您如何在两个单独的Google Cloud Platform(GCP)项目中授予对资源的访问权限? [英] How do you grant access to resources across two separate Google Cloud Platform (GCP) projects?

查看:159
本文介绍了您如何在两个单独的Google Cloud Platform(GCP)项目中授予对资源的访问权限?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

假设您有两个项目,ID = engine-project-1storage-project-1.

Let's say you have two projects, IDs = engine-project-1 and storage-project-1.

engine-project-1具有一个基本的App Engine应用,该应用需要访问storage-project-1中存储桶中的图像文件.默认情况下,engine-project-1被拒绝访问storage-project-1

engine-project-1 has a basic App Engine app that needs access to image files in a bucket in storage-project-1. By default, engine-project-1 is denied access to storage-project-1

如何授予engine-project-1中的app-engine-service角色(engine-project-1@appspot.gserviceaccount.com)访问storage-project-1帐户中的存储角色(roles/storage.objectViewer)的权限?

How do you grant the app-engine-service role (engine-project-1@appspot.gserviceaccount.com) in engine-project-1 access to the storage role (roles/storage.objectViewer) in the storage-project-1 account?

推荐答案

用例-允许外部App Engine应用访问构建状态

在此示例中,在${SOURCE_PROJECT_ID}中运行的App Engine应用需要访问${GOOGLE_CLOUD_PROJECT}中的构建状态.

Use Case -- Allow an Outside App Engine App Access Build Status

For this example, the app engine app running in ${SOURCE_PROJECT_ID} needs to access build status in ${GOOGLE_CLOUD_PROJECT}.

使用为项目ID = ${GOOGLE_CLOUD_PROJECT}

This can easily be done using the cloud shell activated for the project id = ${GOOGLE_CLOUD_PROJECT}


gcloud projects add-iam-policy-binding $GOOGLE_CLOUD_PROJECT \
--member=serviceAccount:${SOURCE_PROJECT_ID}@appspot.gserviceaccount.com \
--role=roles/cloudbuild.builds.viewer \

查看全文

相关文章
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆