I have a compute instance in project project-b, and a separate project project-a. The instance in project-b needs to access project-a using a project-a service account.

In project-a:

project-a-service-account@project-a.iam.gserviceaccount.com
key.json

In project-b:

Copy key.json to the instance. If you are using the Google Cloud Console SSH window, you can do this using Upload in the gear icon menu in the upper right.

Activate the service account:

gcloud auth activate-service-account project-a-service-account@project-a.iam.gserviceaccount.com --key-file key.json

Reinitialize:

gcloud init

The gcloud init command will offer to re-initialize the current configuration, or create a new one. It might be nice to create a new one, but it's up to you.

project-a-service-account@project-a.iam.gserviceaccount.com

Now, this instance in project-b can act as the service account in project-a. For example, if the service account has compute.instances.create permission, you can create an instance in project-a:

gcloud compute instances create new-instance --project project-a

Administrators of project-a can revoke this access by revoking the keys for service account project-a-service-account@project-a.iam.gserviceaccount.com.

Google has a super fast-talking demo showing this.
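
As an added example (not part of the original post), the script below reads a key file like the key.json used above and prints the gcloud command a project-a administrator would run to revoke that one key; it only prints the command and does not run it. It assumes the standard JSON key layout with one field per line; the key ID and key material are constructed, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: map a service account key file to the command that revokes
# exactly that key, so one leaked or retired key.json can be cut off without
# touching other keys. Nothing here calls gcloud; it only prints the command.

# Print the value of one top-level string field ($2) from key file ($1).
# Assumption: standard key layout, one "name": "value" pair per line.
key_field() {
  sed -n 's/^[[:space:]]*"'"$2"'":[[:space:]]*"\([^"]*\)".*$/\1/p' "$1" | head -n 1
}

# Print the revocation command for the key in file $1.
# Fails (status 1) if the file is not a service account key.
revoke_command() {
  rc_kind=$(key_field "$1" type)
  rc_email=$(key_field "$1" client_email)
  rc_key_id=$(key_field "$1" private_key_id)
  if [ "$rc_kind" != "service_account" ] || [ -z "$rc_email" ] || [ -z "$rc_key_id" ]; then
    echo "not a service account key file: $1" >&2
    return 1
  fi
  printf 'gcloud iam service-accounts keys delete %s --iam-account=%s\n' \
    "$rc_key_id" "$rc_email"
}

# Write a constructed sample key file to path $1 (placeholder key material).
make_sample_key() {
  cat > "$1" <<'EOF'
{
  "type": "service_account",
  "project_id": "project-a",
  "private_key_id": "0123456789abcdef0123456789abcdef01234567",
  "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
  "client_email": "project-a-service-account@project-a.iam.gserviceaccount.com"
}
EOF
}
```

The printed command is meant to be run by someone with rights to manage keys on the service account in project-a; after the key is deleted, the copy of key.json on the project-b instance no longer authenticates.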