如何只允许创建服务器的开发人员访问GCE? [英] How do I allow access to GCE to only the dev that created the server?
问题描述
现在,只要具有GCE访问权限,每个人都可以访问GCE中的任何服务器. gcloud comput ssh
命令可以ssh到任何服务器中.
Right now everyone can access absolutely any server in GCE so long as they have GCE access. The gcloud comput ssh
command can ssh into any server.
我如何确保只有创建服务器的人可以访问?
How do I make sure that only the person that created the server has access?
推荐答案
启用操作系统登录项目中的更多实例, 这些实例仅接受来自具有以下权限的用户帐户的连接 您的项目或组织中必要的IAM角色:
After you enable OS Login on one or more instances in your project, those instances accept connections only from user accounts who have the necessary IAM roles in your project or organization:
例如,您可以使用 请按照以下步骤操作:
As an example, you might grant instance access to your users with the following process:
-
授予必要的实例访问角色给用户.用户必须具有以下角色:
Grant the necessary instance access roles to the user. Users must have the following roles:
-
iam.serviceAccountUser
角色. - 以下登录角色之一:
-
compute.osLogin
角色,该角色不授予管理员权限 -
compute.osAdminLogin
角色,授予管理员权限
- The
iam.serviceAccountUser
role. - One of the following login roles:
- The
compute.osLogin
role, which does not grant administrator permissions - The
compute.osAdminLogin
role, which grants administrator permissions
但是请注意,并非所有GCE映像家族都支持OS登录:
But note that not all GCE image families have OS Login support:
以下图像系列尚不支持OS登录:
The following image families do not yet support OS Login:
- 所有项目coreos-cloud(CoreOS)映像系列
- 项目suse-cloud(SLES)映像系列sles-11
- 所有Windows Server和SQL Server映像家族
- All project coreos-cloud (CoreOS) image families
- Project suse-cloud (SLES) image family sles-11
- All Windows Server and SQL Server image families
这篇关于如何只允许创建服务器的开发人员访问GCE?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
- The
-