Google Cloud 项目到服务帐户到用户角色的映射创建
[英]Google cloud project to service account to user roles mapping creation
问题描述
I have a Google cloud project created.
我创建了一个谷歌云项目。
I created a service account with project editor role.我创建了一个具有项目编辑器角色的服务帐户。
Now, if I give a user, serviceAccountUser role to the service account, it doesn't automatically gives the user permission on the project.现在,如果我为服务帐户授予用户 serviceAccountUser 角色,它不会自动授予用户对该项目的权限。
If I login using that user to Google cloud console, I'm unable to see the project itself.如果我使用该用户登录 Google 云控制台,则无法看到项目本身。
It says in the documentation - "Users granted the Service Account User role on a service account can use it to indirectly access all the resources to which the service account has access."它在文档中说 - “在服务帐户上授予服务帐户用户角色的用户可以使用它来间接访问服务帐户有权访问的所有资源。”
So, I thought I would be able to access all the projects as well.所以,我想我也可以访问所有项目。 Does the above statement mean something else?上面的说法还有别的意思吗?
1 个解决方案
解决方案1
1 已采纳 2020-08-26 16:09:35
On GCP you have user accounts and service accounts.在 GCP 上,您有用户帐户和服务帐户。 The main purpose of the service accounts is to consume GCP services via API calls, the documentation says: " A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs .".服务帐户的主要目的是通过 API 调用使用 GCP 服务,文档说:“ 服务帐户是一种特殊类型的 Google 帐户,旨在代表需要进行身份验证并被授权访问数据的非人类用户谷歌 API 。”。 For login and interact with the GUI and resources you need a user account, if you want to see the resources the account need the viewer role, if you need perform operations on the resources you need admin role, review the documentation for more information ( How IAM works ).为了登录和交互 GUI 和资源,您需要一个用户帐户,如果您想查看该帐户需要查看者角色的资源,如果您需要对需要管理员角色的资源执行操作,请查看文档以获取更多信息(如何IAM 工作)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.