googlecloudstorage: update docs on service account access tokens
This commit is contained in:
parent
acd5a893e2
commit
1b68492c85
1 changed files with 47 additions and 0 deletions
@ -201,6 +201,53 @@ the rclone config file, you can set `service_account_credentials` with
the actual contents of the file instead, or set the equivalent
environment variable.
### Service Account Authentication with Access Tokens
Another option for service account authentication is to use access tokens via *gcloud impersonate-service-account*. Access tokens protect security by avoiding the use of the JSON
key file, which can be breached. They also bypass oauth login flow, which is simpler
on remote VMs that lack a web browser.
If you already have a working service account, skip to step 3.
#### 1. Create a service account using
gcloud iam service-accounts create gcs-read-only
You can re-use an existing service account as well (like the one created above)
#### 2. Attach a Viewer (read-only) or User (read-write) role to the service account
$ PROJECT_ID=my-project
$ gcloud --verbose iam service-accounts add-iam-policy-binding \
gcs-read-only@${PROJECT_ID}.iam.gserviceaccount.com \
--member=serviceAccount:gcs-read-only@${PROJECT_ID}.iam.gserviceaccount.com \
--role=roles/storage.objectViewer
Use the Google Cloud console to identify a limited role. Some relevant pre-defined roles:
* *roles/storage.objectUser* -- read-write access but no admin privileges
* *roles/storage.objectViewer* -- read-only access to objects
* *roles/storage.admin* -- create buckets & administrative roles
#### 3. Get a temporary access key for the service account
$ gcloud auth application-default print-access-token \
--impersonate-service-account \
dev-gcloud-go@${PROJECT_ID}.iam.gserviceaccount.com
ya29.c.c0ASRK0GbAFEewXD [truncated]
#### 4. update rclone.conf
find `{access_token": "xxx"}` and replace the value with the access token from step 3
#### 5. Run rclone as usual
rclone ls dev-gcs:${MY_BUCKET}/
### More Info on Service Accounts
* [Official GCS Docs](https://cloud.google.com/compute/docs/access/service-accounts)
* [Guide on Service Accounts using Key Files (less secure, but similar concepts)](https://forum.rclone.org/t/access-using-google-service-account/24822/2)
### Anonymous Access
For downloads of objects that permit public access you can configure rclone
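Review bot: in step 2, `gcloud iam service-accounts add-iam-policy-binding gcs-read-only@${PROJECT_ID}.iam.gserviceaccount.com ... --role=roles/storage.objectViewer` writes that role into the IAM policy of the service account resource itself, not into the project or bucket policy, so the account still gets no access to objects; grant the storage role where the data lives, e.g. `gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=serviceAccount:gcs-read-only@${PROJECT_ID}.iam.gserviceaccount.com --role=roles/storage.objectViewer` (or scope it to a single bucket with `gcloud storage buckets add-iam-policy-binding`), and keep the service-account-level binding for what it is actually needed for here: granting the user or account that runs step 3 `roles/iam.serviceAccountTokenCreator` on the service account, without which impersonation is refused. Step 3 impersonates `dev-gcloud-go@${PROJECT_ID}...` while steps 1 and 2 set up `gcs-read-only`; use one account name throughout so the walkthrough works as written. Step 4 should say that the token obtained in step 3 is short-lived, so step 3 and the config edit have to be repeated when it expires, and `{access_token": "xxx"}` is missing its opening quote around `access_token`. Minor: the heading "#### 4. update rclone.conf" is lowercase while the other step headings are capitalized, and if the command lines in steps 2, 3 and 5 are not already indented as code blocks they should be, otherwise the backslash-continued lines run together in rendered Markdown.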