如何在GCP上授予对单个计算实例的访问权限? [英] How to give access to single Compute Instance on GCP?
问题描述
曾经试图弄清楚这一点,但到目前为止还没有运气.与AWS相比难以实现.
Been trying to figure this out but no luck thus far. Suprisingly difficult to achieve when compared to AWS.
我有一个Google Cloud Platform(GCP)项目,其中运行着多个计算实例和其他服务.
I have a Google Cloud Platform (GCP) project with multiple Compute Instances and other services running.
我需要授予对单个计算实例的超级用户访问权限,而无需向外部开发团队提供任何其他服务.
I need to give root access to a single compute instance but not any other service to an external development team.
在"Compute Engine"视图中,当我选择实例并将用户添加为Compute Admin(对所有Compute Engine资源的完全控制权)时,他仍然不能ssh进入实例.
In the "Compute Engine" view when I select the instance and add the user as Compute Admin (Full control of all Compute Engine resources) but he still cannot ssh into the instance.
尝试#1:
出现错误:需要compute.instance.get权限."
Got error: "Require compute.instance.get permission."
因此,我去给该用户一个包含该权限的角色.
So I went and gave that user a Role which included that permission.
尝试#2:
出现错误用户无权访问服务帐户..."
Got error "User does not have access to service account..."
问题#1 为了让角色可以访问GCP中的单个计算实例,到底需要做什么?
Questions #1 What on earth needs to be done to just give a role access to single Compute Instance in GCP?
在AWS上,可以给特定的角色提供单个资源访问权限,但是这里确实是这种情况.
On AWS there is a specific Role that can be given a single resource access but this does seem to be the case here.
问题#2 另外,如果"Compute Engine"视图中的权限"右侧栏实际上没有提供任何权限,它的用途是什么.
Questions #2 Also what is the purpose of the "Permissions" right sidebar in "Compute Engine" view if that doesn't actually give any permissions.
谢谢!
推荐答案
我遇到了同样的问题,并找到了解决方案.我会尽力回答您的问题:
I had the same issue and found the solution. I´ll try to answer your questions:
问题1:到底该如何做才能让角色访问GCP中的单个计算实例?
Question #1: What on earth needs to be done to just give a role access to single Compute Instance in GCP?
您需要向用户授予这些权限:
You need to grant the user these permissions:
1-在IAM主页中, https://console. cloud.google.com/iam-admin/iam?project=your_project 授予用户计算查看器"和服务帐户用户"角色.
1- In the main IAM page, https://console.cloud.google.com/iam-admin/iam?project=your_project grant the user the "Compute Viewer" and "Service Account User" roles.
2-在"VMs"页面中, https ://console.cloud.google.com/compute/instances?folder =& organizationId =& project = your_project ,选择一个或多个VM,然后向用户授予计算实例管理员(v1) 角色.
2- In the VMs page, https://console.cloud.google.com/compute/instances?folder=&organizationId=&project=your_project, select one or more VM´s and grant the user the "Compute Instance Admin (v1)" role.
现在,用户可以通过SSH进入虚拟机.
Now the user can SSH into the VM.
问题2:如果"Compute Engine"视图中的权限"实际上没有任何权限,那么它的目的是什么?
Questions #2 Also what is the purpose of the "Permissions" right sidebar in "Compute Engine" view if that doesn't actually give any permissions.
在GCP中,有项目级别和资源级别的权限. "Compute Engine"中右侧的权限"栏可以设置单个资源的权限.
In GCP there are Project-level and Resource-level permissions. The "Permissions" right sidebar in "Compute Engine" sets the permissions for a single resource.
希望这会有所帮助!
这篇关于如何在GCP上授予对单个计算实例的访问权限?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
