如何使用服务帐户模拟调用gcloud [英] How to invoke gcloud with service account impersonation

问题描述

我有一个使用默认服务帐户A在GCE中运行的服务.该服务使用gcloud与各种GCP服务进行对话.当前，它使用服务帐户B与某些GCP服务进行对话(使用私钥).但是，我们想摆脱使用私钥和使用帐户模拟的麻烦.为此，我已将帐户A添加到服务帐户B的角色中，并赋予了令牌创建者角色.

I have a service running in GCE with default service account A. This service uses gcloud to talk to various GCP services. Currently, it uses service account B to talk to some of the GCP services (using private key). However, we want to get rid of using private key and use account impersonation. To do that, I have added account A to the service account B's role and given token creator role.

我用go编写了一个测试程序，并能够验证模拟工作.但是，我们的服务使用PHP，并且使用gcloud SDK.我找不到配置gcloud来模拟服务帐户或提供自定义令牌的方法.

I wrote a test program in go and was able to verify the impersonation works. However, our service is in PHP, and uses gcloud SDK. I couldn't find a way to configure gcloud to impersonate a service account or provide custom token.

一种选择是，我重写所有gcloud代码以使用google SDK，但这是很多工作，我宁愿避免这种情况.我的问题是，在这种情况下如何使用服务帐户B调用gcloud?有没有办法将访问令牌传递给gcloud或指定模拟用户?

One option is that I rewrite all the gcloud code to use google SDK, but that is lots of work, and I'd rather avoid that. My question is, how do I invoke gcloud using service account B in this scenario?. Is there a way to pass access token to gcloud or specify impersonation user?

推荐答案

gcloud为此具有 --impersonate-service-account 标志.

gcloud has a --impersonate-service-account flag for this.

这篇关于如何使用服务帐户模拟调用gcloud的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！