Authenticating gcloud sdk with workload identity federation

Question


I am trying to authenticate a service account with the gcloud auth login command using workload identity federation, based on what's mentioned in this official tutorial. Even though the tutorial says both service account keys and workload identity federation work for my use case, WIF is the preferred route forward, using a credential configuration file. But I am quite confused trying to generate the file for my use case, as doing so requires me to create a workload identity provider, which are categorized as one of the following types: AZURE, AWS, OIDC, SAML. I just want to use WIF to authenticate the gcloud SDK from my terminal, so I am not sure which category I should use.

Is this a possible use case, or should I resort to using service account keys?


Answer 1

Score: 0


Workload Identity Federation (WIF) is used in multi-cloud and hybrid cloud environments where one needs access to one cloud platform from another cloud platform or from a data center, as the services are catered across multiple platforms and need coordination for running your application.

There are multiple ways to connect other cloud providers with GCP: you can use WIF for connecting with Amazon Web Services (AWS), and you could use OpenID Connect (OIDC) or SAML 2.0 to connect with any other cloud provider, such as Microsoft Azure. Refer to the source for more information. (Source: GCP docs)

Since you are trying to connect to the gcloud SDK from your terminal, you can simply use your credential file or the gcloud auth or gcloud init commands for setting up the gcloud Cloud SDK and have the necessary roles and permissions enabled for the service or user account which you are using for authentication. This is the simplest way to access your GCP environment. JFYI, in the Authorize the gcloud CLI documentation (the doc which you were referring to) they are using the credential file, which is different from WIF, so if you want to authenticate without using an SA (service account) you can simply follow credential-file-based authentication.
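The confusion in the question and the distinction the answer draws ("the credential file which is different from WIF") come down to what is inside the JSON file handed to `gcloud auth login --cred-file`. A WIF credential configuration (`"type": "external_account"`, the file that `gcloud iam workload-identity-pools create-cred-config` writes) contains no secret at all: it only names the pool/provider audience and a `credential_source` from which an external token (AWS metadata, an OIDC token file, a URL, an executable) is fetched at run time, which is why a provider type has to be chosen. A service account key (`"type": "service_account"`) carries the long-lived private key itself. The script below, added here as an example and not part of the original post or of Google's tooling, classifies a credential file by these documented fields and flags the ones that embed a long-lived secret; the two sample files at the bottom are constructed for this example, with placeholder project and key values.

```python
"""Classify a Google Cloud credential JSON file and flag long-lived secrets.

Added example (not from the original post). The field names are the
documented ones for the file types gcloud accepts with --cred-file:
  - "external_account": a WIF credential configuration (no secret inside)
  - "service_account":  a service account key (contains a private key)
  - "authorized_user":  a user refresh token written by `gcloud auth login`
"""
import json
import re

# Documented audience shape for a workload identity pool provider.
WIF_AUDIENCE_RE = re.compile(
    r"^//iam\.googleapis\.com/projects/(\d+)/locations/global/"
    r"workloadIdentityPools/([a-z0-9-]+)/providers/([a-z0-9-]+)$"
)
GOOGLE_STS_URL = "https://sts.googleapis.com/v1/token"


def classify_credential(text: str) -> dict:
    """Return the credential type, whether the file itself is a secret that
    needs key-rotation hygiene, and any structural problems found."""
    data = json.loads(text)
    kind = data.get("type")
    report = {"type": kind, "contains_secret": False, "issues": []}

    if kind == "external_account":
        # WIF: the file only says where to exchange an external token; the
        # token is obtained at run time from credential_source.
        m = WIF_AUDIENCE_RE.match(data.get("audience", ""))
        if m:
            report["project_number"], report["pool"], report["provider"] = m.groups()
        else:
            report["issues"].append("audience is not a workload identity pool provider")
        source = data.get("credential_source", {})
        if not source:
            report["issues"].append("missing credential_source")
        elif "environment_id" in source:      # e.g. "aws1" for the AWS provider type
            report["source"] = source["environment_id"]
        elif "file" in source:                # OIDC token read from a file
            report["source"] = "file"
        elif "url" in source:                 # OIDC token fetched from a URL
            report["source"] = "url"
        elif "executable" in source:          # token produced by a local program
            report["source"] = "executable"
        else:
            report["issues"].append("unrecognised credential_source")
        if data.get("token_url") != GOOGLE_STS_URL:
            report["issues"].append("token_url is not the Google STS endpoint")
    elif kind == "service_account":
        # A key file is itself the secret: whoever reads it can act as the SA.
        report["contains_secret"] = "private_key" in data
        if report["contains_secret"]:
            report["issues"].append("long-lived private key embedded in file")
    elif kind == "authorized_user":
        report["contains_secret"] = "refresh_token" in data
    else:
        report["issues"].append(f"unknown credential type: {kind!r}")
    return report


# Constructed sample: a WIF credential configuration for an OIDC provider
# whose token is read from a file (project number and IDs are placeholders).
WIF_SAMPLE = json.dumps({
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/123456789012/locations/global/"
                "workloadIdentityPools/my-pool/providers/my-oidc-provider",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/"
        "projects/-/serviceAccounts/deploy@example-project.iam.gserviceaccount.com"
        ":generateAccessToken",
    "token_url": GOOGLE_STS_URL,
    "credential_source": {"file": "/var/run/secrets/oidc/token"},
})

# Constructed sample: a service account key with a placeholder private key.
SA_KEY_SAMPLE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "deploy@example-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    for name, sample in (("wif", WIF_SAMPLE), ("sa-key", SA_KEY_SAMPLE)):
        print(name, classify_credential(sample))
```

Run against a real file with `python check_cred.py` after pointing the loop at `open(path).read()`; a report with `contains_secret: True` is the case where the file must be protected and rotated like a password, while an `external_account` report with an empty `issues` list describes a file that is safe to commit to a deployment config because its trust is anchored in the pool's provider, not in the file.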

huangapple
  • Posted by huangapple on 2023-02-06 09:23:54
  • Please keep this link when reposting: https://go.coder-hub.com/75356621.html