堆栈内存溢出
  简体   繁体   English

将项目从“无组织”迁移到组织时,是否会转移 IAM 策略?

[英]Are IAM policies transferred when migrating a project from "No organization" to an organization?

 原文  2022-11-26 06:35:51       google-cloud-platform/ google-cloud-iam

问题描述

I can't seem to find an answer to this question.我似乎找不到这个问题的答案。 I reviewed the special considerations for migrating "No organization" projects but they don't touch on this.我回顾了迁移“无组织”项目的特殊注意事项,但他们没有涉及这一点。

The migration guide says for any migration:迁移指南针对任何迁移说:

Any policy that is applied directly to the project will still be attached after the migration is complete.直接应用于项目的任何策略在迁移完成后仍将附加。 Applying policies directly to the project is a good way to verify that the correct policies are applied from the moment the move is complete.将策略直接应用于项目是验证从移动完成那一刻起是否应用了正确策略的好方法。

Are the IAM policies of "No organization" projects implicitly "applied directly to the project"? “无组织”项目的 IAM 政策是否隐含地“直接应用于项目”?

1 个解决方案

解决方案1
 1 已采纳  2022-11-26 08:33:57

As @john hanley suggested, due to inheritance, the new organization might affect existing IAM policies.正如@john hanley 建议的那样,由于 inheritance,新组织可能会影响现有的 IAM 策略。

Google Cloud offers IAM , which lets you assign granular access to specific Google Cloud resources and prevents unwanted access to other resources. Google Cloud 提供IAM ,它允许您分配对特定 Google Cloud 资源的精细访问权限,并防止对其他资源进行不必要的访问。 IAM lets you control who (users) has what access (roles) to which resources by setting IAM policies on the resources. IAM 允许您通过在资源上设置 IAM 策略来控制谁(用户)对哪些资源具有何种访问权限(角色)。

You can set an IAM policy at the organization level , the folder level , the project level , or (in some cases) the resource level.您可以在组织级别文件夹级别项目级别或(在某些情况下)资源级别设置 IAM 策略。 Resources inherit the policies of the parent resource.资源继承父资源的策略。 If you set a policy at the organization level, it is inherited by all its child folders and project resources, and if you set a policy at the project level, it is inherited by all its child resources.如果您在组织级别设置策略,它会被其所有子文件夹和项目资源继承,如果您在项目级别设置策略,它会被其所有子资源继承。

The effective policy for a resource is the union of the policy set on the resource and the policy inherited from its ancestors.资源的有效策略是资源上设置的策略与从其祖先继承的策略的联合。 This inheritance is transitive.这个 inheritance 是可传递的。 In other words, resources inherit policies from the project, which inherit policies from the organization resource.换句话说,资源从项目继承策略,而项目从组织资源继承策略。 Therefore, the organization-level policies also apply at the resource level.因此,组织级别的策略也适用于资源级别。

Refer to this document for more information.有关详细信息,请参阅此文档

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何将 GCP 项目从一个组织迁移到另一个组织 - How to migrate a GCP Project from one organization to other Google Cloud Platform - 将“无组织”的 firebase 项目移至“组织”时出错 - Google Cloud Platform - Error moving firebase project with "no organization" to an "organization" GCP-IAM - 如何授予对组织中所有服务帐户的访问权限? - GCP-IAM - How to grant access to all service account in organization? 使用 IAM 策略创建堆栈时出现 InsufficientCapabilitiesException [CAPABILITY_NAMED_IAM] - InsufficientCapabilitiesException [CAPABILITY_NAMED_IAM] when creating a stack with IAM policies Azure Devops - 在不分配项目集合管理员的情况下将用户添加到组织 - Azure Devops - Add users to organization without assigning project collection administrator 如何在 Prometheus 中从我的 GCP 组织导出 SLO? - How to export SLO's from my GCP organization in Prometheus? 如何从 SDK 访问组织级别的“gcloud 资产”? - How to access "gcloud asset" at an organization level from SDK? 从aws中获取给定组织的所有子账户列表 - get list of all sub-accounts from given organization in aws 我如何导出(到文件)所有在 GCP 组织中每个项目具有特定角色的人? - How do I export(to a file) all people with a certain role per project in an organization in GCP? Lambda 定价仅限于帐户或组织? - Lambda pricing limited to account or organization?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM