How does Google Cloud authenticate default service accounts?
I wonder how Google authenticates default service accounts in users' projects.
For instance, I have the default service account for Compute in my project, but it has no associated means for impersonation or authentication (no IAM policy bindings, like iam.ServiceAccounts.getAccessToken, and no keys):
    $ gcloud iam service-accounts list
    DISPLAY NAME                            EMAIL                                                DISABLED
    Compute Engine default service account  502923505097-compute@developer.gserviceaccount.com   False

    $ gcloud iam service-accounts get-iam-policy 502923505097-compute@developer.gserviceaccount.com
    etag: ACAB
There are some bindings inherited from the project level. For example, there is a binding for the Compute Engine Service Agent:
    $ gcloud projects get-iam-policy cedar-lexicon-312307
    bindings:
    - members:
      - serviceAccount:service-502923505097@compute-system.iam.gserviceaccount.com
      role: roles/compute.serviceAgent
Do I understand correctly that the Compute Engine Service Agent is authorised to impersonate any service account in my project and is used to impersonate Compute's default service account? Are there any other means (maybe hidden from users) by which Google services impersonate default service accounts?
You can see the roles of the service agent in the documentation. It's a Google-managed service account, granted on your project, to let Google automation services interact with your project. You can remove permissions from these service agent service accounts to remove the permission for Google Platform products to interact with your project. Use at your own risk!
If you want to roll back your test, you can try to disable and then enable the related API.
You can also manually add the service agent service account email to your project, with the correct role.
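One way to check which principals in a project policy are Google-managed service agents (the `service-<project-number>@<product>.iam.gserviceaccount.com` pattern seen above) and which other principals hold project-wide roles that let them impersonate every service account in the project, as an added example that is not part of the original question or answer. It parses a constructed policy JSON in the shape `gcloud projects get-iam-policy PROJECT --format=json` returns; the extra bindings, the `audit_policy` name and the role list are constructed for illustration.

```python
import json
import re
from collections import defaultdict

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`:
# the service agent binding from the page plus two constructed human bindings.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/compute.serviceAgent",
         "members": ["serviceAccount:service-502923505097@compute-system.iam.gserviceaccount.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["user:alice@example.com"]},
        {"role": "roles/viewer",
         "members": ["user:bob@example.com"]},
    ],
    "etag": "ACAB",
})

# Google-managed service agents live outside the project's own SA domain:
# service-<project-number>@<product>.iam.gserviceaccount.com
SERVICE_AGENT_RE = re.compile(
    r"^serviceAccount:service-\d+@[a-z0-9-]+\.iam\.gserviceaccount\.com$")

# Predefined roles that, when granted at project level, let the holder mint tokens
# for, act as, or create keys for every service account in the project.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator",  # includes iam.serviceAccounts.getAccessToken
    "roles/iam.serviceAccountUser",          # includes iam.serviceAccounts.actAs
    "roles/iam.serviceAccountKeyAdmin",      # includes iam.serviceAccountKeys.create
}

def audit_policy(policy_json):
    """Return (service_agents, impersonators): service_agents maps each Google-managed
    agent member to its roles; impersonators maps each other member holding a
    project-wide impersonation-capable role to those roles."""
    policy = json.loads(policy_json)
    service_agents = defaultdict(list)
    impersonators = defaultdict(list)
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if SERVICE_AGENT_RE.match(member):
                service_agents[member].append(role)
            elif role in IMPERSONATION_ROLES:
                impersonators[member].append(role)
    return dict(service_agents), dict(impersonators)

if __name__ == "__main__":
    agents, who = audit_policy(SAMPLE_POLICY)
    for member, roles in agents.items():
        print("service agent:", member, roles)
    for member, roles in who.items():
        print("can impersonate project SAs:", member, roles)
```

Run it against real output by replacing `SAMPLE_POLICY` with the JSON from `gcloud projects get-iam-policy PROJECT --format=json`; members flagged in the second group are the ones to review if the question is who can obtain tokens for the default service account.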