您如何在两个单独的Google Cloud Platform(GCP)项目中授予对资源的访问权限? [英] How do you grant access to resources across two separate Google Cloud Platform (GCP) projects?
问题描述
假设您有两个项目,ID = engine-project-1和storage-project-1.
Let's say you have two projects, IDs = engine-project-1 and storage-project-1.
engine-project-1具有一个基本的App Engine应用,该应用需要访问storage-project-1中存储桶中的图像文件.默认情况下,engine-project-1被拒绝访问storage-project-1
engine-project-1 has a basic App Engine app that needs access to image files in a bucket in storage-project-1. By default, engine-project-1 is denied access to storage-project-1
如何授予engine-project-1中的app-engine-service角色(engine-project-1@appspot.gserviceaccount.com)访问storage-project-1帐户中的存储角色(roles/storage.objectViewer)的权限?
How do you grant the app-engine-service role (engine-project-1@appspot.gserviceaccount.com) in engine-project-1 access to the storage role (roles/storage.objectViewer) in the storage-project-1 account?
推荐答案
用例-允许外部App Engine应用访问构建状态
在此示例中,在${SOURCE_PROJECT_ID}中运行的App Engine应用需要访问${GOOGLE_CLOUD_PROJECT}中的构建状态.
Use Case -- Allow an Outside App Engine App Access Build Status
For this example, the app engine app running in ${SOURCE_PROJECT_ID} needs to access build status in ${GOOGLE_CLOUD_PROJECT}.
使用为项目ID = ${GOOGLE_CLOUD_PROJECT}
This can easily be done using the cloud shell activated for the project id = ${GOOGLE_CLOUD_PROJECT}
gcloud projects add-iam-policy-binding $GOOGLE_CLOUD_PROJECT \
--member=serviceAccount:${SOURCE_PROJECT_ID}@appspot.gserviceaccount.com \
--role=roles/cloudbuild.builds.viewer \
