云 运行 使用用户帐户进行身份验证
cloud run authentication with user account
作为googledocumented, developers can use gcloud auth print-identity-token to generate a development-only id_token to authenticate to Cloud Run. If I base64 decode the resulting id_token, I can see the aud claim is set to 32555940559.apps.googleusercontent.com, which is the client_id of the google cloud sdk:
这是 service-to-service authentication, which says target_audience needs to be set to the url of the receiving service (e.g., https://xxxxx.run.app 中概述的规则的例外情况。aud 和 target_audience 是一回事吗?
最后,除了使用 googlecloudsdk(即成像 gcloud auth print-identity-token 不存在)之外,是否有其他方法可以使用用户帐户而不是服务帐户进行身份验证?
您可以使用以下命令:
gcloud auth application-default login
根据 documentation:
This command is useful when you are developing code that would
normally use a service account but need to run the code in a local
development environment where it's easier to provide user credentials.
是的,这是一个真正的问题。我在 IAM limitation and Service Account Credentials API 上写了 2 篇文章,并为 Google Auth Java 库提交了 2 个拉取请求(如果您有兴趣,我可以分享 link)。
直接而轻松,你做不到。我在我的文章中提供了解决方法,但还不足以停止我现在与 Google 的讨论。
作为googledocumented, developers can use gcloud auth print-identity-token to generate a development-only id_token to authenticate to Cloud Run. If I base64 decode the resulting id_token, I can see the aud claim is set to 32555940559.apps.googleusercontent.com, which is the client_id of the google cloud sdk:
这是 service-to-service authentication, which says target_audience needs to be set to the url of the receiving service (e.g., https://xxxxx.run.app 中概述的规则的例外情况。aud 和 target_audience 是一回事吗?
最后,除了使用 googlecloudsdk(即成像 gcloud auth print-identity-token 不存在)之外,是否有其他方法可以使用用户帐户而不是服务帐户进行身份验证?
您可以使用以下命令:
gcloud auth application-default login
根据 documentation:
This command is useful when you are developing code that would normally use a service account but need to run the code in a local development environment where it's easier to provide user credentials.
是的,这是一个真正的问题。我在 IAM limitation and Service Account Credentials API 上写了 2 篇文章,并为 Google Auth Java 库提交了 2 个拉取请求(如果您有兴趣,我可以分享 link)。
直接而轻松,你做不到。我在我的文章中提供了解决方法,但还不足以停止我现在与 Google 的讨论。