What is service account impersonation
As is well known, there are two ways to log in with gcloud:
- with a personal account, usually an email address
- with a service account, usually a JSON key file
Service account impersonation means that the operator logs in with a personal account, but every operation after login runs with the permissions of another service account.
Why impersonate a service account
- to let the operator use all the permissions of the service account
- to let the operator use the service account without holding its JSON key file
- so that the audit logs record the service account as the actor of every operation
Required permissions
Suppose my personal account is jason1.pan@maplequad.com
and the SA to impersonate is terraform@jason-hsbc.iam.gserviceaccount.com
Put simply, the personal account needs the roles/iam.serviceAccountTokenCreator role on the SA.
Check
gateman@MoreFine-S500: github$ gcloud iam service-accounts get-iam-policy terraform@jason-hsbc.iam.gserviceaccount.com --format=json
{"etag": "ACAB"
}
As you can see, it does not have that role yet.
There are two ways to get it:
- grant this role to the personal account on the SA
- give the personal account the GCP project Owner role
The first method is used here.
gateman@MoreFine-S500: github$ gcloud iam service-accounts add-iam-policy-binding terraform@jason-hsbc.iam.gserviceaccount.com --member="user:jason1.pan@maplequad.com" --role="roles/iam.serviceAccountTokenCreator" --project=jason-hsbc
Updated IAM policy for serviceAccount [terraform@jason-hsbc.iam.gserviceaccount.com].
bindings:
- members:
  - user:jason1.pan@maplequad.com
  role: roles/iam.serviceAccountTokenCreator
etag: BwY-I5F2wxU=
version: 1
gateman@MoreFine-S500: github$ gcloud iam service-accounts get-iam-policy terraform@jason-hsbc.iam.gserviceaccount.com --format=json
{
  "bindings": [
    {
      "members": [
        "user:jason1.pan@maplequad.com"
      ],
      "role": "roles/iam.serviceAccountTokenCreator"
    }
  ],
  "etag": "BwY-I5F2wxU=",
  "version": 1
}
How to impersonate the service account
First log in with the personal account:
gcloud auth login
gateman@MoreFine-S500: github$ gcloud config list
[core]
account = jason1.pan@maplequad.com
disable_usage_reporting = False
project = jason-hsbc
Your active configuration is: [default]
Then use gcloud config set auth/impersonate_service_account to enable impersonation:
gateman@MoreFine-S500: github$ gcloud config set auth/impersonate_service_account terraform@jason-hsbc.iam.gserviceaccount.com
Updated property [auth/impersonate_service_account].
gateman@MoreFine-S500: github$ gcloud config list
[auth]
impersonate_service_account = terraform@jason-hsbc.iam.gserviceaccount.com
[core]
account = jason1.pan@maplequad.com
disable_usage_reporting = False
project = jason-hsbc
Your active configuration is: [default]
Test
gateman@MoreFine-S500: github$ gcloud compute instances list
WARNING: This command is using service account impersonation. All API calls will be executed as [terraform@jason-hsbc.iam.gserviceaccount.com].
WARNING: This command is using service account impersonation. All API calls will be executed as [terraform@jason-hsbc.iam.gserviceaccount.com].
NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS
instance-windows europe-west1-c c3-standard-4 192.168.4.2 TERMINATED
gke-my-cluster1-my-node-pool1-5cad8c5c-7bv1 europe-west2-a n2d-highmem-4 192.168.3.30 RUNNING
gke-my-cluster1-my-node-pool1-5cad8c5c-zjgf europe-west2-a n2d-highmem-4 192.168.3.29 RUNNING
tf-vpc0-subnet0-gpu-vm0 europe-west2-a n1-highmem-8 true 192.168.0.56 TERMINATED
gke-my-cluster1-my-node-pool1-f7d2eb2b-jf2k europe-west2-b n2d-highmem-4 192.168.3.31 RUNNING
gke-my-cluster1-my-node-pool1-f7d2eb2b-zb06 europe-west2-b n2d-highmem-4 192.168.3.33 RUNNING
gke-my-cluster1-my-node-pool1-8902d932-dchn europe-west2-c n2d-highmem-4 192.168.3.34 RUNNING
gke-my-cluster1-my-node-pool1-8902d932-x0kk europe-west2-c n2d-highmem-4 192.168.3.32 RUNNING
instance-1 europe-west2-c e2-standard-2 192.168.0.2 TERMINATED
instance-2 europe-west2-c e2-standard-4 true 192.168.0.3 TERMINATED
instance-20241201-042218 europe-west2-c n2d-highmem-4 192.168.0.54 TERMINATED
instance-3-jenkins europe-west2-c n1-standard-4 192.168.0.6 TERMINATED
k8s-master europe-west2-c n2d-highmem-2 true 192.168.0.3 34.142.35.168 TERMINATED
k8s-node0 europe-west2-c n2d-highmem-4 true 192.168.0.6 TERMINATED
k8s-node1 europe-west2-c n2d-highmem-4 true 192.168.0.44 TERMINATED
k8s-node2 europe-west2-c n2d-highmem-4 true 192.168.0.43 TERMINATED
k8s-node3 europe-west2-c n2d-highmem-4 true 192.168.0.45 TERMINATED
tf-vpc0-subnet0-main-server europe-west2-c n2d-standard-4 true 192.168.0.35 34.39.2.90 RUNNING
tf-vpc0-subnet0-mysql0 europe-west2-c e2-standard-2 true 192.168.0.42 RUNNING
tf-vpc0-subnet0-vm0 europe-west2-c n2-highmem-4 true 192.168.0.51 RUNNING
tf-vpc0-subnet0-vm1 europe-west2-c e2-small true 192.168.0.7 TERMINATED
tf-vpc0-subnet0-vm2 europe-west2-c e2-small true 192.168.0.27 TERMINATED
tf-vpc0-subnet0-vm20 europe-west2-c e2-small true 192.168.0.33 TERMINATED
tf-vpc0-subnet0-vm21 europe-west2-c e2-small true 192.168.0.193 TERMINATED
tf-vpc0-subnet0-vm22 europe-west2-c n2-highmem-4 true 192.168.0.192 TERMINATED
tf-vpc0-subnet0-vm3 europe-west2-c e2-small true 192.168.0.29 TERMINATED
tf-vpc0-subnet0-vpc1-subnet0-vm0 europe-west2-c e2-small true 192.168.0.9,192.168.8.3 TERMINATED
tf-vpc0-subnet1-vm0 europe-west2-c e2-small true 192.168.1.2 TERMINATED
tf-vpc0-subnet1-vm1 europe-west2-c e2-small true 192.168.1.6 TERMINATED
tf-vpc1-subnet0-vm0 europe-west2-c e2-small true 192.168.8.2 TERMINATED
Aside: the difference between roles/iam.serviceAccountTokenCreator and roles/iam.serviceAccountUser
roles/iam.serviceAccountTokenCreator is used for service account impersonation,
while roles/iam.serviceAccountUser is used for attaching a service account to a resource.
For example, when account a wants to attach account b to a GCP resource (e.g. as the service account attached to a VM), a must hold the roles/iam.serviceAccountUser role on b.
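The "Check" step above and this aside both come down to reading the SA's IAM policy and looking for one of the two roles. The following added example (not from the original post) parses the two get-iam-policy outputs shown on the page, constructed here as inline strings, and answers the defender's questions: does this member hold Token Creator or Service Account User on the SA, and who can impersonate it at all. It only covers bindings set directly on the service account; a role inherited from the project (such as Owner, mentioned above) is not visible in this policy.

```python
import json

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"  # impersonation
SA_USER = "roles/iam.serviceAccountUser"                # attach SA to a resource

# Constructed samples: the two policies the page shows, as printed by
# `gcloud iam service-accounts get-iam-policy <SA> --format=json`.
POLICY_EMPTY = '{"etag": "ACAB"}'
POLICY_BOUND = (
    '{"bindings": [{"members": ["user:jason1.pan@maplequad.com"],'
    '"role": "roles/iam.serviceAccountTokenCreator"}],'
    '"etag": "BwY-I5F2wxU=","version": 1}'
)


def roles_for_member(policy_json, member):
    """Roles `member` holds directly on the service account.

    A freshly created SA has no "bindings" key at all (the page's first
    get-iam-policy output is just an etag), so a missing key means no roles.
    """
    policy = json.loads(policy_json)
    roles = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def can_impersonate(policy_json, member):
    """True when `member` may mint tokens for the SA (Token Creator)."""
    return TOKEN_CREATOR in roles_for_member(policy_json, member)


def can_attach(policy_json, member):
    """True when `member` may attach the SA to a resource (Service Account User)."""
    return SA_USER in roles_for_member(policy_json, member)


def impersonators(policy_json):
    """Audit view: every principal allowed to impersonate this SA.

    Inherited grants (e.g. roles/owner on the project) are not in this policy
    and must be audited separately at the project level.
    """
    policy = json.loads(policy_json)
    members = set()
    for binding in policy.get("bindings", []):
        if binding["role"] == TOKEN_CREATOR:
            members.update(binding.get("members", []))
    return sorted(members)
```

Cloud Audit Logs record the impersonated SA as the principal but also keep the original caller in the serviceAccountDelegationInfo field, so impersonation does not hide who actually ran a command.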