如何在本地测试时如何使我的gcloud用户信用安全地放入容器中并使用它们来模拟服务帐户? [英] how can I get my gcloud user creds into a container securely and use them to impersonate a service account when testing locally?

问题描述

从此开始:

• 用户拥有自己的Google用户帐户，这些帐户通过以下方式在本地设置 gcloud登录
• 应用程序以常规方式使用gcp API-默认情况下，它将查找GOOGLE_APPLICATION_CREDENTIALS，GCE角色，服务帐户，或使用本地用户gcloud配置的凭据
• 当用户在本地运行它时，它将使用他们自己的用户帐户；在gcp中运行时，它将使用一个服务帐户
• 用户的帐户也有权模拟服务 帐户.因此，在本地运行应用程序时，用户首先执行gcloud config set auth/impersonate_service_account [SA_FULL_EMAIL]即可运行它 具有与在开发环境中运行时相同的信誉-无需下载任何密钥

• users have their own google user accounts that are setup locally via gcloud login
• the application is using the gcp APIs in the usual way- by default it will look for GOOGLE_APPLICATION_CREDENTIALS, GCE roles, service accounts, or use the local users gcloud configured credentials
• when users run it locally it will use their own user account, when run in gcp it will use a service account
• The user's account also has access to impersonate the service account. So when running the app locally users first do gcloud config set auth/impersonate_service_account [SA_FULL_EMAIL] and it can be run with the same creds as what will run in the dev environment- without them having to download any keys

现在有效.但是我也想使在容器中本地运行应用程序成为可能.使用docker/docker-compose/minikube/etc如何模拟服务帐户?

Now that works. BUT I also want to make it possible to run the applications locally in containers too. Using docker/docker-compose/minikube/etc how can I make it possible to impersonate a service account?

该容器需要访问 gcloud 信誉，并且在应用程序以某种方式启动之前，也需要在会话中设置模拟功能.一定不要在代码中完成此操作-应用程序应仅正常使用API​​，而不必做其他任何事情.

the container would need access to the gcloud creds and it would need to set impersonation in the session too before the app starts somehow. This must not be done in code- the app should just use the APIs as normal without having to do anything differently.

当应用程序在dev或prod GCP帐户/项目中运行时，它们将在对特定应用程序具有正确范围权限的服务帐户的上下文中运行.开发人员自己的用户帐户对开发环境具有广泛的权限.在本地运行时，使用与应用程序在开发环境中运行的相同服务帐户(而不是开发人员自己的用户帐户)运行很有用

when applications run in dev or prod GCP accounts/projects they run in the context of a service account that has correctly scoped permissions for that specific application. Developer's own user accounts have broad permissions to the dev environment. When running locally its useful to run with the same service account that application runs with in the dev environment instead of the developer's own user account

推荐答案

实现此目标的正确方法是Google Cloud提供的Secret Manager.

The correct way to achieve this is the Secret Manager that is supplied by Google Cloud.

• 在您的Google Cloud帐户中激活Secret Manager API.
• 使用GC UI或sdk创建Secret数据和相关的有效载荷.
• 在具有您的项目ID的settings.py中使用以下功能.
• 授予服务帐户访问机密"的权限(如果尚无访问权限)
• 使用Secret Manager访问代码中的有效载荷，而无需显式公开有效载荷.

def access_secret_version(secret_id):
    """
    Access the payload for the given secret version if one exists. The version
    can be a version number as a string (e.g. "5") or an alias (e.g. "latest").
    """
    project_id = PROJECT_ID
    version_id = 1
    # Import the Secret Manager client library.
    from google.cloud import secretmanager_v1beta1 as secretmanager

    # Create the Secret Manager client.
    client = secretmanager.SecretManagerServiceClient()

    # Build the resource name of the secret version.
    name = client.secret_version_path(project_id, secret_id, version_id)

    # Access the secret version.
    response = client.access_secret_version(name)

    # Print the secret payload.
    #
    # WARNING: Do not print the secret in a production environment - this
    # snippet is showing how to access the secret material.
    payload = response.payload.data.decode('UTF-8')
    # logging.info('Plaintext: {}'.format(payload))
    logging.info('Secret accessed for  :' + secret_id)
    return payload

这篇关于如何在本地测试时如何使我的gcloud用户信用安全地放入容器中并使用它们来模拟服务帐户?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！