I am looking for the secure/recommended way to connect and perform actions on GCS.
Need:
We have files on an on-premises Linux environment that need to be uploaded to GCS on an hourly basis. Newer files alone will need to be uploaded. Multiple users/processes use the server. Manual intervention or authentication is not possible. Ok to have one-time authentication setup.
Current Implementation:
A simple shell script using a service account, as shown below. The script is authenticated using the JSON key file of the service account with access to the storage account.
gsutil -m rsync -r -P -e <LINUX_PATH> <GCS_PATH>
Questions:
What is the safest and recommended way to authenticate from an on-premises Linux server outside of GCP to connect to GCS?
Is there a better way to handle the authentication without downloading the key file? I understand that if an intruder gets access to the server, we are done for anyway, but it would still be nice if we had a better option.
Update:
In case the Service Account Key file is the only option, please suggest the recommended way to secure the file. Currently we limit the permissions of the file to the user executing the shell script. Any other options would be appreciated.
- We had considered "Service Account Impersonation". But in this case, how are we supposed to log in to the user having only the serviceAccountTokenCreator role? We would once again need to resort to the JSON key file?
3.1. In case of Service Account Impersonation, is the allowed time defaulted to 60 minutes?
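As an added example that is not part of the original question or any answer: a POSIX shell wrapper around the hourly gsutil rsync command from the question. Before touching the key it verifies that the key file is a regular file owned by the executing user with no group/other access (the "limit the permissions to the executing user" control from the update), then activates that identity and, when STORAGE_SA is set, uses gsutil's -i option so the objects are written as a separate storage service account through short-lived impersonated credentials. KEY_FILE, STORAGE_SA, LINUX_PATH and GCS_PATH are placeholder values; gcloud and gsutil installed on the server and GNU stat (Linux) are assumed.

```shell
#!/bin/sh
# Added example, not from the original question or any answer: hourly upload
# wrapper that refuses to run unless the service-account key file is locked
# down to the executing user, then runs the gsutil rsync from the question,
# optionally impersonating a separate storage service account with gsutil -i.
#
# Placeholder values (assumptions, not from the page); override via environment.
KEY_FILE="${KEY_FILE:-/etc/gcs-upload/sa-key.json}"   # JSON key of the base identity
STORAGE_SA="${STORAGE_SA:-}"   # e.g. uploader@PROJECT.iam.gserviceaccount.com, empty = no impersonation
LINUX_PATH="${LINUX_PATH:-/var/exports}"
GCS_PATH="${GCS_PATH:-gs://example-bucket/exports}"

# Succeeds only if the key file is a regular file, owned by the current user,
# with mode 0400 or 0600 (no group/other access). Uses GNU stat -c (Linux).
check_key_file() {
    f="$1"
    [ -f "$f" ] || { echo "key file missing: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f") || return 1
    owner=$(stat -c '%U' "$f") || return 1
    case "$mode" in
        400|600) ;;
        *) echo "key file $f has mode $mode, expected 400 or 600" >&2; return 1 ;;
    esac
    [ "$owner" = "$(id -un)" ] || {
        echo "key file $f is owned by $owner, not $(id -un)" >&2; return 1; }
    return 0
}

# Activates the base identity from the key file and runs the rsync. With
# STORAGE_SA set, every gsutil call acts as that service account via
# impersonation, so the key on disk only needs the Token Creator role on it.
run_hourly_upload() {
    check_key_file "$KEY_FILE" || return 1
    gcloud auth activate-service-account --key-file="$KEY_FILE" || return 1
    if [ -n "$STORAGE_SA" ]; then
        set -- -i "$STORAGE_SA"
    else
        set --
    fi
    # Same rsync invocation as the question; -r recurse, -P preserve POSIX
    # attributes, -e skip symlinks. rsync only sends files that differ from
    # the destination, which covers the "newer files only" requirement.
    gsutil "$@" -m rsync -r -P -e "$LINUX_PATH" "$GCS_PATH"
}

# Run only when invoked with RUN_UPLOAD=1 so the file can also be sourced
# for testing without contacting GCS.
if [ "${RUN_UPLOAD:-0}" = "1" ]; then
    run_hourly_upload
fi
```

The permission check is the part that runs every hour even though the authentication setup is one-time: it catches a later chmod or chown of the key by another user or process on the shared server before the key is used again. The base identity in this layout still needs a credential on disk, which is exactly the question's open point; what impersonation changes is that the on-disk key no longer carries storage permissions itself.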
There are different ways you can do uploads in GCS. As to your script, you are using single-request upload type. You may want to check the following ways:
Resumable uploads, which can use OAuth 2.0 and XML configuration.
Streaming uploads, which use checksum validation when streaming.
Just remember that every time you configure additional security for your system, there can be added complexity in implementing it.