Google Cloud VM实例共享

Question

I have two vm instance . I want to give permission as compute admin to different users for both machines. Means two different owner of two Instance.

Answer 1

At Google Cloud Next 2018, Google announced Compute Engine resource-level IAM .

Inside a same project, you can now grant directly different roles to your Compute VMs to different users. If your use-case is to have 2 users ( user1@mydomain.com and user2@mydomain.com ), each one admin of a specific instance (relatively instance1 and instance2 ), you can define the following YAML files :

# instance1_policy.yaml

bindings:
- members:
  - user:user1@mydomain.com
  role: roles/compute.admin

and

# instance2_policy.yaml

bindings:
- members:
  - user:user2@mydomain.com
  role: roles/compute.admin

And apply the policies (merge the following files with the existing VMs IAM policies if you need so, check by using gcloud compute instances get-iam-policy before) :

gcloud compute instances set-iam-policy --zone=<INSTANCE1_ZONE> instance1 instance1_policy.yaml
gcloud compute instances set-iam-policy --zone=<INSTANCE2_ZONE> instance2 instance2_policy.yaml

Note also that IAM policies applying on your project can interfer with these policies. For example, if user1@mydomain.com have roles/compute.admin role on the project, then he may also have access to instance2 , "ignoring" your policy on instance2 VM (he have inherited roles/compute.admin role from the project).