Cloud Scheduler与错误的服务帐号进行身份验证。

huangapple go评论98阅读模式
英文:

Cloud Scheduler authenticates with wrong service account

问题

我在云运行上部署了一个应用程序,并创建了一个云调度作业,该作业调用该应用程序上的一个端点。

我创建了一个服务帐号,并将其用于云任务令牌。下面是云调度任务配置的屏幕截图(我确保多次选择了正确的服务帐号)。

Cloud Scheduler与错误的服务帐号进行身份验证。

我在我的应用程序上有一个中间件,用于防止未经授权访问端点(简化版本):

import (
	"fmt"
	"github.com/gin-gonic/gin"
	"google.golang.org/api/oauth2/v2"
	"net/http"
	"strings"
)

func ForceCloudScheduler(c *gin.Context) {
	if c.Request.UserAgent() != "Google-Cloud-Scheduler" {
		c.AbortWithStatus(http.StatusForbidden)
		return
	}

	// https://stackoverflow.com/questions/53181297/verify-http-request-from-google-cloud-scheduler
	token := c.GetHeader("Authorization")
	if token == "" {
		c.AbortWithStatus(http.StatusForbidden)
		return
	}
	idToken := strings.Split(token, "Bearer ")[0]

	authenticator, err := oauth2.NewService(c)
	if err != nil {
		_ = c.AbortWithError(http.StatusInternalServerError, fmt.Errorf("failed to acquire authenticator: %w", err))
		return
	}
	info, err := authenticator.Tokeninfo().IdToken(idToken).Do()
	if err != nil {
		_ = c.AbortWithError(http.StatusInternalServerError, fmt.Errorf("failed to retrieve token information: %w", err))
		return
	}

	// This is the line where the job fails.
	if info.Email != "agora-job-scheduler-account@agoradesecrivains.iam.gserviceaccount.com" {
		c.AbortWithStatus(http.StatusForbidden)
		return
	}

	c.Next()
}

当我运行作业时,请求失败并返回 403 错误。我添加了一些日志来检查云调度发送的令牌内容。以下是日志资源管理器的输出:

{
	"audience": "107655128939031897672"
	"email": "970356934135-compute@developer.gserviceaccount.com"
	"expires_in": 1644
	"issued_to": "107655128939031897672"
	"scope": "openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email"
	"user_id": "107655128939031897672"
	"verified_email": true
}

由于某种原因(可能是一个错误?),令牌有效载荷中的电子邮件与我在云调度中设置的电子邮件不匹配。这是预期的吗?我可以修复这个问题吗?

英文:

I have an application deployed on cloud run, and I created a cloud scheduler job that calls an endpoint on this application.

I created a service account and use it for the cloud task token. Below is a screenshot of the cloud scheduler task configuration (I ensured multiple time the right service account is selected).

Cloud Scheduler与错误的服务帐号进行身份验证。

I have a middleware on my application to prevent unauthorized access to the endpoint (simplified version):

import (
	"fmt"
	"github.com/gin-gonic/gin"
	"google.golang.org/api/oauth2/v2"
	"net/http"
	"strings"
)

func ForceCloudScheduler(c *gin.Context) {
	if c.Request.UserAgent() != "Google-Cloud-Scheduler" {
		c.AbortWithStatus(http.StatusForbidden)
		return
	}

	// https://stackoverflow.com/questions/53181297/verify-http-request-from-google-cloud-scheduler
	token := c.GetHeader("Authorization")
	if token == "" {
		c.AbortWithStatus(http.StatusForbidden)
		return
	}
	idToken := strings.Split(token, "Bearer ")[0]

	authenticator, err := oauth2.NewService(c)
	if err != nil {
		_ = c.AbortWithError(http.StatusInternalServerError, fmt.Errorf("failed to acquire authenticator: %w", err))
		return
	}
	info, err := authenticator.Tokeninfo().IdToken(idToken).Do()
	if err != nil {
		_ = c.AbortWithError(http.StatusInternalServerError, fmt.Errorf("failed to retrieve token information: %w", err))
		return
	}

	// This is the line where the job fails.
	if info.Email != "agora-job-scheduler-account@agoradesecrivains.iam.gserviceaccount.com" {
		c.AbortWithStatus(http.StatusForbidden)
		return
	}

	c.Next()
}

When I run the job, the request fails with a 403. I have added some logs to check the content of the token sent by cloud scheduler. Here is the logs explorer output:

{
	"audience": "107655128939031897672"
	"email": "970356934135-compute@developer.gserviceaccount.com"
	"expires_in": 1644
	"issued_to": "107655128939031897672"
	"scope": "openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email"
	"user_id": "107655128939031897672"
	"verified_email": true
}

For some reason (maybe a bug?), the email in the token payload does not match the one I set in cloud scheduler. Is this expected and can I fix that ?

答案1

得分: 1

文档中提到:

> 不要从项目中删除默认的 Cloud Scheduler 服务帐号,或者其 Cloud Scheduler Service Agent (roles/cloudscheduler.serviceAgent) 角色。这样做会导致需要身份验证的端点返回 403 错误,即使您的作业的服务帐号具有适当的角色。

您可以参考这个解决 Cloud Run 问题文档,其中列出了导致 403 错误的不同原因和相应的解决步骤。

如需更多信息,您可以参考这些 Stack Overflow 的链接1链接2,这可能会对您有所帮助。

英文:

The documentation says that,
>Do not remove the default Cloud Scheduler service account from your project, or its Cloud Scheduler Service Agent (roles/cloudscheduler.serviceAgent) role. Doing so results in 403 responses to endpoints requiring authentication, even if your job's service account has the appropriate role.

You can refer to this Troubleshoot Cloud Run issues document where it states different reasons for causing the 403 error and respective resolution steps.

For more information, you can refer to these Stack Overflow Link1 and Link2 which may help you.

huangapple
  • 本文由 发表于 2022年11月29日 17:42:19
  • 转载请务必保留本文链接:https://go.coder-hub.com/74611944.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定