Go GCP Impersonate two service accounts at the same time

Question


I have two different GCP projects and am trying to clone a persistent disk from one project to the other. I have a service account in each project, and I need to create an impersonation token that will allow me to read the persistent disk from one project, and create a new persistent disk resource in the other project.

  • Project A -> Service Account A
  • Project B -> Service Account B

The problem is that impersonating one or the other service accounts to create the persistent disk does not work because a single API call needs to read the disk from Project A and create a new disk in Project B. In other words, I need to make an API call using a single impersonated token that has permissions to both. How can I do this with the Go API client?

Here is my impersonation code as it stands today

package main
import (
   "context"
   "fmt"
   "golang.org/x/oauth2"
   "google.golang.org/api/impersonate"
   "google.golang.org/api/option"
)

// Impersonate exchanges the caller's service-account key (credentials, JSON) for a short-lived token minted for a single target principal.
func Impersonate(ctx context.Context, principal string, credentials []byte) (*oauth2.Token, error) {
   source, err := impersonate.CredentialsTokenSource(ctx, impersonate.CredentialsConfig{
      TargetPrincipal: principal,
      Scopes:          []string{"https://www.googleapis.com/auth/compute", "https://www.googleapis.com/auth/cloud-platform"},
   }, option.WithCredentialsJSON(credentials))
   if err != nil {
      return nil, fmt.Errorf("creating impersonated token source: %w", err)
   }
   return source.Token()
}

Answer 1

Score: 1

You can only impersonate one identity at a time. The correct method is to use a service account that has permissions in both projects.
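Added example, not from the question, the answer or the Go client library the question uses: the two REST calls that the single-identity approach reduces to, built with the standard library only so the requests can be inspected offline. generateAccessToken takes exactly one target principal, and the disks.insert call names the source disk in project A while creating the copy in project B, so the one token it carries must belong to an identity with rights in both projects. The project, zone, disk and token values used in the test are constructed.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
)

// ImpersonationRequest builds the IAM Credentials generateAccessToken call that
// mints a short-lived token for exactly ONE target service account; the API has
// no notion of a token spanning two principals. callerToken belongs to the
// identity holding roles/iam.serviceAccountTokenCreator on target. base is
// "https://iamcredentials.googleapis.com" in production (a parameter here so the
// request can be inspected without network access).
func ImpersonationRequest(ctx context.Context, base, callerToken, target string, scopes []string, lifetimeSec int) (*http.Request, error) {
	body, err := json.Marshal(map[string]interface{}{"scope": scopes, "lifetime": fmt.Sprintf("%ds", lifetimeSec)})
	if err != nil {
		return nil, err
	}
	url := fmt.Sprintf("%s/v1/projects/-/serviceAccounts/%s:generateAccessToken", base, target)
	return jsonRequest(ctx, url, callerToken, body)
}

// CloneDiskRequest builds the single compute disks.insert call that reads a disk
// in srcProject and creates the copy in dstProject. One request touches both
// projects, so the token's principal must hold rights in both (read on the
// source disk, compute.disks.create in the destination): one service account
// with roles in both projects, not one impersonation per project.
func CloneDiskRequest(ctx context.Context, base, token, srcProject, dstProject, zone, srcDisk, newName string) (*http.Request, error) {
	body, err := json.Marshal(map[string]string{
		"name":       newName,
		"sourceDisk": fmt.Sprintf("projects/%s/zones/%s/disks/%s", srcProject, zone, srcDisk),
	})
	if err != nil {
		return nil, err
	}
	url := fmt.Sprintf("%s/compute/v1/projects/%s/zones/%s/disks", base, dstProject, zone)
	return jsonRequest(ctx, url, token, body)
}

func jsonRequest(ctx context.Context, url, token string, body []byte) (*http.Request, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Content-Type", "application/json")
	return req, nil
}
```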

huangapple
  • Posted on June 21, 2022 23:00:24
  • Please keep this link when reposting: https://go.coder-hub.com/72703060.html