This video demonstrates how to securely perform actions on behalf of a service account without generating or sharing its private keys, by utilizing service account impersonation.
In this video we are going to learn about service account impersonation. Impersonation means acting on somebody's behalf and doing the job.

I highly recommend you to watch the service account part one video; this will give you context for what we'll be talking about in this video. If you are interested only in impersonation, you can continue watching this video as well.

In the last video we did these four steps: we created a service account, we assigned the role, we downloaded the JSON key and authenticated gcloud with the service account, and then uploaded and downloaded the files. Here the third step, which is downloading the JSON key, is not at all secure, because when you create a JSON key it is at risk: you are going to share it with your teammates over email, over the file system, or however you want to share it, and it has a very, very high potential to get compromised.

To avoid this situation Google provides us a better solution, which we are going to do now. That thing is called service account impersonation.
What is impersonation? Suppose John Miller is a user, and John does not have permissions to create cloud storage. We have a service account which we created in the last video, bucket-read-service; it has the role of service admin. John only needs a role called Service Account Token Creator. Once you assign that role, John can impersonate the bucket-read-service service account and create a bucket on behalf of the service account.

How will it be done? When John tries to create a bucket, of course John has to impersonate a service account while doing it, and a token will be generated. That token is a short-lived token: it will do the job and will close the session. That's how you can do the job without generating the key, only generating a token on an as-needed basis. I'm going to show this in action, but for now understand that anybody can act as anybody, provided the right set of permissions.
In the lab we'll go ahead and see this quickly. Today's hands-on lab will be about: we'll assign the service account the required permissions to create a bucket; we'll assign John Miller the required permission to impersonate and create a token; strictly, we are not going to generate any service account key, because that's the point of creating this video, because you should know how you will be working in any company. The fourth step will be: John Miller will try to create a bucket using his own credentials, only by impersonating a service account. In the last video we downloaded the key, activated the session, and then we copied and read and wrote the files to the bucket; but now I'm not downloading any key, I'll not be downloading any key, and then I'll show you how we can create the bucket. Let's hit the lab now to see these four steps in action.
On the other side: in the last video we created the service account bucket-read-service. We also created a bucket. We downloaded the key and then we wrote the files into this bucket. You can also see we assigned permissions on the resource level, which is just on this particular bucket, not on the overall project. This was the bucket name which we created last time.

Today we are going to do something different, which is: without generating the key, how can we create a bucket? John Miller, in this example, is one of the users from the devops group. He wants to create a bucket, but without assigning or generating the key. We have to use the service account, assign roles to both of them, and then John has to impersonate the service account and create this cloud storage bucket. That will be the example, so let's go ahead and do it.
So you go to the user directory and you can see John Miller is here, and we will now go ahead and give the required rights to John Miller. In fact, before doing that, let's see what error we will get; that will help you to understand the error also, because that is part of working in this area. So we ensure that we have logged in as John Miller. John Miller is a member of the devops group. Yeah, you can see John has low permission; he's part of this devops group, and the devops group has Viewer permission, so John can see all the resources of this project but he cannot do anything, which in this case is to create a bucket, so he should not be able to create the bucket. You can see that, as we have logged in as John, I cannot create the bucket: when you go to the Create button you can see it is disabled for John, because he doesn't have the right to create a bucket.
Now what we'll do: we will open a Cloud Shell session. In this Cloud Shell session we will authenticate as John Miller, log in as John Miller, and then try to create the bucket. In the last video what we did: we logged in as a user called pushkar sharan at cloudspin.in, downloaded the key, authenticated with it, and then created using that service account. But today we are not going to download any key. Let me do gcloud auth list; you can see the active star (*), which means this is the active account. You can have multiple authentications in place within one Cloud Shell session.

Now, since the session is set, let me try to create a bucket. Of course from the UI I cannot create it, but from the CLI, can I? The command is gcloud storage buckets create and the full bucket name. It is trying to create it... oh, I got the error, and the error says 403, which is "you do not have storage.buckets.create access". This is what we wanted, right? We don't want to give John any permission yet, and we want him to create a bucket. And now here comes the first part of our example, which is giving John and the service account the required permissions. Let's go ahead and give those permissions to them.
Yep, here you can go to Service Accounts. Let's copy the full service account email address, because we have to assign the required permissions to both of them. Now I want to give rights on the entire project, so I will create an IAM policy over here: the resource is this project, the principal is the service account, and the role will be Storage Admin, because I want to play with storage and I want to create and delete buckets. Without Storage Admin you would have to create a custom role, but for this example we can use Storage Admin. All right, I'm just clicking Save; this will attach this set of IAM policy and create an IAM policy for me, which means that this particular service account will be able to create buckets. That is the first part of it.

Second, what I'm going to do is assign permission to John Miller as well, because so far we have not given any permission to John Miller; he is a Viewer because he's part of a group, and with that he cannot create a bucket. Now comes the power of impersonation. I want to give John: the resource will be the data science project, so on the project level John should be able to create tokens, which is to impersonate as others. The role is called Service Account Token Creator; you can see "impersonate service accounts, create auth tokens", etc. So I am again attaching this policy. This was one of the asks, to assign the required permissions: we give John Service Account Token Creator and we give this service account Storage Admin. So John still doesn't have much permission: he can just create tokens, but he cannot create buckets directly yet. Let's give it one more try: can he do that?
Okay, I'm going to list the buckets to check it again. The first example of impersonation is gsutil. gsutil is a CLI to communicate with buckets. I'm saying gsutil -i, which is impersonate, then the entire service account name which we just gave the Storage Admin right, then ls, which means list all the buckets within this project, or within whatever the service account has access to. Yes, you did get the response this time, because John impersonated the service account without generating the key. Okay, and he could get the output, gs service-account-demo Cloud Sprint; you can see above you have just one bucket. That was the idea of impersonation, so we have just listed it to check the connectivity and access, whether we can list the buckets or not.

Now I am going to create the bucket. Yeah, let me hit Enter; the bucket name is also fine. Oh, again we are stuck with an error. Why? Because again this time we tried to create with John Miller's ID only. Now we're going to try again by impersonating a service account.
The command is gcloud --impersonate-service-account. Yeah, this time you can see the bucket is created. The command is gcloud --impersonate-service-account with the full email address, then storage buckets create and the bucket name with gs://. This time the bucket is created. That's the reason: because this time John impersonated the service account, that's why he could access the rights the service account has. What happened in between: it created a token. Here you can see the bucket is also created successfully. When you did this, a token was created; when John submitted the request to the API, a token was created, and that token helped to create this bucket. Yeah, again you can re-verify that only with this Service Account Token Creator, without generating any key, any user can impersonate as any user and create any resource, if the service account has those permissions. That is the concept of impersonation. It's very, very powerful; you can use it for doing your Terraform deployments, your CI/CD, etc.
A few documentation parts which I wanted to highlight: you can see credentials with Workload Identity; you can also see these CLI things, which are get-iam-policy and set-iam-policy; it is all in the service account section, below the service account. You should practice these commands because they are very important for the exams. How can you set an IAM policy from the console, or get, create, delete, describe: these things you must at least have a look at before you appear for the exam, because these are important.

The next bit is creating short-lived tokens, which we just did in the example. You can create short-lived tokens, and without generating a key you can do a lot of stuff. The last part is how do you impersonate: there are three ways to do it. Service Account User; Service Account Token Creator, which we just did in this example, where we generated a token; and the third is Workload Identity User, which is used for working with Kubernetes pods, where you can authenticate your pod with any service account. That's the way of impersonation that you work with GKE.

This concludes IAM for this particular exam, which is the Associate Cloud Engineer exam. I have created five videos about IAM, more than sufficient to cover the exam. You really need to know IAM by heart, so I really recommend you go through these five videos and do the practicals as well; that's really going to help you pass the exam. With this video all the foundational work of creating an organization, setting up users, and understanding the roles and groups is done. Now we'll be starting to learn one service every week, so that's the idea. If you like the content please subscribe to my channel. Thank you very much for your
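The four lab steps from the video written out as gcloud commands, added here as an example and not code from the video or its author. Project, service account, user and bucket names are assumed placeholders; the Token Creator grant is placed on the service account itself rather than on the whole project, which is narrower than what the video does.

```shell
#!/bin/sh
# Added example: the video's four lab steps as gcloud commands.
# All names below are assumed placeholders; override them via the environment.
set -eu

PROJECT="${PROJECT:-my-project-id}"
SA="${SA:-bucket-read-service@${PROJECT}.iam.gserviceaccount.com}"
USER_EMAIL="${USER_EMAIL:-john.miller@example.com}"
BUCKET="${BUCKET:-gs://impersonation-demo-bucket}"

# Step 1: the service account (not John) gets Storage Admin on the project,
# so it is the identity allowed to create and delete buckets.
grant_sa_storage_admin() {
  gcloud projects add-iam-policy-binding "$PROJECT" \
    --member="serviceAccount:$SA" --role="roles/storage.admin"
}

# Step 2: John gets Token Creator on this one service account only. The video
# grants it project-wide; per-SA binding lets John mint tokens for this SA alone.
grant_user_token_creator() {
  gcloud iam service-accounts add-iam-policy-binding "$SA" \
    --member="user:$USER_EMAIL" --role="roles/iam.serviceAccountTokenCreator"
}

# Step 3: no key is downloaded. The global --impersonate-service-account flag
# makes gcloud fetch a short-lived access token for the SA and use it for this
# one call, while the Cloud Shell session stays logged in as John.
list_buckets_as_sa() {
  gcloud storage ls --impersonate-service-account="$SA"
}

# Step 4: the same flag on the create call; this is the command the video runs.
create_bucket_as_sa() {
  gcloud storage buckets create "$BUCKET" --impersonate-service-account="$SA"
}

# Shows that what gets minted is a token, not a key. Only its length is
# printed so the token itself never lands in shell history or logs.
show_token_length() {
  gcloud auth print-access-token --impersonate-service-account="$SA" | wc -c
}

main() {
  grant_sa_storage_admin
  grant_user_token_creator
  list_buckets_as_sa
  create_bucket_as_sa
  show_token_length
}
if [ "${1:-}" = "run" ]; then main; fi
```

Save it as a file and run it with `sh <file> run` while gcloud is authenticated as the user who holds the Token Creator role; the functions can also be sourced and called one at a time.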