
2023/6/29

GCP: Creating a Service Account Credential for Application Access to Resources

Create, in the GCP console, a service account credential that an application can use to access GCP resources.


Creating the Service account

Go to [IAM & Admin], click [Service Accounts] in the left-hand menu, then on the [Service accounts] page on the right click [CREATE SERVICE ACCOUNT].



On the [Create service account] page, in step one,
fill in the service account name in the [Service account name] field;

click [CREATE AND CONTINUE] to move on to step two.



In step two, select the [Owner] role in the [Role] field, meaning this service account has full access to GCP.

Click [CONTINUE] to move on to step three.



Step three is skipped; click [DONE] directly to finish creating the service account.



At this point the service account for the application has been created; the application authenticates to GCP and accesses resources using the service account's key.


Creating the Service account key (credential)

Open the detail page of the newly created service account, click the [KEYS] tab, and under [ADD KEY] choose [Create new key].



In the [Create private key] dialog, choose the [JSON] format under [Key type]. Click [CREATE] to create it.



After the service account key is created, a prompt says it has been downloaded to the local machine automatically; given the choice above, it is a JSON file.



The key generated for the service account.



The contents of the downloaded service account key JSON file are shown below. Its contents are usually stored encrypted in a database; when the application needs to access GCP resources, this credential is used to create the required client service object.

Service account key JSON file

{
  "type": "service_account",
  "project_id": "tidal-mason-366907",
  "private_key_id": "1efc187e472e389aa62ec3074357e6ba3849cbea",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDRruESy4gm2Qhm\nesbzvC5Q/FCa5OoUXgZ2FFnyA6z3/D5a4xexXXxJwlRkduJGx/wQlejSsMbFMq5v\nrbEb4xBSq/cUFF6NvLlo5W8WEhdm4MV5RSBB7GhOJJi3sra9wdX6alEKnpbk7CP2\nlM482t+3+T3UQzECKRCZgJwkFvEtvY8AB4R4aHOtP5ueDYeOFKJaKxeGdKkEd\nmRcKu4WekFhmnU1RLyvVuAiw70S1pvV3hJSmjEatUiXDMwGlsMwMXaZQIdoBUbW6\nKIm2BPInf0c/0UImOWbSigTFkzou8qd3feHOiIGKI1C0JuQZUFs7uJ8ttLjre5bM\nNONNeHenAgMBAAECggEAKtMlwtnw18ZR0eRXh+YyK3Ys3EXOjRRbC3jCmgwoIonR\nDmz9JMtsHABljhM9yakEkTqcz5MtNY9RUxt4bxKj/c6DawVx/k7CK2tYkdBmGSvl\nCQyWNwCamQMecb49VmolUryuCpYzSVP1UG158PHe6UstVpHWi5NpgYBj43cQEQAc\nT9uwSAnErOc+1vk0n+S+X8eLpMl5TuIZhIflRw3m841rnbPfKAVfocbGAFFnTT7k\n1SoaxOfYFvAQfnCOlbZufZfcihKrMje34vebOY/gvwwaHccAAxKgzYCkyP3fVmdY\nKQjjlnOBR5FVDsDhoY3NOodeMFOh7lCop6yWAvihWQKBgQD1EsHzhowudPFICAt/\nm3KXWmsdAydEYbdoguvonWTWZb6wTC6m3oKhBspJGa5IEphsBdTAYsP5DVzB0xuj\ng6cqBrTc2CnFW7HYz9Bv10V1xcq/3qz7P8u7v1i9MUyG5dc/tnB6awYVum17Liay\nEpbR1Xxhtnpqk1ltERPgqPS1QwKBgQDbCC6OGakR6JTM/XTcTeNIBpf/v7asOFep\nGkHjh/VaS1hH0jkBOLF7u/eaPHmC2ZmebI/ylECf0B1WCvZRVSRFeLHehwlDbxHL\nOt+zLhSIZObxCH2xyxXTUDb0Wa5WVBdlrmdXTB3hqefkyMU5E00iphXSVA8E68Ym\nIQIISxHbzQKBgD4x3HbpFnpTw0f8gq6HzLUMhVJ/kl+QTPOBBk2qZATlHVewfcZr\ngctL5dpXYht4XKZNdIi+h+2Uro2h/cmph6rquMuzMCad9qyHUOaRQ1d4MtQutses\nkQ+8p9CbykgR2GaW7kSjFJA/F7nDJJ7ciNoHy+EgZkDV1EQRqXHCbxfxAoGAe5de\nTaiFEine7NyHuFfqy5WM5y7ScNNK41haHYrJ8wkAELLD7lhzKP/zvQYzJDkcdRo\nVUT6QjM4mniNDM+yK9Ey7JHd1EM0Ey0hVQXHaD8nYRKdellR827r021XRjclDKcg\ngM3efptU0m/HebE+cTKuVYRBBVHU+WbesrdJWHECgYACxE0jj7GDajCx4jAiXLwl\nmcH9S2144nhxAIyEUk26HZql/zBNmRmMfXuQOqnMhYwCu+QW/NLb4kfszpxHc5HA\nOAXpYkQQxbjoQM8PnHxOSeEDmFopc3kWDhqQw7ptV4SdoivnWWX2lf25Hq2iblIM\nOyqlsszx/Yu3FbyU7r40zoHg==\n-----END PRIVATE KEY-----\n",
  "client_email": "demo-service-account@tidal-mason-366907.iam.gserviceaccount.com",
  "client_id": "118395370168002137289",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/demo-service-account%40tidal-mason-366907.iam.gserviceaccount.com",
  "universe_domain": "googleapis.com"
}
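Before an application stores or uses the downloaded file, it helps to check that it really has the shape above and to make sure the private key never ends up in logs. The following Python is an added example, not code from this post; the field names come from the JSON above, the 40-hex-character key ID format is what the console-generated file shows, and the sample key dict is constructed (the PEM body is a placeholder). Building the actual client with google-auth from the validated dict is not shown here to keep the example dependency-free.

```python
import json
import re

# Fields present in the console-generated service account key JSON above
REQUIRED_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "auth_uri", "token_uri",
)
SECRET_FIELDS = ("private_key",)

# Constructed sample in the same shape as the downloaded file (placeholder key)
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project-123456",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "demo-sa@example-project-123456.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
}

def validate_key_file(info):
    """Return a list of problems found in a parsed key dict; empty means OK."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not info.get(field):
            problems.append(f"missing field: {field}")
    if info.get("type") != "service_account":
        problems.append("type is not 'service_account'")
    pem = info.get("private_key", "")
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----\n")
            and pem.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM private key block")
    if not re.fullmatch(r"[0-9a-f]{40}", info.get("private_key_id", "")):
        problems.append("private_key_id is not a 40-hex-character key ID")
    # The account email must belong to the project named in the same file
    suffix = f"@{info.get('project_id')}.iam.gserviceaccount.com"
    if not info.get("client_email", "").endswith(suffix):
        problems.append("client_email does not match project_id")
    return problems

def redacted(info):
    """Copy that is safe to log: secret fields replaced, identity fields kept."""
    return {k: ("<redacted>" if k in SECRET_FIELDS else v) for k, v in info.items()}

def load_key_file(path):
    """Parse a downloaded key file and refuse it if validation fails."""
    with open(path, encoding="utf-8") as fh:
        info = json.load(fh)
    problems = validate_key_file(info)
    if problems:
        raise ValueError("invalid service account key: " + "; ".join(problems))
    return info
```

Because the account was given the Owner role above, this file grants full project access to whoever holds it, which is why the post stores it encrypted rather than in plain text.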

