堆栈内存溢出
  简体   繁体   English

在 GCP 上,如何授予对另一个项目中服务帐户的访问权限?

[英]On GCP, how to grant access to a service account in another project?

 原文  2019-10-02 23:31:54       google-cloud-platform/ google-compute-engine

问题描述

I have a compute instance in project project-b , and a separate project project-a .我在项目project-b中有一个计算实例,还有一个单独的项目project-a The instance in project-b needs to access project-a using a project-a service account. project-b中的实例需要使用project-a服务帐号访问project-a

1 个解决方案

解决方案1
 0  2019-10-02 23:31:54

In project-a :project-a

  • Create the service account.创建服务帐户。 Suppose its name is project-a-service-account@project-a.iam.gserviceaccount.com .假设它的名称是project-a-service-account@project-a.iam.gserviceaccount.com
  • Grant the service account very specific, limited roles授予服务帐户非常具体的有限角色
  • Create and download a key for the service account.为服务帐户创建并下载密钥。 Name it key.json .将其命名为key.json

In project-b :project-b

  • Create a compute instance创建计算实例
  • SSH to the instance. SSH 到实例。 Type all the commands that follow into this compute instance SSH shell.在此计算实例 SSH shell 中键入后面的所有命令。
  • Upload key file key.json to the instance.将密钥文件key.json上传到实例。 If you are using the Google Cloud Console SSH window, you can do this using Upload in the gear icon menu in the upper right.如果您使用的是 Google Cloud Console SSH window,则可以使用右上角齿轮图标菜单中的上传来执行此操作。

  • Activate the service account:激活服务帐号:

     gcloud auth activate-service-account project-a-service-account@project-a.iam.gserviceaccount.com --key-file key.json

  • Reinitialize:重新初始化:

     gcloud init
    • The gcloud init command will offer to re-initialize the current configuration, or create a new one. gcloud init命令将提供重新初始化当前配置或创建新配置。 It might be nice to create a new one, but it's up to you.创建一个新的可能会很好,但这取决于您。
    • Choose account project-a-service-account@project-a.iam.gserviceaccount.com选择账户project-a-service-account@project-a.iam.gserviceaccount.com

Now, this instance in project-b can act as the service account in project-a .现在, project-b中的这个实例可以充当project-a -a 中的服务帐户。 For example, if the service account has compute.instances.create permission, you can create an instance in project-a :例如,如果服务帐户具有compute.instances.create权限,您可以在project-a中创建实例:

gcloud compute instances create new-instance --project project-a

Administrators of project-a can revoke this access by revoking the keys for service account project-a-service-account@project-a.iam.gserviceaccount.com . project-a管理员可以通过撤销服务帐户project-a-service-account@project-a.iam.gserviceaccount.com的密钥来撤销此访问权限。

Google has a super fast-talking demo showing this .谷歌有一个超级快速的演示展示了这一点

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 GCP-IAM - 如何授予对组织中所有服务帐户的访问权限? - GCP-IAM - How to grant access to all service account in organization? 具有项目所有者的 GCP 服务帐户可以授予用户帐户权限吗? - Can a GCP service account with owner for a project grant rights to user account? 如何授予数据存储访问服务帐户的权限? - How to grant datastore access to a service account? 如何恢复 GCP 项目服务帐号 - How to recover GCP project service account 如何授予服务帐户访问 Google Cloud 上的用户帐户的权限 - How to grant service account access to a user account on google cloud GCP + Terraform:向项目级别的用户授予服务帐户访问权限 - GCP + Terraform : Service account access is granted to a user at project level 在 GCP 中使用服务帐号创建项目 - Create project with service account in GCP GCP 服务帐号访问问题 - GCP service account access issue 如何从GCP中另一个项目的pod访问一个项目的kubernets服务 - How to access kubernets service of one project from pod of another project in GCP 是否可以将另一个 GCP 项目的服务帐户附加到 GCP 云功能? - Is it possible to attach a Service account from another GCP project to a GCP Cloud Function?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM