使用服务帐户登录到Google计算引擎 [英] Logging into google compute engine with a service account

问题描述

我今天整天都在阅读有关stackexchange的文档和问题，以尝试使用服务帐户登录到计算引擎，但是却无处可寻.

I have spent the entire day today reading documentations and questions on stackexchange on trying to use service account to logon to a compute engine but have got no where.

我是Google Cloud的新手，请原谅我的知识.

I am new to google cloud, so pardon my knowledge.

我们正在尝试在Google计算引擎上设置长期运行的服务.我们希望该服务作为系统帐户运行，而不是在单个帐户上运行，以便允许整个团队(而不是特定用户)的故障排除特权.我们认为GCP的服务帐户应该能够完成此任务，但是我们还无法作为服务帐户登录到计算引擎.我们按照以下步骤进行了尝试-

We are trying to setup a long running service on a google compute engine. We want the service to be run as a system account but not on individual account so as to allow troubleshooting privileges across the team but not specific users. We thought that service account of GCP should be able to accomplish this but we havent been able to get to logon to a compute engine as a service account. We took the following steps to try this out -

1. 创建服务帐户，并将serviceaccountuser权限授予团队.还要为分配给团队的服务帐户创建rsa密钥.
2. 使用gcloud auth激活服务帐户切换到服务帐户
3. 将gcloud初始化为服务帐户和设置配置
4. 使用gcloud compute ssh.

我们希望能够以服务帐户身份登录该实例，因为我们在登录之前已切换了身份.但是我们没有得到理想的效果.

We hoped to be able to logon to the instance as the service account since we switched identity before logging on. But we are not getting the desired effect.

问题-

1. 服务帐户是否可以实际用于登录计算引擎?
2. 如果不是，那么配置服务帐户以在GCP上创建VM时运行的目的是什么.
3. 如果没有，使用每个人都可以访问的系统帐户在计算引擎上运行服务的正确方法是什么?
4. 如果是，我们会缺少什么?

非常感谢您提前解决了这一困惑，

Thanks a lot for solving the confusion in advance,

推荐答案

该服务帐户允许Compute Engine实例访问其他Google API.例如，该实例可能需要访问存储存储桶中的私有内容或连接到数据存储.请参见 https://cloud.google.com/iam/docs/service-accounts

The service account allows the Compute Engine instance to access other Google APIs. For example, the instance might need to access private content from Storage buckets or connect to a Datastore. See https://cloud.google.com/iam/docs/service-accounts

为了使您的团队成员(ssh)可以访问计算引擎实例，您可以通过添加其Google帐户将其添加为项目的成员.指定他们的访问级别，以便他们只能列出和ssh进入，而不能创建或删除.我认为您想要具有计算操作系统登录"权限的新角色.他们也不需要设置帐单.请参见 https://cloud.google.com/iam/docs/granting -changing-revoking-access

In order to give your team members (ssh) access to a compute engine instance, you add them as members to the project by adding their Google accounts. Specify their level of access so they can only list and ssh in, but not create or delete. I think you want a new role with "Compute OS Login" permission. They don't need billing set up either. See https://cloud.google.com/iam/docs/granting-changing-revoking-access

这篇关于使用服务帐户登录到Google计算引擎的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！