如何使用实例服务帐户为

时间:2019-12-18 14:26:54

标签: google-cloud-platform elixir google-cloud-storage

我正在使用signed-urls来使我的客户临时访问Google云存储对象
我有一个看起来像这样的服务帐户json:

{
  "type": "service_account",
  "project_id": "my-project",
  "private_key_id": "abcdef1234567890",
  "private_key": "-----BEGIN PRIVATE KEY-----\n<key...>\n-----END PRIVATE KEY-----\n",
  "client_email": "my-app@my-project.iam.gserviceaccount.com",
  "client_id": "1234567890",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/my-app%my-project.iam.gserviceaccount.com"
}

这是我如何创建用elixir编写的签名url-代码(来自gcs_signer lib的代码)

 def sign_url(private_key, client_email, bucket, object) do
    verb = "GET"
    md5_digest = ""
    content_type = ""
    expires = DateTime.utc_now() |> DateTime.to_unix() |> Kernel.+(1 * 3600)
    resource = "/#{bucket}/#{object}"

    signature = [verb, md5_digest, content_type, expires, resource]
                |> Enum.join("\n") |> generate_signature(private_key)

    url = "https://storage.googleapis.com#{resource}"
    qs = %{
           "GoogleAccessId" => client_email,
           "Expires" => expires,
           "Signature" => signature
         } |> URI.encode_query

    Enum.join([url, "?", qs])
  end

  defp generate_signature(string, private_key) do
    private_key = process_key(private_key)

    string
    |> :public_key.sign(:sha256, private_key)
    |> Base.encode64
  end

  defp process_key(private_key) do
    private_key
    |> :public_key.pem_decode
    |> (fn [x] -> x end).()
    |> :public_key.pem_entry_decode
    |> normalize_private_key
  end

  defp normalize_private_key(private_key) do
    # grab privateKey from the record tuple
    private_key
    |> elem(3)
    |> (fn pk -> :public_key.der_decode(:RSAPrivateKey, pk) end).()
  end

在这是我使用json文件中的private_key创建一个签名的URL

出于安全原因,我们移至service-accounts-for-instances,而不是使用json凭据

我的问题是当我没有JSON凭证时如何使用service-accounts-for-instances创建签名的URL?
我唯一拥有的是servie_account_email,它看起来像这样:my-app-gsa@my-project.iam.gserviceaccount.com
我应该使用signBlob API吗?如果可以,我的卷曲请求会如何?

2 个答案:

答案 0 :(得分:1)

我试图重现您的用例:

  1. 创建两个服务帐户:

    gcloud iam service-accounts create signblob --description signblob
gcloud iam service-accounts create signforme --description signforme
# signblob will sign for signforme

  2. 设置roles/iam.serviceAccountTokenCreator服务帐户的IAM角色(signblob):

    gcloud projects add-iam-policy-binding myproject --member signblob@myproject.iam.gserviceaccount.com --role roles/iam.serviceAccountTokenCreator

  3. 使用signblob服务将VM创建为服务帐户:

    gcloud compute instances create instance-10 --zone=us-central1-a --service-account=signblob@myproject.iam.gserviceaccount.com

  4. SSH到刚刚创建的实例:

    gcloud compute ssh instance-10 --zone=us-central1-a

  5. 在实例上创建文件:

    nano file
cat file
# This is a file

  6. 使用gcloud标志为signforme服务帐户使用--log-http工具对文件(blob)签名:

    gcloud iam service-accounts sign-blob --iam-account signblob-source@myproject.iam.gserviceaccount.com file output --log-http

  7. 输出:

     signed blob [file] as [output] for [signforme@myproject.iam.gserviceaccount.com]

这是我在之前创建的VM instance-10上运行的curl命令:

      curl --request POST 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/signblob-source%40myproject.iam.gserviceaccount.com:signBlob?prettyPrint=true&key=[API KEY]' --header 'Authorization: Bearer [ACCESS TOKEN]'  --header 'Accept: application/json'  --header 'Content-Type: application/json' --data '{"payload":"VGhpcyBpcyBhIGZpbGUgCg=="}'   --compressed

访问令牌为gcloud auth application-default print-access-token的地方

输出:

   {"keyId": ,"signedBlob":}

答案 1 :(得分:1)

这是我在elixir中的代码以以下格式返回加密的链接: https://storage.googleapis.com/my-bucket/my-file?Expires=1576437298&GoogleAccessId=my-gsa%40project.iam.gserviceaccount.com&Signature=FUgBzvfFCa0YAL
关注signBlob

的google api 
@base_url @https://storage.googleapis.com

def generate_encrypted_url() do
    gcp_service_account = "my-gsa@project.iam.gserviceaccount.com"
    bucket = "my-bucket", 
    object ="my-file"
    get_signed_url(gcp_service_account, bucket, object)
end



  def get_signed_url(gcp_service_account, bucket, object) do
    %Tesla.Client{pre: [{Tesla.Middleware.Headers, :call, [auth_headers]}]} = get_connection()
    headers = [{"Content-Type", "application/json"}] ++ auth_headers
    url = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/#{gcp_service_account}:signBlob"
    expires = DateTime.utc_now() |> DateTime.to_unix() |> Kernel.+(1 * 3600)
    resource = "/#{bucket}/#{object}"
    signature = ["GET", "", "", expires, resource] |> Enum.join("\n") |> Base.encode64()
    body = %{"payload" => signature} |> Poison.encode!()
    {:ok, %{status_code: 200, body: result}} = HTTPoison.post(url, body, headers)

    %{"signedBlob" => signed_blob} = Poison.decode!(result)
    qs = %{
           "GoogleAccessId" => gcp_service_account,
           "Expires" => expires,
           "Signature" => signed_blob
         } |> URI.encode_query
    Enum.join(["#{@base_url}#{resource}", "?", qs])
  end

  def get_connection() do
    {:ok, token} = Goth.Token.for_scope("https://www.googleapis.com/auth/cloud-platform")
    GoogleApi.Storage.V1.Connection.new(token.token)
  end
相关问题
最新问题