What IAM permissions do I need to use to create a Service Account similar to Default Compute Engine Service Account?
I've deleted the default service account and it has been longer than 30 days. I don't know if it applies to all marketplace solutions, but the one that I want to use can't be launched without the compute engine default service account.
What are the IAM permissions I need to set to create a service account that has the same permissions as the compute engine default service account to launch VM from marketplace?
I tried Compute Admin, compute.imageUser and Compute Instance Admin, but to no avail.
In addition to that, why does the marketplace solution require the default service account when it is recommended to disable/remove the default compute engine service account because of the editor role?
What is the compute engine default service account?
By default, the account is automatically granted the project editor role on the project and is listed in the IAM section of Cloud Console. This service account is only deleted when the project is deleted. However, you can change the roles granted to this account, including revoking all access to your project.
You can undelete a service account only if it was deleted fewer than 30 days ago.
Instead of that, we can create a new service account and grant an 'Editor' role to it, as a default compute engine service account has the same role by default. Refer to Compute Engine default service account for more information.
To set the service account as the compute engine default service account on the project, we can use the following command:
gcloud alpha compute project-info set-default-service-account
But since the command is in the 'alpha' launch stage, it is not available for everyone.
I could suggest the following options:
If you have questions regarding an Alpha release or participation in an Alpha program, please reach out to sales. In this case a sales team needs to approve it.
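
The three steps from the answer above (create the account, bind a role, set it as the project default), as an added shell example that is not part of the original post. The function names are hypothetical, the project and account IDs are placeholders supplied by the caller, and the e-mail form assumes a standard (not domain-scoped) project; the role is a parameter that defaults to `roles/editor` as the answer states, so a narrower role can be passed instead.

```shell
#!/bin/sh
# Added example: replace a deleted Compute Engine default service account.
# Commands are printed by default; set APPLY=1 to execute them with gcloud.
LC_ALL=C; export LC_ALL   # make the a-z ranges below byte-exact

# Service account IDs: 6-30 chars, lowercase letters, digits and hyphens,
# starting with a letter and not ending with a hyphen.
valid_sa_id() {
  len=${#1}
  [ "$len" -ge 6 ] && [ "$len" -le 30 ] || return 1
  case "$1" in
    [!a-z]*|*[!a-z0-9-]*|*-) return 1 ;;
  esac
  return 0
}

# E-mail of a user-managed service account (assumes a standard project ID).
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# Print the command (dry run) or execute it when APPLY=1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# replace_default_sa PROJECT_ID SA_ID [ROLE]
replace_default_sa() {
  project=$1 sa_id=$2 role=${3:-roles/editor}
  valid_sa_id "$sa_id" || { echo "invalid service account id: $sa_id" >&2; return 2; }
  email=$(sa_email "$sa_id" "$project")
  # 1. Create the replacement account.
  run gcloud iam service-accounts create "$sa_id" --project="$project" \
      --display-name="compute-default-replacement" || return 1
  # 2. Grant it the role (Editor unless a narrower ROLE is given).
  run gcloud projects add-iam-policy-binding "$project" \
      --member="serviceAccount:$email" --role="$role" || return 1
  # 3. Make it the project's default (alpha command, may not be available).
  run gcloud alpha compute project-info set-default-service-account \
      --project="$project" --service-account="$email"
}
```

Calling `replace_default_sa my-project compute-default` prints the three commands for review before anything is changed.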