Create, in the GCP console, a service account credential that an application uses to access GCP resources.
Create the service account
Go to [IAM & Admin], click [Service Accounts] in the left-hand menu, then on the [Service accounts] page on the right click [CREATE SERVICE ACCOUNT].
On the [Create service account] page, step one: enter the service account name in the [Service account name] field, then click [CREATE AND CONTINUE] to go to step two.
In step two, choose the [Owner] role in the [Role] field; this gives the service account full access to the GCP project.
Click [CONTINUE] to go to step three.
Step three can be skipped; click [DONE] to finish creating the service account.
The service account for the application now exists; the application authenticates to GCP and accesses resources with this service account's key.
Create the service account key (credential)
Open the details page of the service account just created, click the [KEYS] tab, and under [ADD KEY] choose [Create new key].
In the [Create private key] dialog, choose [JSON] as the [Key type] and click [CREATE].
After the key is created, a prompt says it has been downloaded to the local machine automatically; with the choice above, this is a JSON file.
The generated service account key.
The content of the downloaded service account key JSON file is shown below. The content is usually stored encrypted in a database, and when the application needs to access GCP resources it uses this credential to create the required client service objects.
Service account key JSON file
{
"type": "service_account",
"project_id": "tidal-mason-366907",
"private_key_id": "1efc187e472e389aa62ec3074357e6ba3849cbea",
"private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDRruESy4gm2Qhm\nesbzvC5Q/FCa5OoUXgZ2FFnyA6z3/D5a4xexXXxJwlRkduJGx/wQlejSsMbFMq5v\nrbEb4xBSq/cUFF6NvLlo5W8WEhdm4MV5RSBB7GhOJJi3sra9wdX6alEKnpbk7CP2\nlM482t+3+T3UQzECKRCZgJwkFvEtvY8AB4R4aHOtP5ueDYeOFKJaKxeGdKkEd\nmRcKu4WekFhmnU1RLyvVuAiw70S1pvV3hJSmjEatUiXDMwGlsMwMXaZQIdoBUbW6\nKIm2BPInf0c/0UImOWbSigTFkzou8qd3feHOiIGKI1C0JuQZUFs7uJ8ttLjre5bM\nNONNeHenAgMBAAECggEAKtMlwtnw18ZR0eRXh+YyK3Ys3EXOjRRbC3jCmgwoIonR\nDmz9JMtsHABljhM9yakEkTqcz5MtNY9RUxt4bxKj/c6DawVx/k7CK2tYkdBmGSvl\nCQyWNwCamQMecb49VmolUryuCpYzSVP1UG158PHe6UstVpHWi5NpgYBj43cQEQAc\nT9uwSAnErOc+1vk0n+S+X8eLpMl5TuIZhIflRw3m841rnbPfKAVfocbGAFFnTT7k\n1SoaxOfYFvAQfnCOlbZufZfcihKrMje34vebOY/gvwwaHccAAxKgzYCkyP3fVmdY\nKQjjlnOBR5FVDsDhoY3NOodeMFOh7lCop6yWAvihWQKBgQD1EsHzhowudPFICAt/\nm3KXWmsdAydEYbdoguvonWTWZb6wTC6m3oKhBspJGa5IEphsBdTAYsP5DVzB0xuj\ng6cqBrTc2CnFW7HYz9Bv10V1xcq/3qz7P8u7v1i9MUyG5dc/tnB6awYVum17Liay\nEpbR1Xxhtnpqk1ltERPgqPS1QwKBgQDbCC6OGakR6JTM/XTcTeNIBpf/v7asOFep\nGkHjh/VaS1hH0jkBOLF7u/eaPHmC2ZmebI/ylECf0B1WCvZRVSRFeLHehwlDbxHL\nOt+zLhSIZObxCH2xyxXTUDb0Wa5WVBdlrmdXTB3hqefkyMU5E00iphXSVA8E68Ym\nIQIISxHbzQKBgD4x3HbpFnpTw0f8gq6HzLUMhVJ/kl+QTPOBBk2qZATlHVewfcZr\ngctL5dpXYht4XKZNdIi+h+2Uro2h/cmph6rquMuzMCad9qyHUOaRQ1d4MtQutses\nkQ+8p9CbykgR2GaW7kSjFJA/F7nDJJ7ciNoHy+EgZkDV1EQRqXHCbxfxAoGAe5de\nTaiFEine7NyHuFfqy5WM5y7ScNNK41haHYrJ8wkAELLD7lhzKP/zvQYzJDkcdRo\nVUT6QjM4mniNDM+yK9Ey7JHd1EM0Ey0hVQXHaD8nYRKdellR827r021XRjclDKcg\ngM3efptU0m/HebE+cTKuVYRBBVHU+WbesrdJWHECgYACxE0jj7GDajCx4jAiXLwl\nmcH9S2144nhxAIyEUk26HZql/zBNmRmMfXuQOqnMhYwCu+QW/NLb4kfszpxHc5HA\nOAXpYkQQxbjoQM8PnHxOSeEDmFopc3kWDhqQw7ptV4SdoivnWWX2lf25Hq2iblIM\nOyqlsszx/Yu3FbyU7r40zoHg==\n-----END PRIVATE KEY-----\n",
"client_email": "demo-service-account@tidal-mason-366907.iam.gserviceaccount.com",
"client_id": "118395370168002137289",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/demo-service-account%40tidal-mason-366907.iam.gserviceaccount.com",
"universe_domain": "googleapis.com"
}
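As an added example (not code from the original post), the following Go program does what the paragraph above describes in outline: it loads the downloaded key file, checks the fields the token exchange depends on, and builds the RS256-signed JWT assertion that a client POSTs to token_uri in exchange for an access token (the HTTP request itself is left out). The email, key id and scope used in its test are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"time"
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// LoadKey parses the downloaded JSON and checks the fields the token exchange
// depends on; private_key is a PKCS#8 PEM block ("BEGIN PRIVATE KEY"), as above.
func LoadKey(raw []byte) (map[string]string, *rsa.PrivateKey, error) {
	var k map[string]string
	if err := json.Unmarshal(raw, &k); err != nil {
		return nil, nil, err
	}
	block, _ := pem.Decode([]byte(k["private_key"]))
	if k["type"] != "service_account" || k["client_email"] == "" || k["token_uri"] == "" || block == nil {
		return nil, nil, errors.New("not a usable service account key file")
	}
	priv, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	rsaKey, ok := priv.(*rsa.PrivateKey) // comma-ok is safe even when priv is nil
	if err != nil || !ok {
		return nil, nil, errors.New("private_key is not an RSA PKCS#8 key")
	}
	return k, rsaKey, nil
}

// Assertion builds the RS256 JWT (iss = client_email, aud = token_uri, kid = private_key_id)
// that the client POSTs to token_uri with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer.
func Assertion(k map[string]string, priv *rsa.PrivateKey, scope string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": k["private_key_id"]})
	claims, _ := json.Marshal(map[string]interface{}{"iss": k["client_email"], "scope": scope, "aud": k["token_uri"], "iat": now.Unix(), "exp": now.Add(time.Hour).Unix()})
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}
```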