Steps on CentOS 7 from installing gcloud through authenticating with a service account key, up to the point where the gcloud and gsutil commands can be used.
Prerequisites
# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
# python3 -V
Python 3.8.13
Installing gcloud requires Python 3.8 or later.
With 3.6 you get a warning like the following:
/root/google-cloud-sdk/install.sh
Welcome to the Google Cloud CLI!
WARNING: You appear to be running this script as root. This may cause
the installation to be inaccessible to users other than the root user.
WARNING: Python 3.6.x is no longer officially supported by the Google Cloud CLI
and may not function correctly. Please use Python version 3.8 and up.
If you have a compatible Python interpreter installed, you can use it by setting
the CLOUDSDK_PYTHON environment variable to point to it.
See the following page for how to create a service account key:
https://cloud.google.com/iam/docs/creating-managing-service-account-keys?hl=ja#creating
Once the key is created, a key file in the following format can be downloaded; it is used for authentication later.
{
"type": "service_account",
"project_id": "PROJECT_ID",
"private_key_id": "KEY_ID",
"private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n",
"client_email": "SERVICE_ACCOUNT_EMAIL",
"client_id": "CLIENT_ID",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL"
}
- key file : {PROJECT_ID}-*.json
- mail : {ACCOUNT_NAME}@{PROJECT_ID}.iam.gserviceaccount.com
Installation
# curl https://sdk.cloud.google.com | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 443 100 443 0 0 236 0 0:00:01 0:00:01 --:--:-- 236
Downloading Google Cloud SDK install script: https://dl.google.com/dl/cloudsdk/channels/rapid/install_google_cloud_sdk.bash
######################################################################## 100.0%
Running install script from: /tmp/tmp.f0wbCVGAZg/install_google_cloud_sdk.bash
which curl
curl -# -f https://dl.google.com/dl/cloudsdk/channels/rapid/google-cloud-sdk.tar.gz
######################################################################## 100.0%
Installation directory (this will create a google-cloud-sdk subdirectory) (/root):
mkdir -p /root
tar -C /root -zxvf /tmp/tmp.ogt7Y7LMef/google-cloud-sdk.tar.gz
google-cloud-sdk/.install/.download/
google-cloud-sdk/.install/core.manifest
google-cloud-sdk/.install/core.snapshot.json
(omitted)...
Performing post processing steps...done.
Update done!
Modify profile to update your $PATH and enable shell command completion?
Do you want to continue (Y/n)? y
The Google Cloud SDK installer will now prompt you to update an rc file to bring the Google Cloud CLIs into your environment.
Enter a path to an rc file to update, or leave blank to use [/root/.bashrc]:
Backing up [/root/.bashrc] to [/root/.bashrc.backup].
[/root/.bashrc] has been updated.
==> Start a new shell for the changes to take effect.
For more information on how to get started, please visit:
https://cloud.google.com/sdk/docs/quickstarts
# source ~/.bashrc
# gcloud -v
Google Cloud SDK 483.0.0
bq 2.1.6
bundled-python3-unix 3.11.8
core 2024.06.28
gcloud-crc32c 1.0.0
gsutil 5.30
After installation, settings like the following are appended to the ~/.bashrc file:
# The next line updates PATH for the Google Cloud SDK.
if [ -f '/root/google-cloud-sdk/path.bash.inc' ]; then . '/root/google-cloud-sdk/path.bash.inc'; fi
# The next line enables shell command completion for gcloud.
if [ -f '/root/google-cloud-sdk/completion.bash.inc' ]; then . '/root/google-cloud-sdk/completion.bash.inc'; fi
Running source ~/.bashrc after installation loads these settings and applies them.
Authenticating with a service account
This assumes the created key file has been placed in a directory of your choice (/path/to/key/{PROJECT_ID}-*.json).
# gcloud auth login --cred-file=/path/to/key/{PROJECT_ID}-*.json --project={PROJECT_ID}
Authenticated with service account credentials for: [{ACCOUNT_NAME}@{PROJECT_ID}.iam.gserviceaccount.com].
Your current project is [{PROJECT_ID}]. You can change this setting by running:
$ gcloud config set project PROJECT_ID
# gcloud config list
[core]
account = {ACCOUNT_NAME}@{PROJECT_ID}.iam.gserviceaccount.com
disable_usage_reporting = False
project = {PROJECT_ID}
Your active configuration is: [default]
With this, commands such as gcloud compute instances list and gsutil ls should now be usable.
ref : https://cloud.google.com/sdk/docs/authorizing?hl=ja#key
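Added example (not part of the original post): a pre-flight check to run on the key file before the gcloud auth login step above. It confirms the file is a regular file with no group/other permissions, that its type is service_account, and that client_email matches the {ACCOUNT_NAME}@{PROJECT_ID}.iam.gserviceaccount.com form listed earlier. The function names and sample key values are constructed for illustration, and field extraction assumes one field per line as in the key file format shown above.

```shell
# Added example: sanity-check a service account key file before it is passed
# to `gcloud auth login --cred-file=...`. Helper names are hypothetical.

# Print a top-level string field; assumes one "name": "value" pair per line.
sa_key_field() {
  sed -n 's/^[[:space:]]*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Returns 0 if the key file passes all checks, a distinct non-zero code otherwise.
check_sa_key() {
  local key=$1 mode ktype project email
  if [ ! -f "$key" ] || [ -L "$key" ]; then
    echo "not a regular file: $key" >&2; return 1
  fi
  # Characters 5-10 of the ls mode string are the group/other permission bits.
  mode=$(ls -ld -- "$key" | cut -c5-10)
  if [ "$mode" != "------" ]; then
    echo "key accessible by group/other; run: chmod 600 $key" >&2; return 2
  fi
  ktype=$(sa_key_field "$key" type)
  project=$(sa_key_field "$key" project_id)
  email=$(sa_key_field "$key" client_email)
  if [ "$ktype" != "service_account" ]; then
    echo "unexpected type: '$ktype'" >&2; return 3
  fi
  # Matches the e-mail form this page lists for the account.
  case $email in
    *"@${project}.iam.gserviceaccount.com") ;;
    *) echo "client_email does not belong to project '$project'" >&2; return 4 ;;
  esac
  echo "ok: $email (project $project)"
}

# Constructed sample key (placeholder values, no real key material).
make_sample_key() {
  cat > "$1" <<'EOF'
{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "0000",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
  "client_email": "deploy@example-project.iam.gserviceaccount.com"
}
EOF
}

# When run as a script with a path argument, check that file.
[ -z "${1:-}" ] || check_sa_key "$1"
```

Saved as a script, it can be run with the key path as its only argument; a non-zero exit status means the key should not be used as-is.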