使用服务帐户进行跨项目管理 [英] Cross project management using service account
问题描述
我需要一个可以访问多个项目的服务帐户,但是我根本无法找到实现此目的的方法.似乎服务帐户始终绑定到项目.
I need a service account that can access multiple projects, but I have not been able to find a way to do this at all. It seems that a service account is always bound to a project.
另一种选择是在单独的项目上创建一个服务帐户,然后使用gcloud auth activate-service-account --key-file SOME_FILE.json
对其进行身份验证,但是这里的问题是,似乎无法自动创建服务帐户.
Another option is to create a service account on the separate projects and then authenticate them using gcloud auth activate-service-account --key-file SOME_FILE.json
, but the problem here is that it does not seem possible to automate the creation of service accounts.
那么问题就来了:是否可以创建跨项目服务帐户或自动创建服务帐户?更好的是,我可以同时做这两者
So the question is then: Is it possible to create a cross project service account or to automate the creation of a service accounts? Even better would be if I could do both
推荐答案
您应该能够将服务帐户添加到另一个项目:
You should be able to add a service account to another project:
-
在Cloud Console中的项目A中创建第一个服务帐户.使用
gcloud auth activate-service-account
激活它.
在Cloud Console中,导航到项目B.找到"IAM& admin">"IAM"页面.点击添加"按钮.在新成员"字段中,粘贴服务帐户的名称(它看起来像一个奇怪的电子邮件地址),并为其指定适当的角色.
In the Cloud Console, navigate to project B. Find the "IAM & admin" > "IAM" page. Click the "Add" button. In the "New members" field paste the name of the service account (it should look like a strange email address) and give it the appropriate role.
在将--project
设置为项目B的情况下运行gcloud
命令.它们应该成功(我刚刚手动验证了该命令是否有效).
Run gcloud
commands with --project
set to project B. They should succeed (I just manually verified that this will work).
在无法解决所有安全问题之前,我们一直在自动创建服务帐户.
Automatic creation of service accounts is something that we're hesitant to do until we can work through all of the security ramifications.
这篇关于使用服务帐户进行跨项目管理的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!