GCP 限制服务帐户有条件访问单个实例
[英]GCP limit service account to have conditional access to a single instance
问题描述
I'd like to set up an instance schedule and apparently this requires the service account to have compute.instances.start/stop permissions.
我想设置一个实例计划,显然这需要服务帐户具有compute.instances.start/stop权限。 The only way to do this is to enable the service account to have admin privileges which adds a whole host of (in my case) unnecessary permissions that come associated with the role.做到这一点的唯一方法是使服务帐户具有管理员权限,这会添加与角色相关联的整个主机(在我的情况下)不必要的权限。
So I'd like to keep the default role as "Compute Engine Service Agent" and add the admin role with a condition that it only applies to a single VM.所以我想将默认角色保留为“计算引擎服务代理”,并添加管理员角色,条件是它只适用于单个虚拟机。 So I tried setting the condition as:所以我尝试将条件设置为:
resource.type == "compute.googleapis.com/Instance"
resource.name == "//compute.googleapis.com/projects/<project>/zones/<zone>/instances/<name>"
however I still get an IAM error when I try to apply the schedule.但是,当我尝试应用计划时,我仍然收到 IAM 错误。 Should this approach work, and what format does 'name' need to be?这种方法是否可行,“名称”需要采用什么格式?
Also what are the security risks of setting an unconditional role here?另外在这里设置无条件角色有哪些安全风险? The documentation basically says "set it" without any further qualification.该文档基本上说“设置它”而没有任何进一步的限定。
EDIT: This condition (above) doesn't seem to scope correctly at all, all VMs show that my service account has the admin role.编辑:这种情况(上图)似乎对 scope 完全不正确,所有虚拟机都显示我的服务帐户具有管理员角色。 It's like the resource.name is ignored.就像resource.name被忽略一样。
I can correctly set this role, scoped to a single VM, using the "Permissions" tab on the Compute Engine Instances page, but still two questions:我可以使用 Compute Engine Instances 页面上的“Permissions”选项卡正确设置此角色,范围为单个 VM,但仍有两个问题:
- It seems like the Compute Admin (beta) conditions aren't sufficient, even though they contain instance start/stop. Compute Admin (beta) 条件似乎还不够,即使它们包含实例启动/停止。 v1 does work though, when set via instance permissions.但是,当通过实例权限设置时,v1 确实有效。 What's the difference?有什么不同?
- How can I set the condition correctly as an IAM rule, rather than manually per instance?如何将条件正确设置为 IAM 规则,而不是按实例手动设置?
1 个解决方案
解决方案1
0 2022-08-26 16:40:03
A better approach would be to create a custom role with just the start/stop permissions and then bind that role to the Compute Engine Service Agent service account .更好的方法是创建一个仅具有启动/停止权限的自定义角色,然后将该角色绑定到Compute Engine Service Agent 服务帐户。
To create the custom role:创建自定义角色:
gcloud iam roles create Scheduler --project=$YOUR_PROJECT_ID \
--title=Scheduler \
--description="Schedule a VM instance to start/stop" \
--permissions=compute.instances.start,compute.instances.stop
And to bind the custom role to the Compute Engine Service Agent:并将自定义角色绑定到 Compute Engine 服务代理:
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member="serviceAccount:service-$PROJECT_NUMBER@compute-system.iam.gserviceaccount.com" \
--role="projects/$PROJECT_ID/roles/Scheduler"
This way you avoid the conditional part and just grant the start/stop permissions as I believe was your original intention.这样你就可以避免条件部分,只授予启动/停止权限,因为我相信这是你的初衷。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.