud-config容器卷中.
This will store your credentials in the gcloud-config container volume.
此卷仅应装入您想访问其凭据的容器,而这些容器可能不是cloud-sdk
This volume should only mounted with containers you want to have access to your credentials, which probably won't be anything that's not cloud-sdk
docker run --rm -ti --volumes-from gcloud-config google/cloud-sdk:alpine gcloud compute instances create test-docker --project [PROJECT]
Created [https://www.googleapis.com/compute/v1/projects/project/zones/us-east1-b/instances/test-docker].
NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS
test-docker us-east1-b n1-standard-1 10.142.0.8 X.X.X.X RUNNING
服务帐户通常应使用自己的一套凭据,这些凭据必须从某处获取,包括密钥文件,环境变量或令牌:
Service accounts are usually meant to use their own set of credentials which they have to get from somewhere, be a key file, and environment variable or a token:
gcloud auth Activate-service-account
如果您希望gcloud(以及Cloud SDK中的其他工具)使用服务帐户凭据来发出请求,请使用此命令从包含私有授权密钥的文件中导入这些凭据,然后激活它们以在gcloud中使用.此命令与gcloud auth登录具有相同的功能,但用于使用服务帐户而不是您的Google用户凭据.
If you want gcloud (and other tools in the Cloud SDK) to use service account credentials to make requests, use this command to import these credentials from a file that contains a private authorization key, and activate them for use in gcloud. This command serves the same function as gcloud auth login but for using a service account rather than your Google user credentials.
此外,最佳做法是为不同的实例创建不同的服务帐户,而不是获取默认服务帐户的密钥并使用它:
Also, the best practice is to create different service accounts for different instances, not to get the key of the default service account and use it:
通常,Google建议每个需要调用的实例 Google API应该作为服务帐户运行,且最少 该实例执行其工作所需的权限.在实践中, 这意味着您应该为实例配置服务帐户 通过以下过程:
In general, Google recommends that each instance that needs to call a Google API should run as a service account with the minimum permissions necessary for that instance to do its job. In practice, this means you should configure service accounts for your instances with the following process:
1-创建一个新的服务帐户,而不使用Compute Engine
默认服务帐户.
2-为该服务帐户授予IAM角色
仅它需要的资源.
3-将实例配置为以
该服务帐户.
4-将实例授予
https://www.googleapis.com/auth/cloud-platform 范围.
5-避免授予
超出必要的访问权限,并定期检查您的服务帐户
权限以确保它们是最新的.
1 - Create a new service account rather than using the Compute Engine
default service account.
2 - Grant IAM roles to that service account for
only the resources that it needs.
3 - Configure the instance to run as
that service account.
4 - Grant the instance the
https://www.googleapis.com/auth/cloud-platform scope.
5 - Avoid granting
more access than necessary and regularly check your service account
permissions to make sure they are up-to-date.
更新
我不确定set-service-account是否可以满足您的需求.有了它,您可以更改实例使用的服务帐户(尽管该实例必须停止,因此您不能使用该帐户来更改正在更改的实例的服务帐户).但是,您可以将其正常用于其他实例,请参见:
I'm not sure set-service-account does what you need/want. With it you can change the service account that an instance uses (the instance must be stopped though, so you can't use that to change the service account from withing the instance being changed). However you can use it normally for other instances, see:
jordim@cos ~ $ docker run --rm -ti --volumes-from gcloud-config google/cloud-sdk:alpine gcloud compute instances set-service-account instance-1 --service-account xx-compute@developer.gserviceaccount.com
Did you mean zone [us-east1-b] for instance: [instance-1] (Y/n)?
Updated [https://www.googleapis.com/compute/v1/projects/XX/zones/us-east1-b/instances/instance-1].
这篇关于在Docker Container中的Container OS上访问Google Cloud服务帐户凭据的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
