使用 Cloud SDK CLI 正确授予用户对 Google 云平台服务帐户的访问权限

Properly Granting Users Access to Google Cloud Platform Service Accounts Using the Cloud SDK CLI

给定一个 Google 云平台 (GCP) 服务帐户 $GCP_SERVICE_ACCOUNT_NAME,授予用户的正确方法是什么:

使用 GCP Cloud SDK (gcloud) 而不是控制台中的 this 页面?

换句话说,如果 $GCP_SERVICE_ACCOUNT_NAME 是在 GCP 项目 $GCP_PROJECT_NAME 中创建的:

gcloud iam service-accounts create $GCP_SERVICE_ACCOUNT_NAME \
--description=$GCP_SERVICE_ACCOUNT_DESCRIPTION \
--display-name=$GCP_SERVICE_ACCOUNT_NAME

#=>

Created service account [$GCP_SERVICE_ACCOUNT_NAME].

并通过一些策划角色被授予权限:

gcloud projects add-iam-policy-binding $GCP_PROJECT_NAME \
--member="serviceAccount:$GCP_SERVICE_ACCOUNT_NAME@$GCP_PROJECT_NAME.iam.gserviceaccount.com" \
--role=$GCP_CURATED_ROLE

#=>

Updated IAM policy for project [$GCP_PROJECT_NAME].
bindings:
. . .
- members:
  . . .
  - serviceAccount:$GCP_SERVICE_ACCOUNT_NAME@$GCP_PROJECT_NAME.iam.gserviceaccount.com
  role: $GCP_CURATED_ROLE
  . . .
. . .
etag: . . .
version: 1

哪些 gcloud 组和命令会授予用户部署作业和虚拟机的权限以及管理 $GCP_SERVICE_ACCOUNT_NAME 的权限?

使用 gcloud 创建服务帐户的官方 GCP 文档 here 建议使用 add-iam-policy-binding 命令“允许用户模拟服务帐户”:

gcloud iam service-accounts add-iam-policy-binding \
$GCP_SERVICE_ACCOUNT_NAME@$GCP_PROJECT_NAME.iam.gserviceaccount.com \
--member="user:$GCP_USER_NAME" \
--role="roles/iam.serviceAccountUser"

#=>

Updated IAM policy for serviceAccount [$GCP_SERVICE_ACCOUNT_NAME@$GCP_PROJECT_NAME.iam.gserviceaccount.com].
bindings:
- members:
  - user:$GCP_USER_NAME
  role: roles/iam.serviceAccountUser
etag: . . .
version: 1

与:

gcloud config list account --format="value(core.account)"

#=>

$GCP_USER_NAME

这是否意味着 $GCP_USER_NAME 能够使用 $GCP_SERVICE_ACCOUNT_NAME、管理 $GCP_SERVICE_ACCOUNT_NAME 或两者部署作业和虚拟机?

绑定 roles/iam.serviceAccountUser 策划角色授予 $GCP_USER_NAME_ALPHA 使用 $GCP_SERVICE_ACCOUNT_NAME 部署作业和虚拟机的权限:

gcloud iam service-accounts add-iam-policy-binding \
$GCP_SERVICE_ACCOUNT_NAME@$GCP_PROJECT_NAME.iam.gserviceaccount.com \
--member="user:$GCP_USER_NAME_ALPHA" \
--role="roles/iam.serviceAccountUser"

#=>

Updated IAM policy for serviceAccount [$GCP_SERVICE_ACCOUNT_NAME@$GCP_PROJECT_NAME.iam.gserviceaccount.com].
bindings:
- members:
  - user:$GCP_USER_NAME_ALPHA
  role: roles/iam.serviceAccountUser
etag: . . .
version: 1

绑定 roles/iam.serviceAccountAdmin 策划角色授予 $GCP_USER_NAME_BETA 管理 $GCP_SERVICE_ACCOUNT_NAME:

的权限
gcloud iam service-accounts add-iam-policy-binding \
$GCP_SERVICE_ACCOUNT_NAME@$GCP_PROJECT_NAME.iam.gserviceaccount.com \
--member="user:$GCP_USER_NAME_BETA" \
--role="roles/iam.serviceAccountAdmin"

#=>

Updated IAM policy for serviceAccount [$GCP_SERVICE_ACCOUNT_NAME@$GCP_PROJECT_NAME.iam.gserviceaccount.com].
bindings:
- members:
  - user:$GCP_USER_NAME_BETA
  role: roles/iam.serviceAccountAdmin
etag: . . .
version: 1

如果 $GCP_SERVICE_ACCOUNT_NAME 是使用控制台 (here) 而不是 gcloud 创建的,仍然可以通过以下方式验证绑定:

gcloud iam service-accounts get-iam-policy \
$GCP_SERVICE_ACCOUNT_NAME@$GCP_PROJECT_NAME.iam.gserviceaccount.com

#=>

bindings:
- members:
  - user:$GCP_USER_NAME_BETA
  role: roles/iam.serviceAccountAdmin
- members:
  - user:$GCP_USER_NAME_ALPHA
  role: roles/iam.serviceAccountUser
etag: . . .
version: 1

官方 GCP 文档。 提及两个角色 here, but don't use the same language found in the Service Account creation portion of the console. There also is not an "Equivalent COMMAND LINE" dialog on this 页。