admin管理员组文章数量:1353261
I don't have a lot of experience with GCP, so I am confused about how this is working in my case. I am trying to put a restriction on the Google Maps API (New Places API). The script looks like this, but it does not matter much—it's just for demonstration.
import asyncio
from google.api_core.client_options import ClientOptions
from google.maps import places_v1
import os
async def search_pizza_times_square():
# Create a client
# client_options = ClientOptions(api_key="")
# client = places_v1.PlacesAsyncClient(client_options=client_options)
client = places_v1.PlacesAsyncClient()
# Initialize request argument(s)
request = places_v1.AutocompletePlacesRequest(
input="Proto"
)
# Make the request
response = await client.autocomplete_places(request=request)
# Handle the response
for suggestion in response.suggestions:
if suggestion.place_prediction:
print(f"Place: {suggestion.place_prediction.text.text}")
print(f"Place ID: {suggestion.place_prediction.place_id}")
print("---")
if __name__ == "__main__":
credential_path = "my-com-f0d214b40429.json"
os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = credential_path
asyncio.run(search_pizza_times_square())
I understand that the Google Maps API is not a part of GCP and can't be restricted by IAM permissions inside GCP. So, I've issued an API key and restricted it by IP address. This works if I configure the client in the script to use the API key.
However, by default, if I do not provide an API key, the script will try to use ADC and will get credentials from the service account configured for the script application. To test whether the service account is forbidden from accessing the Google Maps API, I created a new test service account with zero assigned roles. My expectation was that with 0 roles, there would be 0 permissions. However, if I run the script using the credentials of that service account, I still have access to the Google Maps API. This confuses me. How is this possible?
The Internet suggests that permissions can also be granted through Google Workspace:
Security > API controls > Domain-wide delegation
I see some service users listed there, but they all have different Client IDs than my service account. So again, my expectation is that the service account should have 0 permissions.
The Policy Analyzer in GCP also returns an empty list of resources and permissions available to the service account.
In summary, my goal is to have a service account with tightly restricted permissions - both in GCP IAM permissions and in creating OAuth credentials with scopes that grant access to APIs that are not part of GCP.
How can I achieve this?
I don't have a lot of experience with GCP, so I am confused about how this is working in my case. I am trying to put a restriction on the Google Maps API (New Places API). The script looks like this, but it does not matter much—it's just for demonstration.
import asyncio
from google.api_core.client_options import ClientOptions
from google.maps import places_v1
import os
async def search_pizza_times_square():
# Create a client
# client_options = ClientOptions(api_key="")
# client = places_v1.PlacesAsyncClient(client_options=client_options)
client = places_v1.PlacesAsyncClient()
# Initialize request argument(s)
request = places_v1.AutocompletePlacesRequest(
input="Proto"
)
# Make the request
response = await client.autocomplete_places(request=request)
# Handle the response
for suggestion in response.suggestions:
if suggestion.place_prediction:
print(f"Place: {suggestion.place_prediction.text.text}")
print(f"Place ID: {suggestion.place_prediction.place_id}")
print("---")
if __name__ == "__main__":
credential_path = "my-com-f0d214b40429.json"
os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = credential_path
asyncio.run(search_pizza_times_square())
I understand that the Google Maps API is not a part of GCP and can't be restricted by IAM permissions inside GCP. So, I've issued an API key and restricted it by IP address. This works if I configure the client in the script to use the API key.
However, by default, if I do not provide an API key, the script will try to use ADC and will get credentials from the service account configured for the script application. To test whether the service account is forbidden from accessing the Google Maps API, I created a new test service account with zero assigned roles. My expectation was that with 0 roles, there would be 0 permissions. However, if I run the script using the credentials of that service account, I still have access to the Google Maps API. This confuses me. How is this possible?
The Internet suggests that permissions can also be granted through Google Workspace:
Security > API controls > Domain-wide delegation
I see some service users listed there, but they all have different Client IDs than my service account. So again, my expectation is that the service account should have 0 permissions.
The Policy Analyzer in GCP also returns an empty list of resources and permissions available to the service account.
In summary, my goal is to have a service account with tightly restricted permissions - both in GCP IAM permissions and in creating OAuth credentials with scopes that grant access to APIs that are not part of GCP.
How can I achieve this?
Share Improve this question asked Mar 31 at 18:13 RafRaf 68410 silver badges21 bronze badges 2 |1 Answer
Reset to default 0Blocking of Google Cloud service account from automatically creating OAuth credentials may require disabling its ability to issue OAuth tokens, removing any existing service account keys, and ensuring no alternative authentication methods are in place.
- Disable the service account from issuing OAuth tokens by running:
gcloud iam service-accounts keys disable KEY_ID \
--iam-account=SA_NAME@PROJECT_ID.iam.gserviceaccount \
--project=PROJECT_ID
- Next, remove any existing service account keys by listing them with:
gcloud iam service-accounts keys delete KEY_ID \
--iam-account=SA_NAME@PROJECT_ID.iam.gserviceaccount
- To prevent OAuth-based access, modify your script to use an API key instead:
from google.api_core.client_options import ClientOptions
from google.maps import places_v1
client_options = ClientOptions(api_key="YOUR_API_KEY")
client = places_v1.PlacesAsyncClient(client_options=client_options)
These steps ensure that your service account is restricted from using OAuth credentials while still allowing explicit authentication methods like API keys.
本文标签:
版权声明:本文标题:google cloud platform - How can I forbid a service account in GCP from automatically creating OAuth credentials? - Stack Overflo 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1743927964a2563314.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。
https://www.googleapis/auth/cloud-platformand that this is also a default scope required by Places API ergo your Service Account is both authenticated and authorized. – DazWilkin Commented Mar 31 at 19:27auth/cloud-platformscope too and then IAM requires an appropriate identity*permission bindings to permit access. Here's the complete list of OAuth scopes by Google Service (note all services including Cloud are listed). – DazWilkin Commented Mar 31 at 19:30