
On GCP, how to grant access to a service account in another project?

I have a compute instance in project project-b, and a separate project project-a. The instance in project-b needs to access project-a using a project-a service account.

In project-a:

  • Create the service account. Suppose its name is project-a-service-account@project-a.iam.gserviceaccount.com.
  • Grant the service account very specific, limited roles.
  • Create and download a key for the service account. Name it key.json.

In project-b:

  • Create a compute instance
  • SSH to the instance. Type all the commands that follow into this compute instance SSH shell.
  • Upload key file key.json to the instance. If you are using the Google Cloud Console SSH window, you can do this using Upload in the gear icon menu in the upper right.
  • Activate the service account:

     gcloud auth activate-service-account project-a-service-account@project-a.iam.gserviceaccount.com --key-file key.json
  • Reinitialize:

     gcloud init
    • The gcloud init command will offer to re-initialize the current configuration, or create a new one. It might be nice to create a new one, but it's up to you.
    • Choose account project-a-service-account@project-a.iam.gserviceaccount.com

Now, this instance in project-b can act as the service account in project-a. For example, if the service account has the compute.instances.create permission, you can create an instance in project-a:

gcloud compute instances create new-instance --project project-a
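As an added example (not part of the original post), a small POSIX shell helper that checks that a downloaded key.json really belongs to the expected service account and project before it is activated, restricts the file to the current user, and only then runs the activation command from the steps above. The sample key is constructed with a placeholder private key, and check_sa_key / activate_if_valid are names chosen here, not gcloud commands.

```bash
#!/bin/sh
# Extract a string field ("name": "value") from a flat JSON key file.
json_field() {
    # $1 = file, $2 = field name
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Return 0 if the file is a service-account key for the expected account,
# non-zero (with a reason on stderr) otherwise.
check_sa_key() {
    file=$1; expected_email=$2
    [ -f "$file" ] || { echo "missing key file: $file" >&2; return 1; }
    [ "$(json_field "$file" type)" = "service_account" ] \
        || { echo "not a service-account key" >&2; return 2; }
    email=$(json_field "$file" client_email)
    [ "$email" = "$expected_email" ] \
        || { echo "key is for $email, expected $expected_email" >&2; return 3; }
    # The project in the e-mail must agree with the key's own project_id.
    proj=$(json_field "$file" project_id)
    case "$email" in
        *@"$proj".iam.gserviceaccount.com) ;;
        *) echo "project mismatch: $email vs $proj" >&2; return 4 ;;
    esac
    return 0
}

# Check the key, make it readable only by the owner, then activate it.
# gcloud is only invoked when it is installed (so this runs offline too).
activate_if_valid() {
    check_sa_key "$1" "$2" || return $?
    chmod 600 "$1" && [ -n "$(find "$1" -perm 600 -print)" ] || return 5
    if command -v gcloud >/dev/null 2>&1; then
        gcloud auth activate-service-account "$2" --key-file "$1"
    else
        echo "would run: gcloud auth activate-service-account $2 --key-file $1"
    fi
}

# Constructed sample key: same layout as a downloaded key.json, placeholder secret.
SAMPLE_KEY=$(mktemp)
cat > "$SAMPLE_KEY" <<'EOF'
{
  "type": "service_account",
  "project_id": "project-a",
  "private_key_id": "PLACEHOLDER",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
  "client_email": "project-a-service-account@project-a.iam.gserviceaccount.com"
}
EOF
activate_if_valid "$SAMPLE_KEY" project-a-service-account@project-a.iam.gserviceaccount.com
```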

Administrators of project-a can revoke this access by revoking the keys for service account project-a-service-account@project-a.iam.gserviceaccount.com.

Google has a super fast-talking demo showing this.
