如何只允许创建服务器的开发人员访问GCE? [英] How do I allow access to GCE to only the dev that created the server?

问题描述

现在，只要具有GCE访问权限，每个人都可以访问GCE中的任何服务器. gcloud comput ssh命令可以ssh到任何服务器中.

Right now everyone can access absolutely any server in GCE so long as they have GCE access. The gcloud comput ssh command can ssh into any server.

我如何确保只有创建服务器的人可以访问?

How do I make sure that only the person that created the server has access?

推荐答案

可以基于 GCE IAM角色通过操作系统登录:

启用操作系统登录项目中的更多实例， 这些实例仅接受来自具有以下权限的用户帐户的连接 您的项目或组织中必要的IAM角色:

After you enable OS Login on one or more instances in your project, those instances accept connections only from user accounts who have the necessary IAM roles in your project or organization:

例如，您可以使用 请按照以下步骤操作:

As an example, you might grant instance access to your users with the following process:

1. 授予必要的实例访问角色给用户.用户必须具有以下角色:

1. Grant the necessary instance access roles to the user. Users must have the following roles:

• iam.serviceAccountUser角色.
• 以下登录角色之一:
  • compute.osLogin角色，该角色不授予管理员权限
  • compute.osAdminLogin角色，授予管理员权限
  • The iam.serviceAccountUser role.
  • One of the following login roles:
    • The compute.osLogin role, which does not grant administrator permissions
    • The compute.osAdminLogin role, which grants administrator permissions

    但是请注意，并非所有GCE映像家族都支持OS登录:

    But note that not all GCE image families have OS Login support:

    以下图像系列尚不支持OS登录:

    The following image families do not yet support OS Login:

    • 所有项目coreos-cloud(CoreOS)映像系列
    • 项目suse-cloud(SLES)映像系列sles-11
    • 所有Windows Server和SQL Server映像家族
    • All project coreos-cloud (CoreOS) image families
    • Project suse-cloud (SLES) image family sles-11
    • All Windows Server and SQL Server image families

    这篇关于如何只允许创建服务器的开发人员访问GCE?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！