如何使用 Cloud Function 执行服务帐户管理操作(创建、列出、删除)?
How to perform service account admin operations(create, list, delete) by using Cloud Function?
我想使用云功能创建、列出和删除服务帐户密钥。
我们确实有客户端库可以在 python 中执行这些操作,但我如何才能使用关联的服务帐户对云函数进行身份验证以执行这些操作?
官方文档中的示例代码如下:
import os
from google.oauth2 import service_account
import googleapiclient.discovery
def list_keys(service_account_email):
"""Lists all keys for a service account."""
credentials = service_account.Credentials.from_service_account_file(
filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS'],
scopes=['https://www.googleapis.com/auth/cloud-platform'])
service = googleapiclient.discovery.build(
'iam', 'v1', credentials=credentials)
keys = service.projects().serviceAccounts().keys().list(
name='projects/-/serviceAccounts/' + service_account_email).execute()
for key in keys['keys']:
print('Key: ' + key['name'])
在此代码中,我想使用关联的服务帐户而不是下面的代码段。
credentials = service_account.Credentials.from_service_account_file(
filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS'],
scopes=['https://www.googleapis.com/auth/cloud-platform'])
如有任何建议,我们将不胜感激。
当它们是 运行 时,默认情况下 Cloud Functions 使用 App Engine 默认服务帐户 (PROJECT_ID@appspot.gserviceaccount.com),如 GCP documentation:
中所示
At runtime, Cloud Functions defaults to using the App Engine default service account (PROJECT_ID@appspot.gserviceaccount.com), which has the Editor role on the project. You can change the roles of this service account to limit or extend the permissions for your running functions. You can also change which service account is used by providing a non-default service account on a per-function basis.
尽管如有必要,您可以 provide a non-default service account on a per-function basis(由于您需要的权限的性质,按照这种方法创建一个特定的服务帐户而不是使用默认的 App Engine 帐户可能会很方便).
要使用此服务帐户,请在构建服务时删除 credentials 参数:
service = googleapiclient.discovery.build('iam', 'v1')
要执行所需的服务帐户管理操作,必须为 运行 Cloud Function 配置的服务帐户授予 roles/iam.serviceAccountAdmin IAM 角色。请参阅相关 documentation.
我想使用云功能创建、列出和删除服务帐户密钥。
我们确实有客户端库可以在 python 中执行这些操作,但我如何才能使用关联的服务帐户对云函数进行身份验证以执行这些操作?
官方文档中的示例代码如下:
import os
from google.oauth2 import service_account
import googleapiclient.discovery
def list_keys(service_account_email):
"""Lists all keys for a service account."""
credentials = service_account.Credentials.from_service_account_file(
filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS'],
scopes=['https://www.googleapis.com/auth/cloud-platform'])
service = googleapiclient.discovery.build(
'iam', 'v1', credentials=credentials)
keys = service.projects().serviceAccounts().keys().list(
name='projects/-/serviceAccounts/' + service_account_email).execute()
for key in keys['keys']:
print('Key: ' + key['name'])
在此代码中,我想使用关联的服务帐户而不是下面的代码段。
credentials = service_account.Credentials.from_service_account_file(
filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS'],
scopes=['https://www.googleapis.com/auth/cloud-platform'])
如有任何建议,我们将不胜感激。
当它们是 运行 时,默认情况下 Cloud Functions 使用 App Engine 默认服务帐户 (PROJECT_ID@appspot.gserviceaccount.com),如 GCP documentation:
At runtime, Cloud Functions defaults to using the App Engine default service account (PROJECT_ID@appspot.gserviceaccount.com), which has the Editor role on the project. You can change the roles of this service account to limit or extend the permissions for your running functions. You can also change which service account is used by providing a non-default service account on a per-function basis.
尽管如有必要,您可以 provide a non-default service account on a per-function basis(由于您需要的权限的性质,按照这种方法创建一个特定的服务帐户而不是使用默认的 App Engine 帐户可能会很方便).
要使用此服务帐户,请在构建服务时删除 credentials 参数:
service = googleapiclient.discovery.build('iam', 'v1')
要执行所需的服务帐户管理操作,必须为 运行 Cloud Function 配置的服务帐户授予 roles/iam.serviceAccountAdmin IAM 角色。请参阅相关 documentation.