如何使用服务帐户模拟调用gcloud [英] How to invoke gcloud with service account impersonation
问题描述
我有一个使用默认服务帐户A在GCE中运行的服务.该服务使用gcloud与各种GCP服务进行对话.当前,它使用服务帐户B与某些GCP服务进行对话(使用私钥).但是,我们想摆脱使用私钥和使用帐户模拟的麻烦.为此,我已将帐户A添加到服务帐户B的角色中,并赋予了令牌创建者角色.
I have a service running in GCE with default service account A. This service uses gcloud to talk to various GCP services. Currently, it uses service account B to talk to some of the GCP services (using private key). However, we want to get rid of using private key and use account impersonation. To do that, I have added account A to the service account B's role and given token creator role.
我用go编写了一个测试程序,并能够验证模拟工作.但是,我们的服务使用PHP,并且使用gcloud SDK.我找不到配置gcloud来模拟服务帐户或提供自定义令牌的方法.
I wrote a test program in go and was able to verify the impersonation works. However, our service is in PHP, and uses gcloud SDK. I couldn't find a way to configure gcloud to impersonate a service account or provide custom token.
一种选择是,我重写所有gcloud代码以使用google SDK,但这是很多工作,我宁愿避免这种情况.我的问题是,在这种情况下如何使用服务帐户B调用gcloud?有没有办法将访问令牌传递给gcloud或指定模拟用户?
One option is that I rewrite all the gcloud code to use google SDK, but that is lots of work, and I'd rather avoid that. My question is, how do I invoke gcloud using service account B in this scenario?. Is there a way to pass access token to gcloud or specify impersonation user?
推荐答案
gcloud
为此具有 --impersonate-service-account
标志.
gcloud
has a --impersonate-service-account
flag for this.
这篇关于如何使用服务帐户模拟调用gcloud的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!