具有工作负载身份的 Google Cloud Java SDK?

问题描述 投票:0回答:2

尝试弄清楚如何从 GKE 集群内使用存储 API 进行身份验证。

代码:

Storage storage = StorageOptions.newBuilder()
  .setCredentials(ServiceAccountCredentials.getApplicationDefault())
  .setProjectId(gcpProjectId)
  .build().getService();


getApplicationDefault()
已记录为使用这些方法通过 API 进行身份验证:

  1. {@code GOOGLE_APPLICATION_CREDENTIALS} 环境变量指向的凭据文件
  2. Google Cloud SDK {@code gcloud auth application-default login} 命令提供的凭据
  3. Google App Engine 内置凭据
  4. Google Cloud Shell 内置凭据
  5. Google 计算引擎内置凭据

应用程序正在使用 GCP 工作负载身份功能,因此应用程序(集群内)服务帐户注释为:

serviceAccount.annotations.iam.gke.io/gcp-service-account: [email protected]

现在对存储帐户的调用失败,并出现以下错误:

{
  "code" : 403,
  "errors" : [ {
    "domain" : "global",
    "message" : "Primary: /namespaces/my-project.svc.id.goog with additional claims does not have storage.objects.create access to the Google Cloud Storage object.",
    "reason" : "forbidden"
  } ],
  "message" : "Primary: /namespaces/my-project.svc.id.goog with additional claims does not have storage.objects.create access to the Google Cloud Storage object."
}

这让我认为工作负载身份无法正常工作。我希望收到一条有关我带注释的服务帐户的错误消息,而不是默认的错误消息。

还有什么我应该做的吗?

java spring kubernetes google-cloud-platform google-kubernetes-engine
2个回答
3
投票

除了注释语法之外,部分答案是,就像我一样,您可能没有仔细查看文档中的这一部分:

    gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[K8S_NAMESPACE/KSA_NAME]" \
  GSA_NAME@PROJECT_ID.iam.gserviceaccount.com

注意

PROJECT_ID.svc.id.goog[K8S_NAMESPACE/KSA_NAME]
部分。他们没有提供语法示例,但在我的地形中看起来像这样。

resource "google_project_iam_member" "app-binding-2" {
  role   = "roles/iam.workloadIdentityUser"
  member = "serviceAccount:${local.ws_vars["project-id"]}.svc.id.goog[mynamespace/myk8ssaname]"
}

奇怪的是,即使命名空间不存在,你也可以在地形中绑定它,更不用说服务帐户了。因此您可以在部署之前先运行它。

1
投票

注释有误。而不是:

serviceAccount.annotations.iam.gke.io/gcp-service-account: [email protected]

一定是

iam.gke.io/gcp-service-account: [email protected]

现在错误消息还显示应用程序正在使用工作负载身份:

java.io.IOException: Unexpected Error code 403 trying to get security access token from Compute Engine metadata for the default service account: Unable to generate access token; IAM returned 403 Forbidden: The caller does not have permission
This error could be caused by a missing IAM policy binding on the target IAM service account.
For more information, refer to the Workload Identity documentation:
    https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#creating_a_relationship_between_ksas_and_gsas
最新问题
© www.soinside.com 2019 - 2024. All rights reserved.