iT邦幫忙

2025 iThome 鐵人賽

DAY 20
0
Cloud Native

《30 天 Cloud Native:AI 行程規劃後端開發》系列 第 20

Day20 - 安全部署策略:Cloud Build 與 Cloud Run 的角色與權限規劃

  • 分享至 

  • xImage
  •  

詢問 Gemini 後得知 Cloud Build 和 Cloud Run 的執行權限可以分開設定,因此將兩者的帳號分開管理,並重新記錄。

紀錄使用到的權限

這次開啟的 Audit Logs 有這些:

https://ithelp.ithome.com.tw/upload/images/20250903/20178194OHDtva1i0c.png

Cloud Build 會用到的權限有:

method: "Docker-FinishUpload",
method: "Docker-GetManifest",
method: "Docker-HeadBlob",
method: "Docker-PutManifest",
method: "Docker-StartUpload",
method: "google.cloud.run.v1.Services.GetService",
method: "google.cloud.run.v1.Services.ReplaceService",
method: "iam.serviceAccounts.actAs",

Cloud Run 跑服務時用到的權限有:

method: "google.cloud.aiplatform.v1.ReasoningEngineExecutionService.QueryReasoningEngine",
method: "google.cloud.aiplatform.v1.ReasoningEngineExecutionService.StreamQueryReasoningEngine",
method: "google.cloud.aiplatform.v1.ReasoningEngineService.GetReasoningEngine",

其實就是把 aiplatformgetquery 權限從 Cloud Build 移去 Cloud Run 就可以了,所以要新增一個有 Agent 存取權限的角色:

- aiplatform.reasoningEngines.query
- aiplatform.reasoningEngines.get

接著建立一個專供 Cloud Run 使用的 Service Account,並指派上述角色以執行服務。

自訂角色

總結一下目前設定角色,用於部屬 API Server 的 Cloud Run Deployer and Log Manager (另外加了 Log 的權限才能存記錄到 Cloud Build):

title: "Cloud Run Deployer and Log Manager"
description: "Custom role for deploying Cloud Run, managing Artifacts, and handling basic logging."
stage: "GA"
includedPermissions:
- artifactregistry.repositories.uploadArtifacts
- artifactregistry.repositories.downloadArtifacts
- run.services.get
- run.services.update
- iam.serviceAccounts.actAs
- logging.logEntries.create
- logging.logEntries.route

運行 API Server 的 Reasoning Engine Viewer and Querier :

title: "Reasoning Engine Viewer and Querier"
description: "Custom role for viewing and querying Vertex AI Reasoning Engines."
stage: "GA"
includedPermissions:
- aiplatform.reasoningEngines.query
- aiplatform.reasoningEngines.get

以及部屬 Vertex AI Agent Engine 的 Reasoning Engine and Storage Accessor :

title: "Reasoning Engine and Storage Accessor"
description: "Custom role for getting/updating Reasoning Engines and managing Storage objects."
stage: "GA"
includedPermissions:
- aiplatform.reasoningEngines.get
- aiplatform.reasoningEngines.update
- storage.buckets.get
- storage.objects.create
- storage.objects.get

分別建立與設定 Service Account :

Name Type Service Account Role
API Server Cloud Run api-server@xxx.gserviceaccount.com Reasoning Engine Viewer and Querier
API Server Build Cloud Build Trigger api-server-build@xxx.gserviceaccount.com Cloud Run Deployer and Log Manager
Agent Engine Cloud Build Trigger agent@xxx.gserviceaccount.com Reasoning Engine and Storage Accessor

權限設計總結

這樣的權限設計就合理多了,只有編譯和部屬的時候可以有較高的權限,而用來接收使用者資料的 API Server 僅具備對 Agent 請求的權限,這麼一來就算 API Server 存在漏洞,被駭客拿下控制權,也能將控制範圍限制在容器內,避免整個 Google Cloud 專案遭到全面掌控。


上一篇
Day19 - 一步步建立 Cloud Run 與 Reasoning Engine 的 IAM 角色
系列文
《30 天 Cloud Native:AI 行程規劃後端開發》20
圖片
  熱門推薦
圖片
{{ item.channelVendor }} | {{ item.webinarstarted }} |
{{ formatDate(item.duration) }}
直播中

尚未有邦友留言

立即登入留言