小贝子编程

Google Cloud Java SDK with Workload Identity?



试图弄清楚如何在GKE集群中使用存储API进行身份验证。

代码:

Storage storage = StorageOptions.newBuilder()
.setCredentials(ServiceAccountCredentials.getApplicationDefault())
.setProjectId(gcpProjectId)
.build().getService();

getApplicationDefault()被记录为使用这些手段与API进行身份验证:

  1. {@code GOOGLE_APPLICATION_Credentials}环境变量指向的凭据文件
  2. Google Cloud SDK提供的凭据{@code gcloud auth application default login}命令
  3. 谷歌应用程序引擎内置凭据
  4. Google Cloud Shell内置凭据
  5. Google计算引擎内置凭据

应用程序使用GCP工作负载标识功能,因此应用程序(集群中(服务帐户注释为:

serviceAccount.annotations.iam.gke.io/gcp-service-account: my-service-account@my-project.iam.gserviceaccount.com

现在,对存储帐户的调用失败,并出现以下错误:

{
"code" : 403,
"errors" : [ {
"domain" : "global",
"message" : "Primary: /namespaces/my-project.svc.id.goog with additional claims does not have storage.objects.create access to the Google Cloud Storage object.",
"reason" : "forbidden"
} ],
"message" : "Primary: /namespaces/my-project.svc.id.goog with additional claims does not have storage.objects.create access to the Google Cloud Storage object."
}

这让我认为工作负载标识工作不正常。我希望收到一条关于我的注释服务帐户的错误消息,而不是默认帐户。

还有什么我应该做的吗?

除了注释语法之外,部分原因是,就像我一样,您可能没有仔细查看文档中的这一部分:

gcloud iam service-accounts add-iam-policy-binding 
--role roles/iam.workloadIdentityUser 
--member "serviceAccount:PROJECT_ID.svc.id.goog[K8S_NAMESPACE/KSA_NAME]" 
GSA_NAME@PROJECT_ID.iam.gserviceaccount.com

请注意PROJECT_ID.svc.id.goog[K8S_NAMESPACE/KSA_NAME]片段。就语法而言,他们没有给出任何例子,但在我的地形中看起来是这样的。

resource "google_project_iam_member" "app-binding-2" {
role   = "roles/iam.workloadIdentityUser"
member = "serviceAccount:${local.ws_vars["project-id"]}.svc.id.goog[mynamespace/myk8ssaname]"
}

奇怪的是,我不知道你可以将IAM策略绑定到k8s服务帐户,更奇怪的是你可以在地形中绑定它,即使命名空间不存在,更不用说服务帐户了。因此,您可以在部署之前先运行此程序。

我真的希望谷歌能提供更好的文档和支持,这花了我几个小时才弄清楚。

注释错误。代替:

serviceAccount.annotations.iam.gke.io/gcp-service-account: my-service-account@my-project.iam.gserviceaccount.com

它必须是

iam.gke.io/gcp-service-account: my-service-account@my-project.iam.gserviceaccount.com

现在,错误消息还显示应用程序正在使用工作负载标识:

java.io.IOException: Unexpected Error code 403 trying to get security access token from Compute Engine metadata for the default service account: Unable to generate access token; IAM returned 403 Forbidden: The caller does not have permission
This error could be caused by a missing IAM policy binding on the target IAM service account.
For more information, refer to the Workload Identity documentation:
https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#creating_a_relationship_between_ksas_and_gsas

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium