您如何在两个单独的Google Cloud Platform(GCP)项目中授予对资源的访问权限? [英] How do you grant access to resources across two separate Google Cloud Platform (GCP) projects?
问题描述
假设您有两个项目,ID = engine-project-1
和storage-project-1
.
Let's say you have two projects, IDs = engine-project-1
and storage-project-1
.
engine-project-1
具有一个基本的App Engine应用,该应用需要访问storage-project-1
中存储桶中的图像文件.默认情况下,engine-project-1
被拒绝访问storage-project-1
engine-project-1
has a basic App Engine app that needs access to image files in a bucket in storage-project-1
. By default, engine-project-1
is denied access to storage-project-1
如何授予engine-project-1
中的app-engine-service角色(engine-project-1@appspot.gserviceaccount.com
)访问storage-project-1
帐户中的存储角色(roles/storage.objectViewer
)的权限?
How do you grant the app-engine-service role (engine-project-1@appspot.gserviceaccount.com
) in engine-project-1
access to the storage role (roles/storage.objectViewer
) in the storage-project-1
account?
推荐答案
用例-允许外部App Engine应用访问构建状态
在此示例中,在${SOURCE_PROJECT_ID}
中运行的App Engine应用需要访问${GOOGLE_CLOUD_PROJECT}
中的构建状态.
Use Case -- Allow an Outside App Engine App Access Build Status
For this example, the app engine app running in ${SOURCE_PROJECT_ID}
needs to access build status in ${GOOGLE_CLOUD_PROJECT}
.
使用为项目ID = ${GOOGLE_CLOUD_PROJECT}
This can easily be done using the cloud shell activated for the project id = ${GOOGLE_CLOUD_PROJECT}
gcloud projects add-iam-policy-binding $GOOGLE_CLOUD_PROJECT \
--member=serviceAccount:${SOURCE_PROJECT_ID}@appspot.gserviceaccount.com \
--role=roles/cloudbuild.builds.viewer \