问题
I am using signed-urls to give my clients temporary access to google cloud storage objects
I have a service account json which looks like this:
{
"type": "service_account",
"project_id": "my-project",
"private_key_id": "abcdef1234567890",
"private_key": "-----BEGIN PRIVATE KEY-----\n<key...>\n-----END PRIVATE KEY-----\n",
"client_email": "my-app@my-project.iam.gserviceaccount.com",
"client_id": "1234567890",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/my-app%my-project.iam.gserviceaccount.com"
}
and here is how I create the signed url -code written in elixir (code from gcs_signer lib)
def sign_url(private_key, client_email, bucket, object) do
verb = "GET"
md5_digest = ""
content_type = ""
expires = DateTime.utc_now() |> DateTime.to_unix() |> Kernel.+(1 * 3600)
resource = "/#{bucket}/#{object}"
signature = [verb, md5_digest, content_type, expires, resource]
|> Enum.join("\n") |> generate_signature(private_key)
url = "https://storage.googleapis.com#{resource}"
qs = %{
"GoogleAccessId" => client_email,
"Expires" => expires,
"Signature" => signature
} |> URI.encode_query
Enum.join([url, "?", qs])
end
defp generate_signature(string, private_key) do
private_key = process_key(private_key)
string
|> :public_key.sign(:sha256, private_key)
|> Base.encode64
end
defp process_key(private_key) do
private_key
|> :public_key.pem_decode
|> (fn [x] -> x end).()
|> :public_key.pem_entry_decode
|> normalize_private_key
end
defp normalize_private_key(private_key) do
# grab privateKey from the record tuple
private_key
|> elem(3)
|> (fn pk -> :public_key.der_decode(:RSAPrivateKey, pk) end).()
end
in this was I create a signed url using the private_key from the json file
for security reasons we moved to service-accounts-for-instances instead of using json credentials
my question is how to create a signed url when using service-accounts-for-instances when I don't have a json credential?
the only thing I have is the servie_account_email which look like this: my-app-gsa@my-project.iam.gserviceaccount.com
Should I use the signBlob api? if so how would my curl requests look like?
回答1:
I tried to reproduce your use case:
Create two service accounts:
gcloud iam service-accounts create signblob --description signblob gcloud iam service-accounts create signforme --description signforme # signblob will sign for signformeSet the IAM role (
roles/iam.serviceAccountTokenCreator) for thesignblobservice account:gcloud projects add-iam-policy-binding myproject --member signblob@myproject.iam.gserviceaccount.com --role roles/iam.serviceAccountTokenCreatorCreate a VM as a service account using
signblobservice:gcloud compute instances create instance-10 --zone=us-central1-a --service-account=signblob@myproject.iam.gserviceaccount.comSSH to the instances just created:
gcloud compute ssh instance-10 --zone=us-central1-aCreate a file on the instance:
nano file cat file # This is a fileSign the file (blob) using
gcloudtool forsignformeservice account using--log-httpflag:gcloud iam service-accounts sign-blob --iam-account signblob-source@myproject.iam.gserviceaccount.com file output --log-httpOutput:
signed blob [file] as [output] for [signforme@myproject.iam.gserviceaccount.com]
This is the curl command that I run on the VM instance-10 created before:
curl --request POST 'https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/signblob-source%40myproject.iam.gserviceaccount.com:signBlob?prettyPrint=true&key=[API KEY]' --header 'Authorization: Bearer [ACCESS TOKEN]' --header 'Accept: application/json' --header 'Content-Type: application/json' --data '{"payload":"VGhpcyBpcyBhIGZpbGUgCg=="}' --compressed
Where ACCESS TOKEN is gcloud auth application-default print-access-token
Output:
{"keyId": ,"signedBlob":}
回答2:
here is my code in elixir returns an encrypted link in the following format:
https://storage.googleapis.com/my-bucket/my-file?Expires=1576437298&GoogleAccessId=my-gsa%40project.iam.gserviceaccount.com&Signature=FUgBzvfFCa0YAL
following google api for signBlob
@base_url @https://storage.googleapis.com
def generate_encrypted_url() do
gcp_service_account = "my-gsa@project.iam.gserviceaccount.com"
bucket = "my-bucket",
object ="my-file"
get_signed_url(gcp_service_account, bucket, object)
end
def get_signed_url(gcp_service_account, bucket, object) do
%Tesla.Client{pre: [{Tesla.Middleware.Headers, :call, [auth_headers]}]} = get_connection()
headers = [{"Content-Type", "application/json"}] ++ auth_headers
url = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/#{gcp_service_account}:signBlob"
expires = DateTime.utc_now() |> DateTime.to_unix() |> Kernel.+(1 * 3600)
resource = "/#{bucket}/#{object}"
signature = ["GET", "", "", expires, resource] |> Enum.join("\n") |> Base.encode64()
body = %{"payload" => signature} |> Poison.encode!()
{:ok, %{status_code: 200, body: result}} = HTTPoison.post(url, body, headers)
%{"signedBlob" => signed_blob} = Poison.decode!(result)
qs = %{
"GoogleAccessId" => gcp_service_account,
"Expires" => expires,
"Signature" => signed_blob
} |> URI.encode_query
Enum.join(["#{@base_url}#{resource}", "?", qs])
end
def get_connection() do
{:ok, token} = Goth.Token.for_scope("https://www.googleapis.com/auth/cloud-platform")
GoogleApi.Storage.V1.Connection.new(token.token)
end
来源:https://stackoverflow.com/questions/59394149/how-to-generate-signed-url-for-google-cloud-storage-objects-using-service-accoun