How do I authenticate to GCP using an uploaded (not generated) service account key?

WBOY
Release: 2024-02-09 08:21:12
forward
645 people have browsed it

如何使用上传(未生成)的服务帐户密钥向 GCP 进行身份验证?

php editor Strawberry will introduce you in detail how to use the uploaded service account key to authenticate Google Cloud Platform (GCP). Authentication is a very important step in the process of using GCP, and the service account key is the key to authentication. This article will explain to you how to upload the service account key and authenticate it correctly so that you can smoothly use various functions and services of GCP. Whether you are new to GCP or have some experience, this article will provide you with useful guidance and tips to ensure that you can complete the authentication process with ease. By reading this article, you will learn the steps and considerations for uploading service account keys, and how to correctly use these keys for authentication in GCP.

Question content

I am writing a service that requires different tenants to access GCP services. My microservices will be running on different hosts (no GCP). One of the limitations I'm facing is using a service account key to authorize api calls. The second constraint is that my microservice is responsible for generating the key pair for the service account and sharing the public key with the tenants so that they can upload it to their service account.

My current problem is that I can't find any documentation that explains how to authenticate to the GCP golang library using the key pair I have. All the documentation I've read always addresses service account key authentication, assuming that you will let GCP generate the key pair for you, and that you already have a json file with all the details you need.

Documents I have reviewed:

- https://cloud.google.com/docs/authentication/client-libraries#adc
- https://cloud.google.com/docs/authentication#service-accounts
- https://cloud.google.com/docs/authentication/provide-credentials-adc#local-key
- https://github.com/GoogleCloudPlatform/golang-samples/blob/main/auth/id_token_from_service_account.go
Copy after login

Google Libraries uses a mechanism called "Application Default Credentials" that allows all of its libraries to find credentials for authentication. Specifically, in this case, the ADC always requires the json file to get the details of the credentials.

The json file looks like this:

<code>{
    "type": "service_account",
    "project_id": "my-project",
    "private_key_id": "1ed3aae07f98f3e6da78ad308b41232133d006cf",
    "private_key": "-----BEGIN PRIVATE KEY-----\n...==\n-----END PRIVATE KEY-----\n",
    "client_email": "<EMAIL HERE>",
    "client_id": "1234567890102",
    "auth_uri": "<GOOGLE AUTH URI HERE>",
    "token_uri": "<GOOGLE TOKEN URI HERE>",
    "auth_provider_x509_cert_url": "<SOME GOOGLE URL HERE>",
    "client_x509_cert_url": "<MORE GOOGLE URL HERE>",
    "universe_domain": "googleapis.com"
}
</code>
Copy after login

So my question is, how do I build this json file from the generated key pair? If this is not possible (GCP limitation), then why am I able to upload the key pair? Can anyone point me to an example to help me resolve this situation?

Any help is greatly appreciated

I've reviewed all GCP official documentation, API reference, and Github script examples. None of them referenced the uploaded service account key

Workaround

It took me a while to get back to this issue. Thanks to @guillaume-blaquiere's answer, I started testing with the minimal required files.

Finally came up with this:

{
  "type": "service_account",
  "private_key": "<Your generated private_key.pem>",
  "client_email": "<service account email>",
}
Copy after login

These are the minimum properties required by the Google SDK to successfully authenticate to GCP

The private key must be the same one used to generate the public key uploaded to the GCP service account.

As far as golang code is concerned, you can put this information into a structure and then parse the structure into json:

type JSONFile struct {
  Type     string `json:"type"`
  PrivKey  []byte `json:"private_key"`
  Email    string `json:"client_email"`
}
Copy after login

Then:

file := JSONFile{
    Type:        "service_account",
    PrivKey:  "<PK bytes here>",
    Email: "<a href="https://www.php.cn/link/89fee0513b6668e555959f5dc23238e9" class="__cf_email__" data-cfemail="7d0e180f0b141e18501c1e1e120813095018101c14113d1a1e0d531e1210">[email&#160;protected]</a>",
}
result, err := json.Marshal(file)
if err != nil {
    panic(1)
}
credentials, err := google.CredentialsFromJSON(context.Background(), result, secretmanager.DefaultAuthScopes()...)
if err != nil {
    panic(1)
}
projectsClient, err := resourcemanager.NewProjectsClient(context.Background(), option.WithCredentials(credentials))
Copy after login

The above is the detailed content of How do I authenticate to GCP using an uploaded (not generated) service account key?. For more information, please follow other related articles on the PHP Chinese website!

source:stackoverflow.com
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template