
When I use the @google-cloud/storage Node.js module, is there any way to authenticate/authorize access to Google Cloud Storage other than a service account key? I have read about "Workload Identity Federation", but it seems to me that I cannot use this approach when working with the @google-cloud/storage library. I cannot find any suitable constructor, only these two:

const {Storage} = require('@google-cloud/storage');
var storage = new Storage({
  projectId   : `my_google_project_id`,
  keyFilename : `my_google_key_file.json`   // service account key is inside of this file
});
// or this one:
var storage = new Storage();    // service account key is inside of file specified by environment variable GOOGLE_APPLICATION_CREDENTIALS

Any suggestions? Thanks

1 Answer

Most Google clients support a new key file of type external_account. The following shows how to create this file and set up Application Default Credentials (ADC) to load it.

To use Workload Identity Federation with the Google client libraries, save the federated credentials to a file and point the environment variable GOOGLE_APPLICATION_CREDENTIALS at that file. The Storage client will use ADC and find the credentials from the environment.

Example for AWS:

# Generate an AWS configuration file.
gcloud iam workload-identity-pools create-cred-config \
    projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$AWS_PROVIDER_ID \
    --service-account $SERVICE_ACCOUNT_EMAIL \
    --aws \
    --output-file /path/to/generated/config.json

Example for Azure:

# Generate an Azure configuration file.
gcloud iam workload-identity-pools create-cred-config \
    projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$AZURE_PROVIDER_ID \
    --service-account $SERVICE_ACCOUNT_EMAIL \
    --azure \
    --output-file /path/to/generated/config.json

Note: I generated my credentials on an Azure VM. I added the following command-line option to the command above:

--app-id-uri=https://iam.googleapis.com/projects/REDACTED/locations/global/workloadIdentityPools/pool-azure/providers/provider-id

The output file value is used to set the environment:

set GOOGLE_APPLICATION_CREDENTIALS=/path/to/generated/config.json

The file has the following structure. This example is for Azure:

{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/REDACTED/locations/global/workloadIdentityPools/pool-azure/providers/provider-id",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "url": "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://iam.googleapis.com/projects/REDACTED/locations/global/workloadIdentityPools/pool-azure/providers/provider-id",
    "headers": {
      "Metadata": "True"
    },
    "format": {
      "type": "json",
      "subject_token_field_name": "access_token"
    }
  },
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/REDACTED@REDACTED.iam.gserviceaccount.com:generateAccessToken"
}

Create the client in this style:

var storage = new Storage();
answered 2021-08-24T04:51:43.790
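
The answer shows the external_account file that ADC loads, but not how to check it before trusting it. The following is an added example, not code from the question, the answer or the Google libraries: a small Node.js validator for such a config (the hosts in EXPECTED and the SAMPLE_AZURE_CONFIG object, built from the answer's file, are assumptions/constructed input) that confirms the file only names the STS, IAM Credentials and link-local metadata endpoints and that the metadata resource matches the audience.

```javascript
// Added example (not code from the question or answer): sanity-check an external_account
// config before pointing GOOGLE_APPLICATION_CREDENTIALS at it. At runtime the client library
// fetches credential_source.url, then calls token_url and service_account_impersonation_url.
const EXPECTED = {
  tokenHost: 'sts.googleapis.com',
  impersonationHost: 'iamcredentials.googleapis.com',
  metadataHost: '169.254.169.254', // link-local instance metadata service (Azure, AWS, GCE)
};
// Returns a list of problems; an empty list means the config looks sane.
function validateExternalAccountConfig(cfg) {
  const problems = [];
  const parse = (value, label) => {
    try { return new URL(value); } catch { problems.push(`${label} is not a valid URL`); return null; }
  };
  const mustBeGoogleHttps = (label, host) => {
    const u = parse(cfg[label], label);
    if (u && (u.protocol !== 'https:' || u.hostname !== host)) problems.push(`${label} must be https://${host}/...`);
  };
  if (cfg.type !== 'external_account') problems.push(`type is "${cfg.type}", expected "external_account"`);
  if (typeof cfg.audience !== 'string' || !cfg.audience.startsWith('//iam.googleapis.com/projects/')) {
    problems.push('audience must name an //iam.googleapis.com/projects/... provider');
  }
  mustBeGoogleHttps('token_url', EXPECTED.tokenHost);
  if (cfg.service_account_impersonation_url) mustBeGoogleHttps('service_account_impersonation_url', EXPECTED.impersonationHost);
  const src = cfg.credential_source || {};
  if (src.url) {
    const u = parse(src.url, 'credential_source.url');
    if (u && u.hostname !== EXPECTED.metadataHost) problems.push(`credential_source.url host "${u.hostname}" is not the instance metadata endpoint`);
    // For Azure the metadata 'resource' parameter must be the same provider as 'audience'.
    const resource = u && u.searchParams.get('resource');
    if (resource && resource !== `https:${cfg.audience}`) problems.push('credential_source.url resource does not match audience');
  } else if (!src.file && !src.executable && !src.environment_id) {
    problems.push('credential_source has no url, file, executable or AWS (environment_id) source');
  }
  return problems;
}
// Constructed input: the Azure config shown in the answer, with its REDACTED values kept as-is.
const PROVIDER = 'iam.googleapis.com/projects/REDACTED/locations/global/workloadIdentityPools/pool-azure/providers/provider-id';
const SAMPLE_AZURE_CONFIG = {
  type: 'external_account',
  audience: `//${PROVIDER}`,
  subject_token_type: 'urn:ietf:params:oauth:token-type:jwt',
  token_url: 'https://sts.googleapis.com/v1/token',
  credential_source: {
    url: `http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://${PROVIDER}`,
    headers: { Metadata: 'True' },
    format: { type: 'json', subject_token_field_name: 'access_token' },
  },
  service_account_impersonation_url: 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/REDACTED@REDACTED.iam.gserviceaccount.com:generateAccessToken',
};
```

To check a real file, pass the parsed JSON (for example JSON.parse(fs.readFileSync(process.env.GOOGLE_APPLICATION_CREDENTIALS))) to validateExternalAccountConfig and refuse to start the Storage client if the list is non-empty.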