[英]On GCP, how to grant access to a service account in another project?
I have a compute instance in project project-b
, and a separate project project-a
.我在项目
project-b
中有一个计算实例,还有一个单独的项目project-a
。 The instance in project-b
needs to access project-a
using a project-a
service account. project-b
中的实例需要使用project-a
服务帐号访问project-a
。
In project-a
:在
project-a
:
project-a-service-account@project-a.iam.gserviceaccount.com
.project-a-service-account@project-a.iam.gserviceaccount.com
。key.json
.key.json
。 In project-b
:在
project-b
:
key.json
to the instance.key.json
上传到实例。 If you are using the Google Cloud Console SSH window, you can do this using Upload in the gear icon menu in the upper right. Activate the service account:激活服务帐号:
gcloud auth activate-service-account project-a-service-account@project-a.iam.gserviceaccount.com --key-file key.json
Reinitialize:重新初始化:
gcloud init
gcloud init
command will offer to re-initialize the current configuration, or create a new one. gcloud init
命令将提供重新初始化当前配置或创建新配置。 It might be nice to create a new one, but it's up to you.project-a-service-account@project-a.iam.gserviceaccount.com
project-a-service-account@project-a.iam.gserviceaccount.com
Now, this instance in project-b
can act as the service account in project-a
.现在,
project-b
中的这个实例可以充当project-a
-a 中的服务帐户。 For example, if the service account has compute.instances.create
permission, you can create an instance in project-a
:例如,如果服务帐户具有
compute.instances.create
权限,您可以在project-a
中创建实例:
gcloud compute instances create new-instance --project project-a
Administrators of project-a
can revoke this access by revoking the keys for service account project-a-service-account@project-a.iam.gserviceaccount.com
. project-a
管理员可以通过撤销服务帐户project-a-service-account@project-a.iam.gserviceaccount.com
的密钥来撤销此访问权限。
Google has a super fast-talking demo showing this .谷歌有一个超级快速的演示展示了这一点。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.