如何授予实习生访问“VM 实例”的权限? 使用@gmail.com email 地址(GCP)
[英]How to give access to "VM Instances" to the intern? with @gmail.com email address (GCP)
问题描述
I got an developer intern.
我有一个开发实习生。 I need him to access GCP paid VM Instance I created so he can start developing.我需要他访问我创建的 GCP 付费 VM 实例,以便他可以开始开发。 He should have root access through sudo, and preferably his own username linux account so we can see his files when he clones repo's,installs services,etc.他应该通过 sudo 获得 root 访问权限,最好是他自己的用户名 linux 帐户,这样我们就可以在他克隆 repo、安装服务等时看到他的文件。
He should not: have access to modify instance, no access to change discs or instance size, no access to any other resource.他不应该:有权修改实例,无权更改磁盘或实例大小,无权访问任何其他资源。 Just ssh and root inside a vm.只是 ssh 和虚拟机中的 root。 His account is under his personal email abc..@gmail.com他的账户在他的个人账户下 email abc..@gmail.com
What exact permissions do I need to give him?我需要给他什么确切的权限?
a) I used the default service account, but I could switch it to project specific service account that will soon also run cloud functions. a) 我使用了默认服务帐户,但我可以将其切换到项目特定服务帐户,该帐户很快也会运行云功能。
b) For google employees, there should really be a guide/tour for "grant access" that allows people who have less then 10 vm instances follow it to grant access properly without delay or compromising security. b) 对于 google 员工,确实应该有一个“授予访问权限”的指南/导览,允许拥有少于 10 个 vm 实例的人按照它正确授予访问权限,而不会延迟或损害安全性。 He is unable to do paid work:(.他无法从事有偿工作:(。
Related:有关的:
- 52756755 (why does he need compute admin role for a developer, I need him only to develop and not maintain the instance) 52756755 (为什么他需要开发人员的计算管理员角色,我只需要他开发而不维护实例)
- 62925708 (why does the user need service account role? He does not need to be creating paid instances) 62925708 (为什么用户需要服务账户角色?他不需要创建付费实例)
- 49384500 (You do not have sufficient permissions to ssh into this instance) 49384500 (您没有足够的权限 ssh 进入此实例)
- do not have permission to ssh into this instance ( You do not have sufficient permissions to SSH into this instance. You need one of compute.instances.setMetadata, compute.projects.setCommonInstanceMetadata or compute.instances.osLogin (with OsLogin enabled) and iam.serviceAccounts.actAs. 没有权限 ssh 进入此实例(您没有足够的权限将 SSH 进入此实例。您需要 compute.instances.setMetadata、compute.projects.setCommonInstanceMetadata 或 compute.instances.osLogin(启用 OsLogin)和 iam 之一.serviceAccounts.actAs。
2 个解决方案
解决方案1
2 已采纳 2022-04-06 18:09:08
- If the person has @gmail.com domain then he is an external user and needs to be given external user permission.如果此人拥有@gmail.com 域,则他是外部用户,需要获得外部用户权限。 Go to IAM & Admin -> From the Project menu select All and click the top organization: Go 到 IAM & Admin -> 从 Project 菜单 select All 并单击顶部组织:
Add the Compute OS Login External User添加计算操作系统登录外部用户
- Now under the project Add the following:现在在项目下添加如下内容:
Add Project - Viewer添加项目 - 查看器
Add Compute Engine - Service Account User添加计算引擎 - 服务帐户用户
[optional]Add Compute Engine -Compute View [可选]添加计算引擎-计算视图
**although the Compute View is optional to just ssh, but it does help the developer/programmer/intern to know what they are running and recommend configuration changes when program is ready for golive. **虽然计算视图对于 ssh 是可选的,但它确实可以帮助开发人员/程序员/实习生了解他们正在运行什么,并在程序准备好上线时建议配置更改。
- And finally we need to give permission at the instance level.最后,我们需要在实例级别授予权限。 So go to Compute Engine -> VM Instances -> Permissions -> Add Principal -> " Compute OS Admin Login " if you want them to use sudo or if just a regular user "Compute OS Login"所以 go 到 Compute Engine -> VM Instances -> Permissions -> Add Principal -> “ Compute OS Admin Login ” 如果你想让他们使用 sudo 或者如果只是普通用户“Compute OS Login”
- Open the instance, click edit and enable OS-Login under Metadata.打开实例,单击编辑并在元数据下启用操作系统登录。 Add the following Key: enable-oslogin Value: TRUE添加以下项:enable-oslogin 值:TRUE
- Stop and start the instance.停止并启动实例。 You need it for permission to take effect.您需要它才能使许可生效。 During troubleshooting none of this worked until we restarted the instance, and magically fixed.在故障排除期间,这些都不起作用,直到我们重新启动实例并神奇地修复。
解决方案2
0 2022-04-05 16:56:47
If you need to manage user access to your Linux VM instances, you can use one of the following methods:如果您需要管理用户对您的 Linux VM 实例的访问权限,您可以使用以下方法之一:
- OS Login 操作系统登录
- Managing SSH keys in metadata 管理元数据中的 SSH 个键
- Temporarily grant a user access to an instance 临时授予用户访问实例的权限
To give a user the ability to connect to a VM instance using SSH without granting them the ability to manage Compute Engine resources, add the user's public key to the project, or add a user's public key to a specific instance.
More information about granting users SSH to VM instances can be found here .有关将用户 SSH 授予 VM 实例的更多信息,请参见此处。
Regarding your question about the roles required and why, here is more information about granting access to an organization using Cloud IAM roles.关于您关于所需角色及其原因的问题, 此处提供了有关使用 Cloud IAM 角色向组织授予访问权限的更多信息。
More information about Access control for users in Cloud compute Enginehere .有关云计算引擎中用户访问控制的更多信息,请点击此处。
About roles and permissions关于角色和权限
If you need your employee to be able to see the project you need to grant the access to the project according to your needs.如果您需要您的员工能够看到您需要根据您的需要授予项目访问权限的项目。
The basic roles are owner, editor and viewer.基本角色是所有者、编辑者和查看者。 Here you will find a more detailed explanation about roles and permissions using Cloud IAM to control the access for your project. 在这里,您将找到有关使用 Cloud IAM 控制项目访问权限的角色和权限的更详细说明。
And in this page you will find a complete list of the roles and permissions included in Cloud compute engine.在此页面中,您将找到云计算引擎中包含的角色和权限的完整列表。
On the other hand in this guide about setup OS login , the roles and permission required to complete the process are included.另一方面,在本指南中关于设置操作系统登录,包括完成该过程所需的角色和权限。 OS login is an option suitable to resolve your issue.操作系统登录是适合解决您的问题的选项。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.