简体繁体 English

GCP：什么是 GKE 中的机器人服务帐户

[英]GCP: what is the Robot Service Account in GKE

原文 2022-06-10 14:32:19 4 1 kubernetes/ google-cloud-platform/ google-kubernetes-engine

I'm trying to improve my knowledge in GCP-GKE as a newbie and in the way to do that, I found out a little concept that I don't quite understand yet.作为一个新手，我正在努力提高我在 GCP-GKE 方面的知识，并且在这样做的过程中，我发现了一个我还不太了解的小概念。 In GKE, there is a Service Account called service-PROJECT_NUM@container-engine-robot.iam.gserviceaccount.com (where the PROJECT_NUM is the ID of our project) and after several hours googling, I couldn't find any article or definition about this stuff.在 GKE 中，有一个名为service-PROJECT_NUM@container-engine-robot.iam.gserviceaccount.com的服务帐户（其中PROJECT_NUM是我们项目的 ID），经过几个小时的谷歌搜索，我找不到任何文章或定义关于这个东西。 So could you guys please explain to me所以你们能向我解释一下吗

What is this Service Account ?这个服务帐户是什么？ How was it created (by who)?它是如何（由谁）创建的？
What is this thing for?这东西是干什么用的？ How important is it in GKE?它在 GKE 中有多重要？
What happens if we delete it ?如果我们删除它会发生什么？ Could we re-created it manually ?我们可以手动重新创建它吗？

In fact, I found out that in GCP, we have some Service Account that have a "robot" suffix: ...robot.iam.gserviceaccount.com/ (like @gcf-admin-robot.iam.gserviceaccount.com/ , @serverless-robot-prod.iam.gserviceaccount.com , etc).事实上，我发现在 GCP 中，我们有一些具有“机器人”后缀的服务帐户： ...robot.iam.gserviceaccount.com/ （如@gcf-admin-robot.iam.gserviceaccount.com/ ， @serverless-robot-prod.iam.gserviceaccount.com等）。 What could we say about this, please ?请问对此我们能说些什么？

If I misunderstand something, please, point it out for me, I really appreciate that.如果我误解了什么，请为我指出，我真的很感激。

Thank you guys !!!感谢你们！！！

1 个解决方案

Service Accounts aka "robots" contrast with user ("human") accounts and represent two forms of Google identity.服务帐户又名“机器人”与用户（“人类”）帐户形成对比，代表两种形式的 Google 身份。

NOTE Robots was the original name for Service Accounts and is a more colorful description of the intent of these accounts, to run software.注意机器人是服务帐户的原始名称，是对这些帐户意图运行软件的更生动的描述。

(Google) User accounts include consumer (Gmail) eg you@gmail.com and you@employee.com (Workspace) accounts. (Google) 用户帐户包括消费者 (Gmail) 帐户，例如 you@gmail.com 和 you@employee.com (Workspace) 帐户。 User accounts are used by humans to interact with Google services and must be used (or a suitable delegate) to acccess user-owned content such as Workspace docs, sheets etc.人们使用用户帐户与 Google 服务进行交互，并且必须使用（或合适的代理人）访问用户拥有的内容，例如 Workspace 文档、工作表等。

Software ("robots") generally should run as a Service Account not as a User account.软件（“机器人”）通常应作为服务帐户而不是用户帐户运行。 In part, you can't easily run software using User accounts because the User OAuth flow is 3-legged and requires interacting with an OAuth Consent Screen to permit an app access to data.在某种程度上，您无法使用用户帐户轻松运行软件，因为用户 OAuth 流程是三足的，并且需要与 OAuth 同意屏幕交互以允许应用程序访问数据。

There are two flavors of Service Account: Google-created|managed and User-created|managed.服务帐户有两种风格：Google-created|managed 和 User-created|managed。 The difference is essentially the owner.区别本质上是所有者。 If you create applications, generally you should create a Service Account for each app and run the app using its Service Account.如果您创建应用程序，通常您应该为每个应用程序创建一个服务帐户并使用其服务帐户运行应用程序。

User-managed Service Accounts take the form {something}@{project}.iam.gserviceaccount.com where you get to define the value of {something} and the Google Project in which the Service Account is created (the project that owns the Service Account) is represented by {project} (actually the Project ID).用户管理的服务帐户采用{something}@{project}.iam.gserviceaccount.com的形式，您可以在其中定义{something}的值以及创建服务帐户的 Google 项目（拥有服务的项目Account）由{project} （实际上是项目 ID）表示。

When Google provides app functionality, it also creates Service Accounts and often, Google "binds" these Service Accounts to your projects that use them in addition to defining the role that the Service Account has in your project.当 Google 提供应用程序功能时，它还会创建服务帐户，并且通常，除了定义服务帐户在您的项目中的角色之外，Google 还会将这些服务帐户“绑定”到使用它们的项目。

Google-managed Service Accounts take the form {something}@{label}.iam.gserviceaccount.com . Google 管理的服务帐户采用{something}@{label}.iam.gserviceaccount.com形式。 Unlike User-managed Service Accounts, Google uses more descriptive labels ( {label} ) to help explain the role of the Service Account.与用户管理的服务帐户不同，Google 使用更具描述性的标签 ( {label} ) 来帮助解释服务帐户的角色。

NOTE With Google-managed Service Accounts {something} often includes the Project Number (not ID) of (your!) project for which the Google-managed account has been created.注意对于 Google 管理的服务帐户， {something}通常包含已为其创建 Google 管理的帐户的（您的！）项目的项目编号（而不是 ID）。

You cannot delete Google-managed Service Accounts because you(r Google account) does not own the Service Account.您无法删除 Google 管理的服务帐户，因为您（Google 帐户）不拥有该服务帐户。

You can (but should not ) delete the role binding between one of your projects and a Google-managed Service Account.您可以（但不应）删除您的项目之一与 Google 管理的服务帐户之间的角色绑定。 It may be possible for you to revert (recreate) the binding but you may not have permission to do this.您可以恢复（重新创建）绑定，但您可能无权执行此操作。