(gcloud.beta.compute.scp) 无法将 SSH 密钥添加到实例元数据权限
(gcloud.beta.compute.scp) Could not add SSH key to instance metadata permissions
我想为我在 Google 云中 运行ning 的虚拟机进行自动部署,作为其中的一部分,我正在尝试使用 SCP 的服务帐户我的文件上传到 GCP 中的虚拟机,但不幸的是,我似乎无法弄清楚正确的权限应该是什么。
搜索文档后,我有一个具有这些权限的服务帐户:
- compute.instances.get
- compute.instances.setMetadata
- compute.projects.get
- compute.projects.setCommonInstanceMetadata
但是当我 运行 以下命令时,我得到以下输出:
+ ./google-cloud-sdk/bin/gcloud auth activate-service-account --key-file=./service-account.json
Activated service account credentials for: [scp-test@my-project.iam.gserviceaccount.com]
+ ./google-cloud-sdk/bin/gcloud beta compute scp hello.txt scp-test:c:/hello.txt --quiet --project=my-project --ssh-key-file=./.ssh/key --zone=us-east4-c
WARNING: The public SSH key file for gcloud does not exist.
WARNING: The private SSH key file for gcloud does not exist.
WARNING: You do not have an SSH key for gcloud.
WARNING: SSH keygen will be executed to generate a key.
Generating public/private rsa key pair.
Your identification has been saved in /Users/mac-user/Downloads/scp-test/.ssh/key.
Your public key has been saved in /Users/mac-user/Downloads/scp-test/.ssh/key.pub.
The key fingerprint is:
{OMMITED}
The key's randomart image is:
{OMMITED}
External IP address was not found; defaulting to using IAP tunneling.
Updating project ssh metadata...failed.
Updating instance ssh metadata...failed.
ERROR: (gcloud.beta.compute.scp) Could not add SSH key to instance metadata:
- The user does not have access to service account '{OMMITED}-compute@developer.gserviceaccount.com'. User: 'scp-test@my-project.iam.gserviceaccount.com'. Ask a project owner to grant you the iam.serviceAccountUser role on the service account
授予我的 scp-test 用户 iam.serviceAccountUser 角色有效,但这似乎是一种不好的做法,因为它使我的 scp-test 用户能够模拟默认帐户('{OMMITED}-compute@ developer.gserviceaccount.com'.),这似乎让它可以完全访问所有内容。
如何只授予它 SCP 所需的权限?
为了使用 SSH/SCP,您需要 Compute Engine 的实例管理员权限。
服务账户是指 gcloud 配置使用的服务账户 IAM 成员:scp-test@my-project.iam.gserviceaccount.com
您需要为服务帐户授予此角色:
roles/compute.instanceAdmin.v1
由于您的计算实例也配置为使用服务帐户,因此您的服务帐户也需要此角色:
roles/iam.serviceAccountUser
我想为我在 Google 云中 运行ning 的虚拟机进行自动部署,作为其中的一部分,我正在尝试使用 SCP 的服务帐户我的文件上传到 GCP 中的虚拟机,但不幸的是,我似乎无法弄清楚正确的权限应该是什么。
搜索文档后,我有一个具有这些权限的服务帐户:
- compute.instances.get
- compute.instances.setMetadata
- compute.projects.get
- compute.projects.setCommonInstanceMetadata
但是当我 运行 以下命令时,我得到以下输出:
+ ./google-cloud-sdk/bin/gcloud auth activate-service-account --key-file=./service-account.json
Activated service account credentials for: [scp-test@my-project.iam.gserviceaccount.com]
+ ./google-cloud-sdk/bin/gcloud beta compute scp hello.txt scp-test:c:/hello.txt --quiet --project=my-project --ssh-key-file=./.ssh/key --zone=us-east4-c
WARNING: The public SSH key file for gcloud does not exist.
WARNING: The private SSH key file for gcloud does not exist.
WARNING: You do not have an SSH key for gcloud.
WARNING: SSH keygen will be executed to generate a key.
Generating public/private rsa key pair.
Your identification has been saved in /Users/mac-user/Downloads/scp-test/.ssh/key.
Your public key has been saved in /Users/mac-user/Downloads/scp-test/.ssh/key.pub.
The key fingerprint is:
{OMMITED}
The key's randomart image is:
{OMMITED}
External IP address was not found; defaulting to using IAP tunneling.
Updating project ssh metadata...failed.
Updating instance ssh metadata...failed.
ERROR: (gcloud.beta.compute.scp) Could not add SSH key to instance metadata:
- The user does not have access to service account '{OMMITED}-compute@developer.gserviceaccount.com'. User: 'scp-test@my-project.iam.gserviceaccount.com'. Ask a project owner to grant you the iam.serviceAccountUser role on the service account
授予我的 scp-test 用户 iam.serviceAccountUser 角色有效,但这似乎是一种不好的做法,因为它使我的 scp-test 用户能够模拟默认帐户('{OMMITED}-compute@ developer.gserviceaccount.com'.),这似乎让它可以完全访问所有内容。
如何只授予它 SCP 所需的权限?
为了使用 SSH/SCP,您需要 Compute Engine 的实例管理员权限。
服务账户是指 gcloud 配置使用的服务账户 IAM 成员:scp-test@my-project.iam.gserviceaccount.com
您需要为服务帐户授予此角色:
roles/compute.instanceAdmin.v1
由于您的计算实例也配置为使用服务帐户,因此您的服务帐户也需要此角色:
roles/iam.serviceAccountUser