Google App Engine (Flex) + Cloud SQL Auth Proxy: using different accounts for deployment and for accessing Cloud SQL
I'm using the Maven plugin to deploy to App Engine. I need to be logged in to gcloud to be able to deploy services. I also need to be logged in to gcloud to be able to use the Cloud SQL Auth Proxy. Now I don't see any way to set the deployer account separately from the Cloud SQL Auth Proxy account, which means I have to use the same account, which has broad privileges, starting from deployment and ending with 'Cloud SQL Connector/Instance User'. Is it a design flaw? Did I miss something?
Desired state:
- Manually scaled service in AppEngine Flex (basically a singleton, legacy monolith app)
- Cloud SQL PostgreSQL instance
- Separate service account for deployment with .json key
- Separate service account (IAM) for Cloud SQL Auth Proxy with .json key
UPDATE.
Temporarily solved by this config:
spring-context.xml
<!-- Nested <beans profile="appengine"> block, active only when the Spring profile
     "appengine" is set. The ${db.*} placeholders are filled from the -D system
     properties in JAVA_OPTS below, which requires a property placeholder
     (e.g. <context:property-placeholder/>) in the enclosing context. -->
<beans profile="appengine">
    <bean id="hikariConfig" class="com.zaxxer.hikari.HikariConfig">
        <property name="poolName" value="springHikariCP" />
        <property name="connectionTestQuery" value="SELECT 1" />
        <property name="driverClassName" value="org.postgresql.Driver" />
        <property name="connectionTimeout" value="600000"/>
        <property name="jdbcUrl" value="${db.url}" />
        <property name="username" value="${db.username}"/>
        <property name="password" value="${db.password}"/>
        <property name="dataSourceProperties">
            <props>
                <!-- sslmode=disable is acceptable only because the Cloud SQL socket
                     factory named in db.url (or the local Auth Proxy) already wraps
                     the connection in TLS; never use it against a public IP. -->
                <prop key="sslmode">disable</prop>
            </props>
        </property>
    </bean>
</beans>
app.yaml
# Plain-text credentials in env_variables are readable by anyone who can read
# app.yaml or describe the deployed version.
env_variables:
  JAVA_OPTS: >-
    -Ddb.username=postgres -Ddb.password=postgres-password
    -Ddb.url=jdbc:postgresql://127.0.0.1:3306/dbname?cloudSqlInstance=project:location:instance&socketFactory=com.google.cloud.sql.postgres.SocketFactory
# Two connection paths are configured and both authenticate as the service's
# runtime service account: the socketFactory in db.url opens its own TLS
# connection and ignores 127.0.0.1:3306, while cloud_sql_instances starts the
# proxy sidecar on that port (3306 is the MySQL default; 5432 is clearer for PostgreSQL).
beta_settings:
  # tcp sockets:
  cloud_sql_instances: project:location:instance=tcp:3306
1 answer
I think a few things are being confused here: the account used to deploy the service vs. the account that the service is deployed with. These are two different things.

The account logged into gcloud and used to deploy your App Engine service (i.e. the account with the permissions to run gcloud app deploy) does not have to be the same as the one that has the permissions to connect to Cloud SQL. However, the service account that the app is deployed with and used by App Engine (the App Engine default service account or a custom service account) will, and should, be the same service account used to authenticate to your Cloud SQL instance.

You can scope down the permissions used by App Engine by providing a custom service account, instead of using the App Engine default service account, with only the permissions your application requires. That way you can grant the Cloud SQL Client and Cloud SQL Instance User roles on top of it and not have the broad Editor permissions. For more details see: Connect Cloud SQL from App Engine Flex
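The separation the answer describes, as an added example that is not part of the original question or answer: one service account deploys, a different one is attached to the Flex service as its runtime identity (the account the proxy sidecar and the JDBC socket factory authenticate with), and a third, proxy-only key is used for local sessions through the Cloud SQL Auth Proxy. The project id, region, service-account ids and instance name are placeholders, the deployer role list is an assumption to check against the App Engine predefined-roles documentation, and the proxy invocation assumes the v2 CLI flags. Commands are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not code from the original post). Splits the deployer
# identity from the runtime identity of an App Engine Flex service that
# talks to Cloud SQL. All names are placeholders; DEPLOYER_ROLES is an
# assumed minimal set. Nothing is applied unless APPLY=1.
set -eu

PROJECT="${PROJECT:-my-project}"
REGION="${REGION:-us-central1}"
DEPLOYER_SA="deployer@${PROJECT}.iam.gserviceaccount.com"
RUNTIME_SA="app-runtime@${PROJECT}.iam.gserviceaccount.com"
INSTANCE="${PROJECT}:${REGION}:pg-instance"

# Runtime identity: what the deployed service (proxy sidecar or JDBC socket
# factory) authenticates with. Cloud SQL roles only, no Editor.
# roles/cloudsql.instanceUser matters only for IAM database authentication;
# with a password user such as "postgres", roles/cloudsql.client is enough.
RUNTIME_ROLES="roles/cloudsql.client roles/cloudsql.instanceUser"

# Deployer identity: what gcloud / the Maven plugin logs in as. Assumed
# minimal set for a Flex deploy (versions, traffic, staging bucket, build).
DEPLOYER_ROLES="roles/appengine.deployer roles/appengine.serviceAdmin roles/storage.objectAdmin roles/cloudbuild.builds.editor"

# Returns 0 if every role in "$1" is on the allowlist for the runtime
# identity, 1 if anything broader (roles/editor, roles/owner, ...) slipped in.
runtime_roles_ok() {
  for role in $1; do
    case "$role" in
      roles/cloudsql.client|roles/cloudsql.instanceUser) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Runs the command when APPLY=1, otherwise prints it (dry run).
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Creates both service accounts and binds the roles above.
setup_identities() {
  runtime_roles_ok "$RUNTIME_ROLES" || { echo "runtime roles too broad" >&2; return 1; }
  run gcloud iam service-accounts create deployer --project "$PROJECT"
  run gcloud iam service-accounts create app-runtime --project "$PROJECT"
  for role in $RUNTIME_ROLES; do
    run gcloud projects add-iam-policy-binding "$PROJECT" \
      --member "serviceAccount:$RUNTIME_SA" --role "$role"
  done
  for role in $DEPLOYER_ROLES; do
    run gcloud projects add-iam-policy-binding "$PROJECT" \
      --member "serviceAccount:$DEPLOYER_SA" --role "$role"
  done
  # The deployer attaches the runtime SA to the service, so it needs
  # serviceAccountUser on that one account, not project-wide.
  run gcloud iam service-accounts add-iam-policy-binding "$RUNTIME_SA" \
    --member "serviceAccount:$DEPLOYER_SA" --role roles/iam.serviceAccountUser \
    --project "$PROJECT"
}

# app.yaml lines that pin the runtime identity and keep the proxy sidecar.
print_app_yaml() {
  cat <<EOF
runtime: java
env: flex
service_account: $RUNTIME_SA
manual_scaling:
  instances: 1
beta_settings:
  cloud_sql_instances: $INSTANCE=tcp:5432
EOF
}

# Deploy as the deployer SA (its key stays on the build machine), then run the
# local Cloud SQL Auth Proxy (v2 flags assumed) with a separate proxy-only key.
deploy_and_proxy() {
  run gcloud auth activate-service-account --key-file deployer.json
  run gcloud app deploy app.yaml --project "$PROJECT" --quiet
  run cloud-sql-proxy --credentials-file proxy-sa.json --port 5432 "$INSTANCE"
}
```

The deployed service never sees either .json key: it authenticates as the attached runtime service account through the metadata server, so the only place deployer.json lives is the build machine and the only place proxy-sa.json lives is a developer's workstation. Rotating or revoking one key therefore does not touch the other identity.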