使Cloud Storage存储桶仅可由特定服务帐户访问 [英] Making a Cloud Storage bucket accessible only by a certain service account

问题描述

我有一个在GCP上创建的存储桶.我按照此处描述的说明创建了存储分区( https://cloud.google.com/存储/文档/创建存储区).另外，我使用统一的存储桶级访问控制创建了它.

I have an storage bucket that I created on GCP. I created the bucket following the instructions described here (https://cloud.google.com/storage/docs/creating-buckets). Additionally, I created it using uniform bucket-level access control.

但是，我希望在某个服务帐户下运行的实例可以访问存储桶中的对象.虽然，我不知道该怎么做.在权限设置中，看不到如何为读写访问指定服务帐户.

However, I want the objects in the bucket to be accessible by instances running under a certain service account. Although, I do not see how to do that. In the permissions settings, I do not see how I can specify a service account for read-write access.

推荐答案

要创建服务帐户，请在Cloud Shell中运行以下命令:

To create a service account, run the following command in Cloud Shell:

gcloud iam service-accounts create storage-sa --display-name "storage service account"

您可以向服务帐户授予角色，以便该服务帐户可以对GCP项目中的资源执行特定的操作.例如，您可以将storage.admin角色授予服务帐户，以便它可以控制Google Cloud Storage中的对象和存储桶.

You can grant roles to a service account so that the service account can perform specific actions on the resources in your GCP project. For example, you might grant the storage.admin role to a service account so that it has control over objects and buckets in Google Cloud Storage.

gcloud projects add-iam-policy-binding <Your Project ID> --member <Service Account ID> --role <Role You want to Grant>

授予角色后，您可以在创建实例时选择此服务帐户.

Once role is granted you can select this service account while creating the instance.

或者，要通过Google Cloud Console执行此操作，请参见

Alternatively, to do this via Google Cloud Console see Creating and enabling service accounts for instances

这篇关于使Cloud Storage存储桶仅可由特定服务帐户访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！