如何从容器化的Dockerfile向GCP进行身份验证 [英] How to authenticate to GCP from a containerized Dockerfile

问题描述

我正在尝试使用Cloud Build触发作业动态地构建新的Docker映像，但是我看不到如何安全地检索我的凭据以使用服务帐户针对GCP进行身份验证.

I am trying to build a new Docker image dynamically using a Cloud Build trigger job, however I fail to see how to safely retrieve my credentials to authenticate against GCP with a service account.

以下是步骤:

1. Dockerfile已创建，并带有构建Docker映像的步骤.步骤之一包括从Google Storage(存储桶)下载一个文件，我需要以GCP服务帐户访问该文件.

1. Dockerfile created with steps to build a Docker image. One of the steps includes downloading a file from Google Storage (bucket) that I need to access as a GCP service account.

Docker映像是使用Cloud Build触发器构建的，该触发器在链接存储库中的每次更改后触发并存储在GCR中.

Docker image is built by using a Cloud Build trigger that is triggered after each change in the linked repository and stored in GCR.

第一步失败是因为:

1.)默认情况下，由于某种原因，在GCP中运行Dockerfile的用户未针对GCP进行身份验证.它不是默认的Google Cloud Build帐户，而是匿名用户.

1.) By default, for some reason, the user running the Dockerfile in GCP is not authenticated against GCP. It is not a default Google Cloud Build account, it is an anonymous user.

2.)我可以将BUT认证为服务帐户

2.) I can authenticate as a service account BUT

a.)我不想将未加密的JSON私钥存储在本地或存储库中.b.)如果我将其加密存储在GCP存储库中，则需要先进行身份验证，然后再使用KMS对其进行解密.但是我没有密钥，因为它仍然是加密的.所以我回到了我的问题.c.)如果我将其存储在GCP存储桶中，我也需要进行身份验证.所以我回到我的问题了.

a.) I don't want to store the JSON private key unencrypted locally or in the repository. b.) If I stored it encrypted in the GCP repository, then I need to authenticate before decrypting it with KMS. But I don't have the key because it's still encrypted. So I am back to my problem. c.) If I stored it in a GCP Storage bucket, I need to authenticate, too. So I am back to my problem.

还有其他方法可以执行云构建触发作业并保留/获取GCP服务帐户上下文吗?

Is there any other approach how I can execute the Cloud build trigger job and stay/get a GCP service account context?

推荐答案

1. 您可以让云构建为您从云存储中下载文件，并让docker访问目录以便它可以使用该文件.您需要允许云构建服务帐户访问您的存储桶.

1. you can let cloud build to download the file from cloud storage for you and let docker to access the directory so it can use the file. You'll need to allow cloud build service account to access your bucket.

请参阅: https://cloud.google.com/cloud-build/docs/securing-builds/set-service-account-permissions

OR

1. 使用 gcloud auth configure-docker ，然后您可以使用 --impersonate-service-account 来模拟作为服务帐户，并访问存储桶，因此docker用户具有下载文件的足够权限

1. Use gcloud auth configure-docker and then you can impersonate as service account using --impersonate-service-account with access to the bucket, so docker user has sufficient access to download the file

请参阅: https://cloud.google.com/sdk/gcloud/reference/auth/configure-docker

这篇关于如何从容器化的Dockerfile向GCP进行身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！