Bitbucket 管道中的 GCP OIDC 集成问题

问题描述 投票:0回答:1

我正在尝试使用 OIDC 在 Bitbucket Pipelines 和 GCP 之间建立集成,以访问 GCP 资源(例如,列出 GCP 存储桶)。尽管遵循了Atlassian 社区指南中概述的所有步骤,我还是遇到了以下错误:

ERROR: (gcloud.storage.buckets.list) There was a problem refreshing your current auth tokens: ('Unable to acquire impersonated credentials', '{\n  "error": {\n    "code": 403,\n    "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",\n    "status": "PERMISSION_DENIED",\n    "details": [\n      {\n        "@type": "type.googleapis.com/google.rpc.ErrorInfo",\n        "reason": "IAM_PERMISSION_DENIED",\n        "domain": "iam.googleapis.com",\n        "metadata": {\n          "permission": "iam.serviceAccounts.getAccessToken"\n        }\n      }\n    ]\n  }\n}\n')

我遵循的步骤:

  1. 在 GCP 中创建工作负载身份池:

    gcloud beta iam workload-identity-pools create bitbucket-pipelines-oidc-demo \
  --location="global" \
  --description="A workload identity pool for Bitbucket Pipelines" \
  --display-name="bitbucket-pipelines-oidc-demo"

  2. 创建了 OIDC 提供商

    gcloud beta iam workload-identity-pools providers create-oidc bitbucket-oidc-idp \
  --workload-identity-pool="bitbucket-pipelines-oidc-demo" \
  --issuer-uri="https://api.bitbucket.org/2.0/workspaces/my-workspace/pipelines-config/identity/oidc" \
  --location="global" \
  --attribute-mapping="google.subject=assertion.sub,attribute.workspace_uuid=assertion.workspaceUuid" \
  --allowed-audiences="ari:cloud:bitbucket::workspace/my-workspace-uuid"

  3. 在 GCP 中创建服务帐号

     gcloud iam service-accounts create my-service-account \
  --display-name="Service account for OIDC integration"

  4. 将服务帐户绑定到工作负载身份池。

    gcloud iam service-accounts add-iam-policy-binding [email protected] \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/my-project-number/locations/global/workloadIdentityPools/bitbucket-pipelines-oidc-demo/attribute.workspace_uuid/my-workspace-uuid"

  5. 已授予服务帐户权限

     gcloud projects add-iam-policy-binding my-project \
 --member="serviceAccount:[email protected]" \
 --role="roles/storage.viewer"

  6. 配置了 Bitbucket 管道。这是我的 bitbucket-pipelines.yml 文件

      image: google/cloud-sdk:alpine
    
      pipelines:
        default:
          - step:
              name: Test OIDC with GCP
              oidc: true
              script:
                # Save OIDC token to a file
                - echo -n "${BITBUCKET_STEP_OIDC_TOKEN}" > /tmp/gcp_access_token.out
    
                # Create GCP credentials
                - |
                  gcloud iam workload-identity-pools create-cred-config \
                    projects/my-project-number/locations/global/workloadIdentityPools/bitbucket-pipelines-oidc-demo/providers/bitbucket-oidc-idp \
                    --service-account="[email protected]" \
                    --output-file=/tmp/sts-creds.json \
                    --credential-source-file=/tmp/gcp_access_token.out
    
                # Export credentials
                - export GOOGLE_APPLICATION_CREDENTIALS=/tmp/sts-creds.json
    
                # Authenticate and list buckets
                - gcloud auth login --cred-file=/tmp/sts-creds.json
                - gcloud storage buckets list

观察到的问题:

  • 管道在尝试列出存储桶的步骤失败, 返回上述错误。

  • 服务帐户似乎没有足够的 冒充自己或访问的权限 iam.serviceAccounts.getAccessToken 权限。

问题:

  • 我的配置中缺少什么?有没有额外的 需要权限或角色吗?

  • 问题是否与凭证的生成或传递方式有关 正在筹备中?

  • OIDC 代币本身是否有问题,我该如何解决 调试吗?

任何指导将不胜感激。预先感谢!

google-cloud-platform openid-connect bitbucket-pipelines
1个回答
0
投票

请尝试:

gcloud projects add-iam-policy-binding ${PROJECT} \
--member=serviceAccount:${EMAIL} \
--role=roles/iam.serviceAccountTokenCreator

其中 

PROJECT
是你的 
my-project
EMAIL
是你的 
[email protected]

将其作为评论发布太困难了,如果这不是答案,我会删除。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.