Google Cloud Service帐户具有Translate API访问权限,无需分配任何角色
[英]Google Cloud Service Account has Translate API access without any roles assigned
问题描述
I created a service account to use with Cloud Translate API (from my app), and have noticed that I can make the call even thought I have not assigned it any roles!!! 
我创建了一个服务帐户,用于Cloud Translate API(来自我的应用程序),并注意到即使我没有为其分配任何角色,我也可以拨打电话!
I have verified ( based on this answer ) via gcloud projects get-iam-policy MYPROJECTID and the service account I used has no roles associated.... 我已通过gcloud projects get-iam-policy MYPROJECTID验证( 基于此答案 ) gcloud projects get-iam-policy MYPROJECTID和我使用的服务帐户没有关联的角色....
I thought service account would need at least "Cloud Translation API User" role in order to work.... 我认为服务帐户至少需要“云翻译API用户”角色才能工作....
- How do I restrict the service account to only be able to use the Translate API 如何将服务帐户限制为只能使用Translate API
- If this is not possible, does this mean that some APIs are accessible by any service account in project? 如果这不可能,这是否意味着项目中的任何服务帐户都可以访问某些API?
Thanks Z 谢谢Z.
1 个解决方案
解决方案1
0
The Translate API v2 isn't integrated with Cloud IAM, but the V3 is and that's why there are Cloud Translation roles (which also apply for the Cloud AutoML Translation service). Translate API v2未与Cloud IAM集成,但V3是 ,这就是云翻译角色 (也适用于Cloud AutoML翻译服务)的原因。
Regarding Question 1: For non-IAM-integrated services the only way to constrain authorization is through OAuth Scopes. 关于问题1:对于非IAM集成服务,限制授权的唯一方法是通过OAuth Scopes。 So, for Translation API v2 you can't restrict the service account to use only this API unless Translate is the only API-enabled in the project. 因此,对于Translation API v2,您不能将服务帐户限制为仅使用此API,除非Translate是项目中唯一启用的API。
Regarding Question 2: API services not integrated with Cloud IAM can be accessed using only a service account, even if it doesn't have any roles (because there are no Cloud IAM roles associated with the service yet). 关于问题2:未与云IAM集成的API服务只能使用服务帐户访问,即使它没有任何角色(因为尚未与该服务关联的Cloud IAM角色)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.