谷歌云 gcloud 为服务帐户 email 启用 API 服务
[英]Google cloud gcloud enabling API services for service account email
问题描述
How do I enable API services specifically for a service account and not a user account?
如何专门为服务帐户而不是用户帐户启用 API 服务?
Context: I'm using a Python script to locally test a cloud function (query BQ, convert results to json, drop in GCS bucket).上下文:我正在使用 Python 脚本在本地测试云 function(查询 BQ,将结果转换为 json,放入 GCS 存储桶)。 I can do this fine with my own test account where I'm able to enable services, but not sure how I would do it (or how a client would go about doing it) for a client's service account.我可以使用我自己的测试帐户来启用服务,但不确定我将如何为客户的服务帐户执行此操作(或客户将如何执行此操作 go)。 This is how I do it for my own service account:这就是我为自己的服务帐户做的:
- Get service account credentials as json获取服务帐户凭据 json
- Follow installations for gcloud cloud sdk按照 gcloud cloud sdk 的安装
- Issue:
gcloud auth activate-service-account --key-file="/path/to/json-todd-credentials.json" --project="json-todd"问题: gcloud auth activate-service-account --key-file="/path/to/json-todd-credentials.json" --project="json-todd" - Enable API services like so:
gcloud enable --account="json-todd@json-todd.iam.gserviceaccount.com" cloudfunctions.googleapis.com pubsub.googleapis.com etc.像这样启用 API 服务: gcloud enable --account="json-todd@json-todd.iam.gserviceaccount.com" cloudfunctions.googleapis.com pubsub.googleapis.com etc.
I have the client's service account json and I can auth activate-service-account the service account but I can't enable because I don't have permissions - but how would the client enable APIs it specifically for a service account on GCP without having to install/initialise/auth the service account in the way above?我有客户的服务帐户 json,我可以auth activate-service-account服务帐户,但我无法启用,因为我没有权限 - 但是客户端如何在没有权限的情况下专门为 GCP 上的服务帐户启用 API以上述方式安装/初始化/授权服务帐户?
1 个解决方案
解决方案1
2 已采纳 2020-12-23 19:21:35
There is a misunderstanding I think.我认为有一个误解。 The API are enabled for a project, not for a service account (or a user account). API 是为项目启用的,而不是为服务帐户(或用户帐户)启用的。 Then, you have permissions to access to the API that you have activated.然后,您有权访问您已激活的 API。
If you have a service account, on a new project, without the API enable, there is no issue to grant this service account with the roles/serviceusage.serviceUsageAdmin .如果您有一个服务帐户,在一个新项目中,没有 API 启用,则使用roles/serviceusage.serviceUsageAdmin serviceusage.serviceUsageAdmin 授予此服务帐户没有问题。 Like this, the service account will be able to activate the API on the project, possibly, ALL the API. BUT if the service account has only the permission to access to BigQuery (for example) and the service account activate the compute engine API, it won't be able to access to VM, even if, the API is enabled.像这样,服务帐户将能够激活项目上的 API,可能是所有 API。但是如果服务帐户只有访问 BigQuery 的权限(例如)并且服务帐户激活计算引擎 API,即使启用了 API,它也无法访问 VM。
At the opposite, if the API are already enabled on the project, the service account doesn't need to have the roles/serviceusage.serviceUsageAdmin role granted, only the permission to use the activated API.反之,如果API已经在项目上启用,则服务账号不需要授予roles/serviceusage.serviceUsageAdmin角色,只需要使用激活的API的权限即可。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.