iT邦幫忙

2025 iThome Ironman Contest (鐵人賽)

DAY 19
Cloud Native

"30 Days of Cloud Native: Backend Development for an AI Itinerary Planner" series, part 19

Day19 - Building IAM Roles for Cloud Run and the Reasoning Engine Step by Step


Today I continue with permission management, this time trying to build custom IAM roles from the permissions captured in Audit Logs.

Capturing permission records with Audit Logs

I asked Gemini and learned that Audit Logs can record the permissions actually used, so I configured the following:

https://ithelp.ithome.com.tw/upload/images/20250902/2017819489ty2f8sJg.png

Then, in Logs Explorer, the entries can be filtered with:

protoPayload.authenticationInfo.principalEmail="xxxxx@xxxxxx.iam.gserviceaccount.com"

Now, triggering a Cloud Build deployment and running the API tests writes the permissions that were needed into Logs Explorer. I saved the captured log to a text file and extracted the list of permissions with this command:

$ cat log.txt | awk 'match($0, /method:[^,]*,/) {print substr($0, RSTART, RLENGTH) }' | sort | uniq
method: "Docker-FinishUpload",
method: "Docker-GetManifest",
method: "Docker-HeadBlob",
method: "Docker-PutManifest",
method: "Docker-StartUpload",
method: "google.cloud.aiplatform.v1.ReasoningEngineExecutionService.QueryReasoningEngine",
method: "google.cloud.aiplatform.v1.ReasoningEngineExecutionService.StreamQueryReasoningEngine",
method: "google.cloud.aiplatform.v1.ReasoningEngineService.GetReasoningEngine",
method: "google.cloud.run.v1.Services.GetService",
method: "google.cloud.run.v1.Services.ReplaceService",
method: "google.longrunning.Operations.WaitOperation",
method: "iam.serviceAccounts.actAs",

Building the custom role YAML

I asked Gemini to build a role from these permissions, and it produced this YAML:

title: "Cloud Run and Reasoning Engine Deployer"
description: "Custom role for deploying Cloud Run services and interacting with Reasoning Engines, including Artifact Registry access."
stage: "GA"
permissions:
- artifactregistry.repositories.uploadArtifacts
- artifactregistry.repositories.downloadArtifacts
- aiplatform.reasoningEngines.query
- aiplatform.reasoningEngines.streamQuery
- aiplatform.reasoningEngines.get
- run.services.get
- run.services.update
- longrunning.operations.wait
- iam.serviceAccounts.actAs

Then it can be created with gcloud iam roles create:

gcloud iam roles create CloudRunAndReasoningEngineDeployer --project=... \
    --file=custom-deployer-role.yaml

But the file generated at first was wrong; after I showed Gemini the error message, it revised the file to the following:

title: "Cloud Run and Reasoning Engine Deployer"
description: "Custom role for deploying Cloud Run services and interacting with Reasoning Engines, including Artifact Registry access."
stage: "GA"
includedPermissions:
  - artifactregistry.repositories.uploadArtifacts
  - artifactregistry.repositories.downloadArtifacts
  - aiplatform.reasoningEngines.query
  - aiplatform.reasoningEngines.get
  - run.services.get
  - run.services.update
  - iam.serviceAccounts.actAs

That is, permissions was renamed to includedPermissions, and aiplatform.reasoningEngines.streamQuery and longrunning.operations.wait were dropped (compare the two YAML files above).
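As an added example (not the author's code), here is a small Python script that does the same extraction from the JSON that Logs Explorer exports instead of grepping `method:` strings: it reads `protoPayload.authorizationInfo[].permission`, which is the IAM permission Cloud Audit Logs actually checked, keeps only granted checks for one principal, and renders the `includedPermissions` YAML while flagging `iam.serviceAccounts.actAs`. The log lines, the principal e-mail and the role title are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sample of Logs Explorer JSON-lines output, not a real export.
# Field layout follows Cloud Audit Logs: protoPayload.authenticationInfo,
# protoPayload.methodName and protoPayload.authorizationInfo[].permission.
SAMPLE_LOG = """
{"protoPayload": {"authenticationInfo": {"principalEmail": "deployer@example-project.iam.gserviceaccount.com"}, "methodName": "google.cloud.run.v1.Services.ReplaceService", "authorizationInfo": [{"permission": "run.services.update", "granted": true}, {"permission": "iam.serviceAccounts.actAs", "granted": true}]}}
{"protoPayload": {"authenticationInfo": {"principalEmail": "deployer@example-project.iam.gserviceaccount.com"}, "methodName": "google.cloud.run.v1.Services.GetService", "authorizationInfo": [{"permission": "run.services.get", "granted": true}]}}
{"protoPayload": {"authenticationInfo": {"principalEmail": "someone-else@example.com"}, "methodName": "storage.objects.get", "authorizationInfo": [{"permission": "storage.objects.get", "granted": true}]}}
{"protoPayload": {"authenticationInfo": {"principalEmail": "deployer@example-project.iam.gserviceaccount.com"}, "methodName": "google.cloud.run.v1.Services.DeleteService", "authorizationInfo": [{"permission": "run.services.delete", "granted": false}]}}
"""

# Permissions that let a principal act as another identity get called out in the YAML.
SENSITIVE = {"iam.serviceAccounts.actAs"}


def granted_permissions(log_text, principal):
    """Return {permission: sorted list of API methods} for checks granted to `principal`."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        payload = json.loads(line)["protoPayload"]
        if payload["authenticationInfo"]["principalEmail"] != principal:
            continue
        for auth in payload.get("authorizationInfo", []):
            # A denied check merely appeared in the log; the role must not grant it.
            if auth.get("granted"):
                perms[auth["permission"]].add(payload["methodName"])
    return {p: sorted(m) for p, m in sorted(perms.items())}


def role_yaml(title, perms):
    """Render a gcloud custom-role file; the list key is includedPermissions, not permissions."""
    lines = [f'title: "{title}"', 'stage: "GA"', "includedPermissions:"]
    for p in perms:
        flag = "  # sensitive: allows acting as a service account" if p in SENSITIVE else ""
        lines.append(f"- {p}{flag}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = granted_permissions(SAMPLE_LOG, "deployer@example-project.iam.gserviceaccount.com")
    for perm, methods in found.items():
        print(f"{perm:40s} <- {', '.join(methods)}")
    print(role_yaml("Cloud Run and Reasoning Engine Deployer", found))
```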

Finally, just go to the IAM page and assign the role to the Service Account. Right after the change, the Security lightbulb indicator still had not gone out; it probably takes some time, so I will check again tomorrow. Next, the same exercise for the Agent Engine.

Capturing the Agent Engine permissions

This time I added Google Cloud Storage to the Audit Log configuration, because the Agent gets packaged into a Bucket:

https://ithelp.ithome.com.tw/upload/images/20250902/20178194gvRIqXxGx9.png

Far fewer permissions were recorded:

method: "google.cloud.aiplatform.v1.ReasoningEngineService.GetReasoningEngine",
method: "google.cloud.aiplatform.v1.ReasoningEngineService.UpdateReasoningEngine",
method: "storage.buckets.get",
method: "storage.objects.create",
method: "storage.objects.get",

Again I asked Gemini to build the role definition file:

title: "Reasoning Engine and Storage Accessor"
description: "Custom role for getting/updating Reasoning Engines and managing Storage objects."
stage: "GA"
includedPermissions:
- aiplatform.reasoningEngines.get
- aiplatform.reasoningEngines.update
- storage.buckets.get
- storage.objects.create
- storage.objects.get

Create the role with the command:

gcloud iam roles create ReasoningEngineStorageAccessor --project=... \
    --file=reasoning-engine-storage-role.yaml

Finally, create a Service Account and assign it the role.

On the security of the iam.serviceAccounts.actAs permission

However, the iam.serviceAccounts.actAs permission looks suspicious. A quick search shows that, much like sudo, it can be used to obtain higher privileges for operations, so I need to look further into how to restrict it.

