Workload Identity Federation with @google-cloud



Does anyone know if there is any other way to authenticate/authorize access to Google Cloud Storage besides a service account key when I use the @google-cloud/storage Node.js module from here? I have read about "Workload Identity Federation", but it seems to me that I cannot use this approach when I use the @google-cloud/storage library. I did not find any suitable constructor, only these two:

    const {Storage} = require('@google-cloud/storage');
    var storage = new Storage({
        projectId   : `my_google_project_id`,
        keyFilename : `my_google_key_file.json`   // service account key is inside of this file
    });
    // or this one:
    var storage = new Storage();    // service account key is inside of file specified by environment variable GOOGLE_APPLICATION_CREDENTIALS

Any suggestions? Thank you.

Most Google clients support the new secret key file of type external_account. The following shows how to create this file and set up Application Default Credentials (ADC) to load it.

To use Workload Identity Federation with the Google client libraries, save the federated credential to a file and then specify that file via the environment variable GOOGLE_APPLICATION_CREDENTIALS. The Storage client will use ADC and locate the credentials from the environment.

Example (AWS):

    # Generate an AWS configuration file.
    gcloud iam workload-identity-pools create-cred-config \
        projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$AWS_PROVIDER_ID \
        --service-account $SERVICE_ACCOUNT_EMAIL \
        --aws \
        --output-file /path/to/generated/config.json

Example (Azure):

    # Generate an Azure configuration file.
    gcloud iam workload-identity-pools create-cred-config \
        projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$AZURE_PROVIDER_ID \
        --service-account $SERVICE_ACCOUNT_EMAIL \
        --azure \
        --output-file /path/to/generated/config.json

Note: I generated my credentials on an Azure VM. I added the following command-line option to the command above:

    --app-id-uri=https://iam.googleapis.com/projects/REDACTED/locations/global/workloadIdentityPools/pool-azure/providers/provider-id

The output file is used to set up the environment:

    set GOOGLE_APPLICATION_CREDENTIALS=/path/to/generated/config.json

The file has the following structure. This example is for Azure:

    {
      "type": "external_account",
      "audience": "//iam.googleapis.com/projects/REDACTED/locations/global/workloadIdentityPools/pool-azure/providers/provider-id",
      "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
      "token_url": "https://sts.googleapis.com/v1/token",
      "credential_source": {
        "url": "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://iam.googleapis.com/projects/REDACTED/locations/global/workloadIdentityPools/pool-azure/providers/provider-id",
        "headers": {
          "Metadata": "True"
        },
        "format": {
          "type": "json",
          "subject_token_field_name": "access_token"
        }
      },
      "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/REDACTED@REDACTED.iam.gserviceaccount.com:generateAccessToken"
    }

Create the client in this style:

    var storage = new Storage();
