问题描述

我正在阅读有关云身份和访问管理的文档方法:projects.serviceAccounts.signBlob .我已经弄清楚了，除了身体

I'm reading the documentation for Cloud Identity and Access Management Method: projects.serviceAccounts.signBlob. I've got it figured out except for the body, which is

{
  "bytesToSign": string
}

文档说应该是

The bytes to sign.

A base64-encoded string.

天哪，多么有帮助！谁能解释bytesToSign是什么?我在那放什么?服务帐户私钥?

Gosh, how helpful! Can anyone explain what bytesToSign is? What do I put there? The service account private key?

推荐答案

Google云平台 (GCP) IAM API方法 projects.serviceAccounts.signBlob 允许您使用系统管理的私钥对数据块进行加密签名"给定服务帐户.

The Google Cloud Platform (GCP) IAM API method projects.serviceAccounts.signBlob allows you to cryptographically "sign" a blob of data using the system-managed private key for a given service account.

更多信息:数字签名

权限

为了使用服务帐户对Blob进行签名，您需要确保您的帐户对所涉及的服务帐户具有iam.serviceAccounts.signBlob权限.最简单的方法是在项目或服务帐户上为您的帐户授予服务帐户令牌创建者.该角色包含以下权限:

In order to sign blobs using a service account, you need to make sure your account has the iam.serviceAccounts.signBlob permission on the service account in question. The easiest way to do this is to grant your account the Service Account Token Creator on the Project or the Service Account. This role contains the following permissions:

• iam.serviceAccounts.get
• iam.serviceAccounts.getAccessToken
• iam.serviceAccounts.implicitDelegation
• iam.serviceAccounts.list
• iam.serviceAccounts.signBlob
• iam.serviceAccounts.signJwt
• resourcemanager.projects.get
• resourcemanager.projects.list

• iam.serviceAccounts.get
• iam.serviceAccounts.getAccessToken
• iam.serviceAccounts.implicitDelegation
• iam.serviceAccounts.list
• iam.serviceAccounts.signBlob
• iam.serviceAccounts.signJwt
• resourcemanager.projects.get
• resourcemanager.projects.list

使用API​​

此API端点采用两个参数:

This API endpoint takes two arguments:

• 服务帐户名称(在请求的网址中)
您想要(在请求正文中)进行加密签名的
• blob

• service account name (in the URL of the request)
• blob that you would like to cryptographically sign (in the body of the request)

作为一个例子，假设您要对此文本签名:

As an example, let's say that you want to sign this text:

Here is some text that I would like to sign.

首先，您必须对字符串进行base64编码，该字符串将变为:

First, you must base64 encode the string, which becomes:

SGVyZSBpcyBzb21lIHRleHQgdGhhdCBJIHdvdWxkIGxpa2UgdG8gc2lnbi4=

然后，您将在正文中使用base64编码的字符串发布到端点.例如，如果您的项目名为my-project，并且您想使用我的App Engine默认服务帐户对Blob进行签名，则可以执行以下操作:

Then you would post to the endpoint with the base64-encoded string in the body. For example, if your project was called my-project and you wanted to sign the blob with my App Engine default service account, you would do:

POST:https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/my-project@appspot.gserviceaccount.com:signBlob?key={YOUR_API_KEY}

身体:

{
 "bytesToSign": "SGVyZSBpcyBzb21lIHRleHQgdGhhdCBJIHdvdWxkIGxpa2UgdG8gc2lnbi4="
}

如果成功，它将返回一个响应，其中包含用于对Blob进行签名的keyId和作为已签名Blob的signature.

If successful, it will return a response with the keyId that was used to sign the blob and the signature which is the signed blob.

示例:

{
 "keyId": "f123aa7016e4565e49a489357aa384fa25a9e789",
 "signature": "t7FT+3b0AUzqmGHofHIa8MDcfuBOKQa4/DtK6Ovel22Y9pa5G4PduW5iYY9EMQpyXW3sZEZiyFRs3M9nGkLt/DKXITCW9Ta4nvLZwNj1ahFjkujr12iUzyU+NR9/Db2LWoI/g4j1e27E9O8zqXdi+BQpKkOYHUcfbH3xcTbEJnmjU/1zEHztNRXlihNPyOjSWsKhPdVnVzxYmi6Y3Bmgb3kCZe5hhUhANo9gavsakSogi0y5z625vHiW3roQkH2fEktcDkf49GlLJEHqRu+FaCcAwgpsEs/Nm+llgfhSuHKx1tcvslmTWOGAnYDKVg74oqg4FgfhiLqBWJYRrFRwxQ=="
}

您可以在此处使用API​​资源管理器尝试(但将项目名称更改为您的项目，将服务帐户名称更改为您的服务帐户).

You can try it here with the API Explorer (but change the project name to your project and change the service account name to your service account).

这也可以通过 gcloud ，例如:

$ gcloud iam service-accounts sign-blob \
      --iam-account my-account@somedomain.com input.bin output.bin

有关此命令如何与更广泛的云基础架构联系的更多信息，请参阅:

For more information on how this command ties into the wider cloud infrastructure, please see:

• https://cloud.google.com/appengine/docs/standard/python/appidentity/
• https://cloud.google.com/appengine/docs/java/appidentity/
• https://cloud.google.com/appengine/docs/standard/php/appidentity/
• https://cloud.google.com/appengine/docs/standard/go/appidentity/

• https://cloud.google.com/appengine/docs/standard/python/appidentity/
• https://cloud.google.com/appengine/docs/java/appidentity/
• https://cloud.google.com/appengine/docs/standard/php/appidentity/
• https://cloud.google.com/appengine/docs/standard/go/appidentity/

您可以使用它来声明您对非Google服务的身份.如果要断言您提供给外部应用程序的某些文本实际上是您提供的，则可以使用signBlob方法对文本进行签名，以使用私钥对文本进行签名，然后可以使用get_public_certificates()方法来获取可用于验证签名的证书列表.

You might use this to to assert your identity to non-Google services. If you want to assert that some text provided by you to an external application is in fact coming from you, then you can sign the text with the signBlob method to sign the text with your private key, and then you can use the get_public_certificates() method to obtain a list of certificates which can be used to validate that the signature.

更多:向第三方服务声明身份

这篇关于什么是"bytesToSign"?在Google Cloud Security Products signBlob中?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！