如何在Cloud Run容器中配置服务帐户密钥? [英] How do I configure the Service Account keys in a Cloud Run container?

问题描述

我在Go中创建了一个使用Secrets Manager的后端，并将其部署到Cloud Run.问题是Secret Manager api需要服务帐户凭据json文件指向并且可以在我的本地计算机上使用，因为我只是在 GOOGLE_APPLICATION_CREDENTIALS 环境变量中指定文件路径，但是在Cloud Run环境中却没有同样的方便.可以这么说，我在Cloud Run上的后端如何指定其 GOOGLE_APPLICATION_CREDENTIALS 环境变量?

I created a backend in Go, which uses the Secrets Manager, and deployed it to Cloud Run. The problem is the Secret Manager api needs a Service Account credential json file to point to and that works on my local machine because I just specify the file path in a GOOGLE_APPLICATION_CREDENTIALS environment variable, but I don't have the same convenience in a Cloud Run environment. How will my backend on Cloud Run specify its GOOGLE_APPLICATION_CREDENTIALS environment variable so to speak?

推荐答案

根据官方文档

77462542rel-low-ol-n = lowerSet = 925n = 925_nol_low-n = 297用于服务器到服务器生产应用程序

如果未设置环境变量，则ADC使用默认服务Compute Engine，Google Kubernetes Engine， Cloud Run ，App的帐户引擎和云功能为运行在以下应用程序的应用程序提供这些服务.

If the environment variable isn't set, ADC uses the default service account that Compute Engine, Google Kubernetes Engine, Cloud Run, App Engine, and Cloud Functions provide, for applications that run on those services.

因此，要从Cloud Run访问Secret Manager，应用程序默认凭据(ADC)将使用Cloud Run的默认服务帐户.

Therefore to access the Secret Manager from Cloud Run, Application Default Credentials (ADC) will use the default service account of Cloud Run.

默认情况下，云运行使用计算引擎服务帐户 PROJECT_NUMBER-compute@developer.gserviceaccount.com ，该角色具有 EDITOR 角色.您有2种选择，要么使用默认服务帐户，要么使用非默认运行云部署您创建的具有 Secret Manager Admin 角色的服务帐户.

By default cloud run uses compure engine service account PROJECT_NUMBER-compute@developer.gserviceaccount.com which has the EDITOR role. You have 2 choices, either use default service account or deploy cloud run with a non default service account that you created with the Secret Manager Admin role.

这篇关于如何在Cloud Run容器中配置服务帐户密钥?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！