Using the gcloud CLI to impersonate a service account
What is service account impersonation
As everyone knows, there are two ways to log in with gcloud:
- with a personal account, usually an email address
- with a service account, usually a JSON key file
Service account impersonation means that the operator logs in with a personal account, but after login every operation runs with the permissions of another service account.
Why impersonate a service account
- the operator gets all the permissions of the service account
- the operator can use the service account without holding its JSON key file
- every operation is logged with the service account as the operator
Required permissions
Suppose my personal account is jason1.pan@maplequad.com
and the SA to impersonate is terraform@jason-hsbc.iam.gserviceaccount.com
Simply put, the personal account needs the roles/iam.serviceAccountTokenCreator role on the SA.
Check
gateman@MoreFine-S500: github$ gcloud iam service-accounts get-iam-policy terraform@jason-hsbc.iam.gserviceaccount.com --format=json
{"etag": "ACAB"
}
As you can see, it does not have it yet.
There are two ways to fix this:
- grant that role on the SA to the personal account
- give the personal account the GCP project owner role
The first one is used here.
gateman@MoreFine-S500: github$ gcloud iam service-accounts add-iam-policy-binding terraform@jason-hsbc.iam.gserviceaccount.com --member="user:jason1.pan@maplequad.com" --role="roles/iam.serviceAccountTokenCreator" --project=jason-hsbc
Updated IAM policy for serviceAccount [terraform@jason-hsbc.iam.gserviceaccount.com].
bindings:
- members:
  - user:jason1.pan@maplequad.com
  role: roles/iam.serviceAccountTokenCreator
etag: BwY-I5F2wxU=
version: 1
gateman@MoreFine-S500: github$ gcloud iam service-accounts get-iam-policy terraform@jason-hsbc.iam.gserviceaccount.com --format=json
{"bindings": [{"members": ["user:jason1.pan@maplequad.com"],"role": "roles/iam.serviceAccountTokenCreator"}],"etag": "BwY-I5F2wxU=","version": 1
}
How to impersonate the service account
First log in with the personal account:
gcloud auth login
gateman@MoreFine-S500: github$ gcloud config list
[core]
account = jason1.pan@maplequad.com
disable_usage_reporting = False
project = jason-hsbc
Your active configuration is: [default]
Then enable impersonation with the gcloud config set auth/impersonate_service_account command:
gateman@MoreFine-S500: github$ gcloud config set auth/impersonate_service_account terraform@jason-hsbc.iam.gserviceaccount.com
Updated property [auth/impersonate_service_account].
gateman@MoreFine-S500: github$ gcloud config list
[auth]
impersonate_service_account = terraform@jason-hsbc.iam.gserviceaccount.com
[core]
account = jason1.pan@maplequad.com
disable_usage_reporting = False
project = jason-hsbc
Your active configuration is: [default]
Test
gateman@MoreFine-S500: github$ gcloud compute instances list
WARNING: This command is using service account impersonation. All API calls will be executed as [terraform@jason-hsbc.iam.gserviceaccount.com].
WARNING: This command is using service account impersonation. All API calls will be executed as [terraform@jason-hsbc.iam.gserviceaccount.com].
NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS
instance-windows europe-west1-c c3-standard-4 192.168.4.2 TERMINATED
gke-my-cluster1-my-node-pool1-5cad8c5c-7bv1 europe-west2-a n2d-highmem-4 192.168.3.30 RUNNING
gke-my-cluster1-my-node-pool1-5cad8c5c-zjgf europe-west2-a n2d-highmem-4 192.168.3.29 RUNNING
tf-vpc0-subnet0-gpu-vm0 europe-west2-a n1-highmem-8 true 192.168.0.56 TERMINATED
gke-my-cluster1-my-node-pool1-f7d2eb2b-jf2k europe-west2-b n2d-highmem-4 192.168.3.31 RUNNING
gke-my-cluster1-my-node-pool1-f7d2eb2b-zb06 europe-west2-b n2d-highmem-4 192.168.3.33 RUNNING
gke-my-cluster1-my-node-pool1-8902d932-dchn europe-west2-c n2d-highmem-4 192.168.3.34 RUNNING
gke-my-cluster1-my-node-pool1-8902d932-x0kk europe-west2-c n2d-highmem-4 192.168.3.32 RUNNING
instance-1 europe-west2-c e2-standard-2 192.168.0.2 TERMINATED
instance-2 europe-west2-c e2-standard-4 true 192.168.0.3 TERMINATED
instance-20241201-042218 europe-west2-c n2d-highmem-4 192.168.0.54 TERMINATED
instance-3-jenkins europe-west2-c n1-standard-4 192.168.0.6 TERMINATED
k8s-master europe-west2-c n2d-highmem-2 true 192.168.0.3 34.142.35.168 TERMINATED
k8s-node0 europe-west2-c n2d-highmem-4 true 192.168.0.6 TERMINATED
k8s-node1 europe-west2-c n2d-highmem-4 true 192.168.0.44 TERMINATED
k8s-node2 europe-west2-c n2d-highmem-4 true 192.168.0.43 TERMINATED
k8s-node3 europe-west2-c n2d-highmem-4 true 192.168.0.45 TERMINATED
tf-vpc0-subnet0-main-server europe-west2-c n2d-standard-4 true 192.168.0.35 34.39.2.90 RUNNING
tf-vpc0-subnet0-mysql0 europe-west2-c e2-standard-2 true 192.168.0.42 RUNNING
tf-vpc0-subnet0-vm0 europe-west2-c n2-highmem-4 true 192.168.0.51 RUNNING
tf-vpc0-subnet0-vm1 europe-west2-c e2-small true 192.168.0.7 TERMINATED
tf-vpc0-subnet0-vm2 europe-west2-c e2-small true 192.168.0.27 TERMINATED
tf-vpc0-subnet0-vm20 europe-west2-c e2-small true 192.168.0.33 TERMINATED
tf-vpc0-subnet0-vm21 europe-west2-c e2-small true 192.168.0.193 TERMINATED
tf-vpc0-subnet0-vm22 europe-west2-c n2-highmem-4 true 192.168.0.192 TERMINATED
tf-vpc0-subnet0-vm3 europe-west2-c e2-small true 192.168.0.29 TERMINATED
tf-vpc0-subnet0-vpc1-subnet0-vm0 europe-west2-c e2-small true 192.168.0.9,192.168.8.3 TERMINATED
tf-vpc0-subnet1-vm0 europe-west2-c e2-small true 192.168.1.2 TERMINATED
tf-vpc0-subnet1-vm1 europe-west2-c e2-small true 192.168.1.6 TERMINATED
tf-vpc1-subnet0-vm0 europe-west2-c e2-small true 192.168.8.2 TERMINATED
Aside: the difference between roles/iam.serviceAccountTokenCreator and roles/iam.serviceAccountUser
roles/iam.serviceAccountTokenCreator is for service account impersonation (minting tokens as the SA).
roles/iam.serviceAccountUser is for attaching the SA to resources.
For example, when account A wants to attach service account B to a GCP resource (such as the service account of a VM), A must hold roles/iam.serviceAccountUser on B.
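As an added example (not from the original post), here is a small audit of the JSON that gcloud iam service-accounts get-iam-policy --format=json returns, covering both the "Check" step above and the aside: it reports who holds roles/iam.serviceAccountTokenCreator (can impersonate) versus roles/iam.serviceAccountUser (can attach the SA), and flags broad principals. The sample policy is constructed; the serviceAccountUser binding and the ci@ account in it are assumptions for illustration.

```python
import json

# Constructed sample: the policy from the page after the binding was added, plus an
# assumed serviceAccountUser binding so the classification has something to flag.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"members": ["user:jason1.pan@maplequad.com"],
         "role": "roles/iam.serviceAccountTokenCreator"},
        {"members": ["serviceAccount:ci@jason-hsbc.iam.gserviceaccount.com",
                     "allAuthenticatedUsers"],  # assumed, to demonstrate a finding
         "role": "roles/iam.serviceAccountUser"},
    ],
    "etag": "BwY-I5F2wxU=",
    "version": 1,
})

IMPERSONATE_ROLE = "roles/iam.serviceAccountTokenCreator"  # can mint tokens as the SA
ATTACH_ROLE = "roles/iam.serviceAccountUser"               # can attach the SA to resources
BROAD_MEMBERS = ("allUsers", "allAuthenticatedUsers")


def members_with_role(policy, role):
    """Set of members bound to `role`; an empty policy like {"etag": "ACAB"} has no bindings."""
    return {m for b in policy.get("bindings", []) if b.get("role") == role
            for m in b.get("members", [])}


def can_impersonate(policy_json, member):
    """The check the page performs by hand: does `member` hold TokenCreator on the SA?"""
    return member in members_with_role(json.loads(policy_json), IMPERSONATE_ROLE)


def audit_sa_policy(policy_json):
    """Classify principals by what they can do with the SA and flag broad grants."""
    policy = json.loads(policy_json)
    impersonators = members_with_role(policy, IMPERSONATE_ROLE)
    attachers = members_with_role(policy, ATTACH_ROLE)
    findings = [f"overly broad principal {m} can act through this service account"
                for m in sorted(impersonators | attachers)
                if m in BROAD_MEMBERS or m.startswith("domain:")]
    return {"impersonators": sorted(impersonators),
            "attachers": sorted(attachers),
            "findings": findings}


if __name__ == "__main__":
    print(json.dumps(audit_sa_policy(SAMPLE_POLICY), indent=2))
```

Note that a TokenCreator grant made at project level (like the owner route mentioned above) does not appear in the SA's own policy, so this audit only covers bindings on the service account itself.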