How to upload file from google cloud instance to cloud storage with IAM?


Question

I want files to be uploaded automatically from cloud VM to cloud storage. Is there any way to do this without putting google access key ID to instances?

Recommended answer

There's a neat way to handle authenticating from within GCE. GCE instances can have an associated service account that represents the programs running on that GCE instance. That service account can be granted permission to write to your GCS buckets like any other account.

Credentials to act as this service account are easily available on the deployed GCE instances. The easiest way is to use a Google tool or library that supports Application Default Credentials. If your auth code is entirely custom, you can retrieve an access token for that service account directly from the URL "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" (if you do this, you must also include the header "Metadata-Flavor: Google").

The GCS command-line utility, gsutil, is pre-installed on GCE instances, and it can use application default credentials. If you invoke it from a script or from a shell, it will upload files to cloud storage with no further configuration.

There's one important trick to making service accounts work with GCS. GCE requires you to specify which scopes the service accounts have, and by default GCS is not included in those scopes, which means that the service account will not initially work with GCS. You'll need to add GCS to the allowed scopes and then restart the instance.

The documentation on configuring service accounts for GCE instances is here: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances

The documentation for how to use application default credentials is here: https://developers.google.com/identity/protocols/application-default-credentials
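
The custom-auth path described in the answer, as an added example that is not part of the original answer: it reads the instance's scopes and access token from the metadata server, refuses to continue if no write-capable Cloud Storage scope is present, and uploads through the Cloud Storage JSON API. The `scopes` metadata path and the upload endpoint are not on the page, and the bucket `example-bucket` and the file paths are hypothetical.

```python
import json
import urllib.parse
import urllib.request

METADATA = ("http://metadata.google.internal/computeMetadata/v1/"
            "instance/service-accounts/default/")
# OAuth scopes that permit writing objects to Cloud Storage.
WRITE_SCOPES = {
    "https://www.googleapis.com/auth/devstorage.read_write",
    "https://www.googleapis.com/auth/devstorage.full_control",
    "https://www.googleapis.com/auth/cloud-platform",
}


def metadata_get(path):
    """Read one value from the metadata server (only reachable on the VM)."""
    req = urllib.request.Request(METADATA + path,
                                 headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def can_write_gcs(scopes_text):
    """True if the newline-separated scope list allows GCS writes."""
    return bool(WRITE_SCOPES & set(scopes_text.split()))


def build_upload(bucket, object_name, data, token_json):
    """Build the JSON API simple-upload request from a token response."""
    token = json.loads(token_json)["access_token"]  # never log this value
    url = ("https://storage.googleapis.com/upload/storage/v1/b/"
           + urllib.parse.quote(bucket, safe="") + "/o?uploadType=media&name="
           + urllib.parse.quote(object_name, safe=""))
    return urllib.request.Request(url, data=data, method="POST", headers={
        "Authorization": "Bearer " + token,
        "Content-Type": "application/octet-stream"})


def upload(bucket, object_name, path):
    """Upload a local file using only the instance's service account."""
    if not can_write_gcs(metadata_get("scopes")):
        raise PermissionError("instance scopes do not allow GCS writes")
    with open(path, "rb") as fh:
        req = build_upload(bucket, object_name, fh.read(), metadata_get("token"))
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read())["name"]


if __name__ == "__main__":
    # Hypothetical bucket and file names; run this on the GCE instance.
    print(upload("example-bucket", "logs/app.log", "/var/log/app.log"))
```

Even with a write-capable scope, the upload only succeeds if the service account also holds an IAM role on the bucket that allows object creation.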
