[GO] About uploading files from on-premises environment to GCS bucket and setting minimum privilege

background

End users want to upload files from their on-premises environment to a GCS bucket, but that's all the information and it's hard to hear directly. The GCP project is built without an organization, but think about it without being influenced by such factors as whether you are using Google Workspace, have a Google account, what your on-premises environment is like, and so on. It was.

Draft

I decided to issue a service account in my GCP project, give it the role "Storage Object Creator", create a service account key, and then upload the file from the Docker container in the end user's on-premises environment.

Creating a bucket

Create a storage class STANDARD, Tokyo region, uniform bucket.

export PROJECT_ID=
export BUCKET_ID=
export DEV_BUCKET_ID=$BUCKET_ID-dev

# create bucket
gsutil mb -p $PROJECT_ID -c STANDARD -l ASIA-NORTHEAST1 -b on gs://$DEV_BUCKET_ID

# check bucket's iam
gsutil iam get gs://$DEV_BUCKET_ID

Check inherited permissions

Buckets that handle sensitive information may inherit the permissions set at the project level (because the gsutil iam get command cannot check the permissions inherited from the project level) on the Console. Check permissions. By default, basic roles (Owner, Editor, Viewer) can also access the bucket, but delete them if you don't need them. However, if the owner is deleted and there is no member with the role equivalent to Storage Admin, the bucket will be inoperable.

permissions_bucket.png

Issuance of service account and key

Create a service account, key for use in your on-premises environment, and grant the service account the role of Storage Object Creator at the bucket level.

export PROJECT_ID=
export SER_ACC_ID=
export DEV_SER_ACC_ID=$SER_ACC_ID-dev

# create service account
gcloud iam service-accounts create $DEV_SER_ACC_ID --project $PROJECT_ID \
 --description "" --display-name $DEV_SER_ACC_ID

# create key file for service account
gcloud iam service-accounts keys create {KEY_FILE_PATH} \
 --project $PROJECT_ID --iam-account $DEV_SER_ACC_ID@$PROJECT_ID.iam.gserviceaccount.com

# grant objectCreator role to service account
gsutil iam ch serviceAccount:$DEV_SER_ACC_ID@$PROJECT_ID.iam.gserviceaccount.com:objectCreator \
 gs://$DEV_BUCKET_ID

Dockerfile creation

After doing Install Google Cloud SDK, you can use gsutil, but I dare to use Google Cloud SDK Docker. First, the file layout is here.

├── Dockerfile
├── certs
│   └── service-account-keyfile.json
├── csv
│   └── testdata.csv
└── docker-entrypoint.sh

Dockerfile

FROM google/cloud-sdk:slim

COPY ./docker-entrypoint.sh /

ENTRYPOINT ["/docker-entrypoint.sh"]

docker-entrypoint.sh

#!/bin/bash
set -e

usage() {
  echo "Usage: $0 [-f upload csv file path] [-b gcs bucket name]" 1>&2
  exit 1
}

while getopts f:b:h OPT
do
  case $OPT in
    f)  FILE_PATH=$OPTARG
        ;;
    b)  BUCKET_NAME=$OPTARG
        ;;
    h)  usage
        ;;
  esac
done

if [ ! -f "$FILE_PATH" ]; then
    echo "$FILE_PATH does not exist."
    exit 0
fi

# service account login
gcloud auth activate-service-account --key-file=/certs/service-account-keyfile.json

# upload file to GCS
gsutil cp $FILE_PATH gs://$BUCKET_NAME

upload

You can upload the file to your GCS bucket by running the command below.

export BUCKET_ID=
export DEV_BUCKET_ID=$BUCKET_ID-dev

# create docker image
docker build -t uploader-gcloud .

# upload testdata.csv
docker run --rm \
 --mount type=bind,source=$PWD/certs,target=/certs \
 --mount type=bind,source=$PWD/csv,target=/csv \
uploader-gcloud -f /csv/testdata.csv -b $DEV_BUCKET_ID

Chat

In the first place, it may be a high hurdle to put Docker in the end user environment. But I thought this was a story I wouldn't know without a challenge, and in the end, the end user created a Google account and gave them the role "Storage Object Creator" + permissions "storage.buckets.list, storage.objects.list". In the form, I will operate it on the Console every day. (What is the labor shortage?)

However, for me as a Docker beginner, I realized that Google Cloud SDK Docker is a very useful tool for checking permissions.

Recommended Posts

About uploading files from on-premises environment to GCS bucket and setting minimum privilege
[PAY.JP] About setting environment variables-Courage to delete when in trouble-
* Android * About saving / reading files to external storage and permissions