"Service Account User" role 如果不是为了模仿,那还有什么意义呢?
What is the point of "Service Account User" role if it's not for impersonation?
服务帐户用户角色的文档有点混乱。
https://cloud.google.com/iam/docs/service-accounts#user-role
Users granted the Service Account User role on a service account can use it to indirectly access all the resources to which the service account has access. For example, if a service account has been granted the Compute Admin role (roles/compute.admin), a user that has been granted the Service Account Users role (roles/iam.serviceAccountUser) on that service account can act as the service account to start a Compute Engine instance. In this flow, the user impersonates the service account to perform any tasks using its granted roles and permissions.
基于此,我假设通过向我的帐户授予所有者服务帐户的服务帐户用户角色,我应该能够从命令行模拟该服务帐户并且 运行 gcloud 具有服务帐户继承权限的命令
gcloud init # login to my account that has the user role on the SA
gcloud set config auth/impersonate_service_account <service-account-email>
gcloud compute instances list
> WARNING: This command is using service account impersonation. All API calls will be executed as [<service-account>@<project>.iam.gserviceaccount.com].
> ERROR: (gcloud.compute.instances.list) Failed to impersonate [<service-account>@<project>.iam.gserviceaccount.com]. Make sure the account that's trying to impersonate it has access to the service account itself and the "roles/iam.serviceAccountTokenCreator" role.
所以我删除了用户角色并为自己分配了 Token Creator 角色。按预期工作。为什么对 User 角色的描述听起来像是我打算使用的角色,但似乎 Token Creator 是我唯一需要的角色?
因此,尽管 GCP 文档令人困惑,但我认为我能够就以下两者之间的区别得出结论:
- 服务帐户用户
- 服务帐户令牌创建者
例如,如果我想部署一个 GKE 集群,但要为节点指定一个服务帐户而不是默认服务帐户,我会添加标志:
gcloud containers cluster create my-cluster --service-account=<service-account>
要执行此操作,我至少需要 Service Account User 我尝试分配给资源的服务帐户。此角色似乎也用于其他情况,例如在 VM 上执行代码并改用 VM 身份 (??)。
如果我想使用服务帐户凭据(即不是我自己的帐户)部署集群,我会使用需要 Token Creator 角色的模拟。我可能想这样做,因为我的个人帐户没有部署集群的权限,但 SA 有。
gcloud containers cluster create my-cluster --impersonate-service-account=<service-account>
这将构建集群并将操作记录为服务帐户的操作,而不是我的个人帐户。
如有错误请指正
服务帐户用户角色的文档有点混乱。
https://cloud.google.com/iam/docs/service-accounts#user-role
Users granted the Service Account User role on a service account can use it to indirectly access all the resources to which the service account has access. For example, if a service account has been granted the Compute Admin role (roles/compute.admin), a user that has been granted the Service Account Users role (roles/iam.serviceAccountUser) on that service account can act as the service account to start a Compute Engine instance. In this flow, the user impersonates the service account to perform any tasks using its granted roles and permissions.
基于此,我假设通过向我的帐户授予所有者服务帐户的服务帐户用户角色,我应该能够从命令行模拟该服务帐户并且 运行 gcloud 具有服务帐户继承权限的命令
gcloud init # login to my account that has the user role on the SA
gcloud set config auth/impersonate_service_account <service-account-email>
gcloud compute instances list
> WARNING: This command is using service account impersonation. All API calls will be executed as [<service-account>@<project>.iam.gserviceaccount.com].
> ERROR: (gcloud.compute.instances.list) Failed to impersonate [<service-account>@<project>.iam.gserviceaccount.com]. Make sure the account that's trying to impersonate it has access to the service account itself and the "roles/iam.serviceAccountTokenCreator" role.
所以我删除了用户角色并为自己分配了 Token Creator 角色。按预期工作。为什么对 User 角色的描述听起来像是我打算使用的角色,但似乎 Token Creator 是我唯一需要的角色?
因此,尽管 GCP 文档令人困惑,但我认为我能够就以下两者之间的区别得出结论:
- 服务帐户用户
- 服务帐户令牌创建者
例如,如果我想部署一个 GKE 集群,但要为节点指定一个服务帐户而不是默认服务帐户,我会添加标志:
gcloud containers cluster create my-cluster --service-account=<service-account>
要执行此操作,我至少需要 Service Account User 我尝试分配给资源的服务帐户。此角色似乎也用于其他情况,例如在 VM 上执行代码并改用 VM 身份 (??)。
如果我想使用服务帐户凭据(即不是我自己的帐户)部署集群,我会使用需要 Token Creator 角色的模拟。我可能想这样做,因为我的个人帐户没有部署集群的权限,但 SA 有。
gcloud containers cluster create my-cluster --impersonate-service-account=<service-account>
这将构建集群并将操作记录为服务帐户的操作,而不是我的个人帐户。
如有错误请指正