googlecloudstorage: update docs on service account access tokens
parent: acd5a893e2
commit: 1b68492c85
1 changed files with 47 additions and 0 deletions
@ -201,6 +201,53 @@ the rclone config file, you can set `service_account_credentials` with
the actual contents of the file instead, or set the equivalent
environment variable.
### Service Account Authentication with Access Tokens
Another option for service account authentication is to use access tokens via *gcloud impersonate-service-account*. Access tokens protect security by avoiding the use of the JSON
key file, which can be breached. They also bypass oauth login flow, which is simpler
on remote VMs that lack a web browser.
If you already have a working service account, skip to step 3.
#### 1. Create a service account using
gcloud iam service-accounts create gcs-read-only
You can re-use an existing service account as well (like the one created above)
#### 2. Attach a Viewer (read-only) or User (read-write) role to the service account
$ PROJECT_ID=my-project
$ gcloud --verbose iam service-accounts add-iam-policy-binding \
gcs-read-only@${PROJECT_ID}.iam.gserviceaccount.com \
--member=serviceAccount:gcs-read-only@${PROJECT_ID}.iam.gserviceaccount.com \
--role=roles/storage.objectViewer
Use the Google Cloud console to identify a limited role. Some relevant pre-defined roles:
* *roles/storage.objectUser* -- read-write access but no admin privileges
* *roles/storage.objectViewer* -- read-only access to objects
* *roles/storage.admin* -- create buckets & administrative roles
#### 3. Get a temporary access key for the service account
$ gcloud auth application-default print-access-token \
--impersonate-service-account \
dev-gcloud-go@${PROJECT_ID}.iam.gserviceaccount.com
ya29.c.c0ASRK0GbAFEewXD [truncated]
#### 4. update rclone.conf
find `{access_token": "xxx"}` and replace the value with the access token from step 3
#### 5. Run rclone as usual
rclone ls dev-gcs:${MY_BUCKET}/
### More Info on Service Accounts
* [Official GCS Docs](https://cloud.google.com/compute/docs/access/service-accounts)
* [Guide on Service Accounts using Key Files (less secure, but similar concepts)](https://forum.rclone.org/t/access-using-google-service-account/24822/2)
### Anonymous Access
For downloads of objects that permit public access you can configure rclone
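Review bot: step 3 impersonates `dev-gcloud-go@${PROJECT_ID}.iam.gserviceaccount.com`, but steps 1 and 2 create and bind `gcs-read-only`, so a reader following the steps as written gets a token for a different account or an error; the last line of step 3 should read `gcs-read-only@${PROJECT_ID}.iam.gserviceaccount.com`. Step 2 also does not do what its heading says: `gcloud iam service-accounts add-iam-policy-binding <SA> --member=serviceAccount:<SA> --role=roles/storage.objectViewer` edits the IAM policy of the service account resource itself and grants no access to any bucket; the storage role belongs on the project or the bucket, e.g. `gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=serviceAccount:gcs-read-only@${PROJECT_ID}.iam.gserviceaccount.com --role=roles/storage.objectViewer` or the equivalent `gcloud storage buckets add-iam-policy-binding gs://${MY_BUCKET} ...`. The `service-accounts add-iam-policy-binding` form is the right one for a prerequisite the text never states: the user running step 3 needs `roles/iam.serviceAccountTokenCreator` on the service account, otherwise `--impersonate-service-account` is refused. Two smaller points: the token printed in step 3 is short-lived (about an hour by default), so the section should say that rclone stops working when it expires and steps 3 and 4 must be repeated; and the step 4 snippet `{access_token": "xxx"}` is missing its opening quote and refers to the `token` key in rclone.conf, whose value is a JSON object, so it should say to edit `"access_token"` inside the `token = {...}` value. Finally, `*gcloud impersonate-service-account*` in the intro is not a command but the `--impersonate-service-account` flag used in step 3, and the step 1 heading ends in a dangling "using".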