googlecloudstorage: update docs on service account access tokens

This commit is contained in:
Anthony Metzidis 2024-11-18 17:36:25 -08:00 committed by Nick Craig-Wood
parent acd5a893e2
commit 1b68492c85

@ -201,6 +201,53 @@ the rclone config file, you can set `service_account_credentials` with
the actual contents of the file instead, or set the equivalent the actual contents of the file instead, or set the equivalent
environment variable. environment variable.
### Service Account Authentication with Access Tokens
Another option for service account authentication is to use access tokens via *gcloud impersonate-service-account*. Access tokens protect security by avoiding the use of the JSON
key file, which can be breached. They also bypass oauth login flow, which is simpler
on remote VMs that lack a web browser.
If you already have a working service account, skip to step 3.
#### 1. Create a service account using
gcloud iam service-accounts create gcs-read-only
You can re-use an existing service account as well (like the one created above)
#### 2. Attach a Viewer (read-only) or User (read-write) role to the service account
$ PROJECT_ID=my-project
$ gcloud --verbose iam service-accounts add-iam-policy-binding \
gcs-read-only@${PROJECT_ID}.iam.gserviceaccount.com \
--member=serviceAccount:gcs-read-only@${PROJECT_ID}.iam.gserviceaccount.com \
--role=roles/storage.objectViewer
Use the Google Cloud console to identify a limited role. Some relevant pre-defined roles:
* *roles/storage.objectUser* -- read-write access but no admin privileges
* *roles/storage.objectViewer* -- read-only access to objects
* *roles/storage.admin* -- create buckets & administrative roles
#### 3. Get a temporary access key for the service account
$ gcloud auth application-default print-access-token \
--impersonate-service-account \
dev-gcloud-go@${PROJECT_ID}.iam.gserviceaccount.com
ya29.c.c0ASRK0GbAFEewXD [truncated]
#### 4. update rclone.conf
find `{access_token": "xxx"}` and replace the value with the access token from step 3
#### 5. Run rclone as usual
rclone ls dev-gcs:${MY_BUCKET}/
### More Info on Service Accounts
* [Official GCS Docs](https://cloud.google.com/compute/docs/access/service-accounts)
* [Guide on Service Accounts using Key Files (less secure, but similar concepts)](https://forum.rclone.org/t/access-using-google-service-account/24822/2)
### Anonymous Access ### Anonymous Access
For downloads of objects that permit public access you can configure rclone For downloads of objects that permit public access you can configure rclone
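Review bot: the `add-iam-policy-binding` command in step 2 binds the role on the service account resource itself (`gcloud iam service-accounts add-iam-policy-binding gcs-read-only@... --member=serviceAccount:gcs-read-only@...`), which does not grant that account any access to Cloud Storage; a storage role has to be granted on the project (`gcloud projects add-iam-policy-binding ${PROJECT_ID} ...`) or on the bucket, and the service-account-level binding is instead where the caller's own principal (a `user:` member, not the service account) needs `roles/iam.serviceAccountTokenCreator` for the impersonation in step 3 to work. Smaller points in the same hunk: step 3 impersonates `dev-gcloud-go@...` while steps 1 and 2 create and configure `gcs-read-only@...`, and step 5 uses a remote `dev-gcs` that is never defined, so the walkthrough cannot be followed as written; the heading of step 3 says "access key" but what is printed is a short-lived access token, and the text should say that it expires (by default after about an hour), after which step 4 must be repeated, since users will otherwise report the remote as suddenly broken; step 4's search string `{access_token": "xxx"}` is missing its opening quote and would be clearer as the full `token = {"access_token": "..."}` line of rclone.conf; and the opening paragraph's "protect security by avoiding the use of the JSON key file, which can be breached" reads better as "avoid storing a long-lived JSON key file on the machine".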