What happens when re-authenticating the service account with gcloud?

Views: 52

Problem description

I have heard that if the service account is having high privileges, but access scopes are restrictive, and we need to somehow authenticate to services without OAuth, then we can re-authenticate the service account with the keys that we have (assuming we got somehow).

So is it true, re-authenticating the service account can give us cloud-platform scopes?

gcloud auth activate-service-account --key-file key.json

Recommended answer

Scopes are an OAuth permission mechanism. Google Cloud first started with "Scopes" as the permission method before IAM was developed.

Service Accounts do not use scopes in a way that you manage unless you are writing your own authorization code. Service Accounts use IAM Roles for permission control. You can specify scopes when writing low-level code, but that is not necessary or recommended.

Google Compute Engine originally used OAuth scopes for permissions and still offers that feature. Compute Engine Scopes limit the permissions assigned to the service account assigned to Compute Engine. Scopes do not add permissions to the service account.

For the following command:

gcloud auth activate-service-account --key-file key.json

If you run this command on your desktop or in Compute Engine, you are telling the CLI and tools developed with the SDK to use the specified service account for authorization. The scope "cloud-platform" does not matter here. The IAM roles assigned to the service account determine permissions. The scopes that you assigned to the instance are not used by this command. Only the credentials located in the Compute Engine instance metadata (the original credentials) continue to be affected by scopes.

Summary:

Scopes are a legacy authorization mechanism. IAM is the preferred and required authentication method meaning you must set permissions via IAM Roles. Scopes cannot do that for you. You can mix the two but I do not recommend that. Use the scope cloud-platform and control authorization via IAM Roles.

A service account with the scope "cloud-platform" and no IAM Roles has NO permissions.
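The following added example (not part of the question or answer above) models the two gates the answer describes as a small Python evaluator: a token's OAuth scope must admit the API call, and an IAM role must grant the permission, so scopes can only narrow what IAM allows. The role and scope tables are a constructed subset of the real ones, the service account e-mail is a placeholder, and it is assumed that a token minted from a key file via gcloud carries the cloud-platform scope rather than the instance's scopes.

```python
from dataclasses import dataclass

CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"
GCS_READ_ONLY = "https://www.googleapis.com/auth/devstorage.read_only"
GCS_READ_WRITE = "https://www.googleapis.com/auth/devstorage.read_write"

# Constructed subset of IAM role -> permission mappings (enough for the demo).
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete"},
}

# Constructed subset of scope -> permissions the scope admits; "*" = no restriction.
SCOPE_ALLOWS = {
    CLOUD_PLATFORM: {"*"},
    GCS_READ_ONLY: {"storage.objects.get", "storage.objects.list"},
    GCS_READ_WRITE: ROLE_PERMISSIONS["roles/storage.objectAdmin"],
}

@dataclass
class Credential:
    email: str
    source: str        # "metadata" (instance token) or "key-file" (gcloud auth activate-service-account)
    scopes: set        # scopes carried by the access token
    roles: set         # IAM roles bound to the service account

def allowed_by_scope(cred: Credential, permission: str) -> bool:
    """Legacy gate: does at least one token scope admit this API call?"""
    return any("*" in SCOPE_ALLOWS.get(s, set()) or permission in SCOPE_ALLOWS.get(s, set())
               for s in cred.scopes)

def granted_by_iam(cred: Credential, permission: str) -> bool:
    """IAM gate: does at least one bound role grant this permission?"""
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in cred.roles)

def check(cred: Credential, permission: str) -> str:
    """Effective access is the scope gate AND the IAM grant; scopes never add rights."""
    if not allowed_by_scope(cred, permission):
        return "denied: token scope does not admit this API call"
    if not granted_by_iam(cred, permission):
        return "denied: no IAM role grants this permission"
    return "allowed"

def from_metadata(email: str, instance_scopes, roles) -> Credential:
    """Token fetched from the instance metadata server: limited by instance scopes."""
    return Credential(email, "metadata", set(instance_scopes), set(roles))

def from_key_file(email: str, roles) -> Credential:
    """Token minted from a key file (assumption: gcloud requests cloud-platform)."""
    return Credential(email, "key-file", {CLOUD_PLATFORM}, set(roles))
```

Running the checks shows the answer's point: the metadata token of an instance scoped to devstorage.read_only can read but not write objects even with objectAdmin, the key-file token with the same role can write, and a key-file token with no roles can do nothing.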

