如何授予服务帐户访问两个项目的权限? [英] How to give service account access to two projects?
问题描述
使用Google Cloud,存在一个可查询两个项目的BigQuery View表.
Using Google Cloud, there exists a BigQuery View table that queries two projects.
但是,在视图所在的项目上,我们希望从Airflow/Composer对其执行查询.目前它失败并显示403.
However, on the project where the view is located, we wish to run a query against it from Airflow/Composer. Currently it fails with a 403.
AFAIK将使用默认的作曲家服务帐户-但是它无权访问视图sql中使用的第二个项目.
AFAIK it will use the default composer service account - however it doesn't have access to the 2nd project used in the sql of the view.
如何授予作曲家的服务帐户访问第二个项目的权限?
How do I give composer's service account access to the second project?
推荐答案
考虑服务帐户(例如用户帐户):您拥有在不同项目和组件上授权的用户电子邮件.与服务帐户电子邮件完全相同.
Think about a service account like a user account: you have a user email that you authorize on different project and component. Exactly the same thing with the service account email.
服务帐户属于一个项目.用户帐户属于域名/组织.最后没有真正的区别.
The service account belongs to a project. An user account belongs to a domain name/organisation. No real difference at the end.
因此,您可以像使用任何用户帐户一样使用服务帐户电子邮件:
So, you can use a service account email like any user accounts:
- 任何项目中的授权授权
- 将其添加到Google网上论坛
- 甚至授予它GSuite文档(Sheet,Docs,Slides等)的查看者或编辑者角色,使其可以访问和阅读/更新这些文档!像任何用户一样!
编辑
有了Airflow,您可以定义的连接和默认连接.您可以在DAG中使用此连接,从而使用所需的服务帐户.
With Airflow, you can defined connexions and a default connexion. You can use this connexion in your DAG and thus use the service account that you want.
这篇关于如何授予服务帐户访问两个项目的权限?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
