如何以编程方式检查Google Cloud服务帐号是否具有特定权限?

huangapple go评论85阅读模式
英文:

How do I check that a Google Cloud service account has a particular permission programmatically?

问题

我正在与用户提供的 GCS 存储桶进行集成。用户会给我一个服务帐号,我想要验证该服务帐号是否已启用对该存储桶的对象写入权限。我无法找到关于如何进行此操作的文档。我原以为在 GCS 客户端库中应该有一种简单的方法来检查这一点,但似乎并不像 myBucket.CanWrite() 那么简单。正确的方法是什么?我是否需要涉及到存储桶,还是说只需给定一个服务帐号的 JSON 文件,就可以检查其中是否存在 storage.objects.create 权限?

英文:

I'm making an integration with a user-supplied GCS bucket. The user will give me a service account, and I want to verify that service account has object write permissions enabled to the bucket. I am failing to find documentation on a good way to do this. I expected there to be an easy way to check this in the GCS client library, but it doesn't seem as simple as myBucket.CanWrite(). What's the right way to do this? Do I need to have the bucket involved, or is there a way, given a service account json file, to just check that storage.objects.create exists on it?

答案1

得分: 1

IAM权限可以在组织、文件夹、项目和资源(例如GCS存储桶)级别上授予。您需要小心确保正确检查。

对于显式授予存储桶的权限:

  1. 使用APIs Explorer查找Cloud Storage服务。
  2. 使用Cloud Storage API参考查找方法。
  3. 使用BucketAccessControls:get检索成员(例如服务账号)的权限(如果有)。

APIs Explorer有时会提供代码示例,但只要知道方法,您就可以找到Go SDK。

文档中包含了使用List方法的ACLs的摘要,但我认为您可能想使用Get(或等效方法)。

注意:我没有做过这个。

在Go库中,似乎没有与底层API的Get方法直接对应的方法。

Client中,您可以使用带有存储桶名称的Bucket方法获取BucketHandle,然后使用ACL方法检索存储桶的ACL(其中应包括服务账号的电子邮件地址和角色,如果有的话)。

或者,您可以使用IAM方法获取存储桶的IAM库的Handle,然后使用Policy方法获取资源的IAM Policy,其中将包括服务账号的电子邮件地址和IAM角色(如果有的话)。

英文:

IAM permissions can be granted at org, folder, project and resource (e.g. GCS Bucket) level. You will need to be careful that you check correctly.

For permissions granted explicitly to the bucket:

  1. Use APIs Explorer to find Cloud Storage service
  2. Use Cloud Storage API reference to find the method
  3. Use BucketAccessControls:get to retrieve a member's (e.g. a Service Account's) permission (if any).

APIs Explorer used (sometimes) has code examples but, knowing the method, you can find the Go SDK.

The documentation includes a summary for ACLs using the List method, but I think you'll want to use Get (or equivalent).

> NOTE I've not done this.

There doesn't appear to be a specific match to the underlying API's Get in the Go library.

From a Client, you can use Bucket method with a Bucket name to get a BucketHandle and then use the ACL method to retrieve the bucket's ACL (which should include the Service Account's email address and role, if any).

Or you can use the IAM method to get the bucket's IAM library's (!) Handle and then use the Policy method to get the resource's IAM Policy which will include the Service Account's email address and IAM role (if any).

答案2

得分: 1

由于DazWilkin的回答,您可以在不同级别上检查权限,但很难清楚地知道一个帐户是否具有权限。

为此,Google Cloud发布了一个名为IAM故障排除器的服务。它是Policy Intelligence套件的一部分,可以帮助您理解、分析和排除IAM权限问题。

您可以在文档中找到调用API的方法。

英文:

Because of DazWilkin answer, you can check the permission at different level and it can be difficult to clearly know if an account as a permission.

For that, Google Cloud released a service: IAM troubleshooter. It's part of Policy Intelligence suite that help your to understand, analyse and troubleshoot the IAM permissions.

You have the API to call in the documentation.

huangapple
  • 本文由 发表于 2022年5月27日 23:20:08
  • 转载请务必保留本文链接:https://go.coder-hub.com/72407618.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定