How to perform service account admin operations (create, list, delete) by using Cloud Function?

Views: 86

Problem description


I want to create, list and delete service account keys using a Cloud Function.

We do have client libraries to perform these operations in Python, but how can I authenticate a Cloud Function with its associated service account to perform these operations?

Sample code from official documentation is below:

import os

from google.oauth2 import service_account
import googleapiclient.discovery


def list_keys(service_account_email):
    """Lists all keys for a service account."""

    # Explicit credentials loaded from the key file named by GOOGLE_APPLICATION_CREDENTIALS.
    credentials = service_account.Credentials.from_service_account_file(
        filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS'],
        scopes=['https://www.googleapis.com/auth/cloud-platform'])

    service = googleapiclient.discovery.build(
        'iam', 'v1', credentials=credentials)

    keys = service.projects().serviceAccounts().keys().list(
        name='projects/-/serviceAccounts/' + service_account_email).execute()

    for key in keys['keys']:
        print('Key: ' + key['name'])

In this code, I want to use the associated service account rather than the snippet below.

credentials = service_account.Credentials.from_service_account_file(
    filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS'],
    scopes=['https://www.googleapis.com/auth/cloud-platform'])

Any suggestion will be appreciated.

Solution

When they are run, by default Cloud Functions use the App Engine default service account (PROJECT_ID@appspot.gserviceaccount.com), as indicated in the GCP documentation:

At runtime, Cloud Functions defaults to using the App Engine default service account (PROJECT_ID@appspot.gserviceaccount.com), which has the Editor role on the project. You can change the roles of this service account to limit or extend the permissions for your running functions. You can also change which service account is used by providing a non-default service account on a per-function basis.

Although, if necessary, you can provide a non-default service account on a per-function basis (due to the nature of the permissions you require, it would probably be convenient to follow this approach and create a specific service account instead of using the default App Engine one).

To use this service account, get rid of the credentials parameter when building your service:

service = googleapiclient.discovery.build('iam', 'v1')

To perform the required service account management operations, the service account configured to run the Cloud Function must be granted the roles/iam.serviceAccountAdmin IAM role. Please see the relevant documentation.
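As an added example (not part of the question or the answer), here is a small Cloud Function in the shape the answer describes: the IAM client is built without a credentials argument, so it runs as the function's own service account, and the listed keys are then checked for user-managed keys past a rotation age, which is the next thing a reviewer of such a function usually asks for. The names report_stale_keys, TARGET_SERVICE_ACCOUNT and MAX_KEY_AGE_DAYS are assumptions, and SAMPLE_KEYS is constructed sample data.

```python
import datetime
import os

def build_iam_service():
    # No credentials= argument: googleapiclient falls back to Application Default
    # Credentials, i.e. the service account the Cloud Function was deployed with.
    import googleapiclient.discovery  # imported here so the rest runs offline
    return googleapiclient.discovery.build("iam", "v1")

def list_keys(service_account_email, service=None):
    """Key resources of one service account ('keys' is absent when empty)."""
    service = service or build_iam_service()
    name = "projects/-/serviceAccounts/" + service_account_email
    resp = service.projects().serviceAccounts().keys().list(name=name).execute()
    return resp.get("keys", [])

def parse_rfc3339(value):  # fractional seconds, if any, are irrelevant at day granularity
    when = datetime.datetime.strptime(value.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S")
    return when.replace(tzinfo=datetime.timezone.utc)

def stale_user_keys(keys, max_age_days, now=None):
    """(name, age in days) of USER_MANAGED keys older than max_age_days."""
    # SYSTEM_MANAGED keys rotate automatically and are skipped; returned names
    # are exactly the value keys().delete(name=...) takes for the others.
    now = now or datetime.datetime.now(datetime.timezone.utc)
    stale = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue
        age = (now - parse_rfc3339(key["validAfterTime"])).days
        if age > max_age_days:
            stale.append((key["name"], age))
    return stale

# Constructed sample of a keys().list() response body, for offline testing.
SAMPLE_KEYS = [
    {"name": "projects/p/serviceAccounts/sa@p.iam.gserviceaccount.com/keys/1111",
     "keyType": "SYSTEM_MANAGED", "validAfterTime": "2019-01-01T00:00:00Z"},
    {"name": "projects/p/serviceAccounts/sa@p.iam.gserviceaccount.com/keys/2222",
     "keyType": "USER_MANAGED", "validAfterTime": "2020-01-01T00:00:00Z"},
    {"name": "projects/p/serviceAccounts/sa@p.iam.gserviceaccount.com/keys/3333",
     "keyType": "USER_MANAGED", "validAfterTime": "2020-03-15T00:00:00Z"},
]

def report_stale_keys(request):
    """HTTP Cloud Function entry point (hypothetical name); config via env vars."""
    email = os.environ["TARGET_SERVICE_ACCOUNT"]
    max_age = int(os.environ.get("MAX_KEY_AGE_DAYS", "90"))
    stale = stale_user_keys(list_keys(email), max_age)
    return "\n".join("%s: %d days old" % item for item in stale) or "no stale keys"
```

The runtime account still needs the role the answer names, and listing keys is read-only; wiring keys().delete(name=...) onto the returned names is a deliberate second step.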
