IAM permissions to run "gcloud compute images import"

Time: 2019-02-27 18:09:12

Tags: google-cloud-platform gcloud

We are trying to import an image into GCP using the following command

gcloud compute images import

in the context of a service account. When running this command, the message states that it wants to elevate the service account's permissions to the "Service Account Actor" role. Since this role is deprecated (i.e. https://cloud.google.com/iam/docs/service-accounts#the_service_account_actor_role), the recommendation to set the service account up as "Service Account User" and "Service Account Token Creator" instead does not work effectively. What is the correct role or set of roles for this command?

We are running the following version of the gcloud CLI

Google Cloud SDK 232.0.0
alpha 2019.01.27
beta 2019.01.27 
bq 2.0.40
core 2019.01.27
gsutil 4.35
kubectl 2019.01.27

Also, if this is not the right forum for this kind of question, please let me know and I will gladly move it to the right place.

2 answers:

Answer 0 (score: 0)

If this is a one-off operation, upload the image to a bucket and then run gcloud compute images import from Cloud Shell - this will execute with your user permissions (probably Owner). Reference the image in the shell like gs://my-bucket/my-image.vmd

If you are forced to use a service account on a VM or other resource, the following instructions will be necessary.

You need to (a) identify the active service account and (b) grant it the roles/compute.admin role.

(a) Identify the service account

On the system that runs gcloud compute images import, run this command to identify the active service account

gcloud auth list
      Credentialed Accounts
ACTIVE  ACCOUNT
*       SERVICE_ACCOUNT@googlexxx.com

(b) Add the roles/compute.admin role

You need to add the role roles/compute.admin (once it works, look for a less privileged role for POLP)

Open a separate Google Cloud Shell, or another shell authenticated with the Owner role, and grant the roles/compute.admin role

# replace this with the active service acct above
ACTIVE_SERVICE_ACCOUNT=SERVICE_ACCOUNT@googlexxx.com
gcloud projects add-iam-policy-binding $GOOGLE_CLOUD_PROJECT \
--member="serviceAccount:${ACTIVE_SERVICE_ACCOUNT}" \
--role=roles/compute.admin

Answer 1 (score: 0)

This worked for me (for me, compute.admin alone was not enough):

# this project hosts the service account and the instance that the service account calls `gcloud compute images import ...` from.
worker_project=my-playground-for-building-stuff

# this project hosts your images (it can be the same project as ${worker_project} if that's how you roll)
image_project=my-awesome-custom-images

# this bucket will host resources required by, and artifacts created by cloudbuild during image creation (if you have already run `gcloud compute images import ...` as a normal user (not serviceaccount), then the bucket probably already exists in your ${image_project})
cloudbuild_bucket=${image_project}-daisy-bkt-us

# this is your service account in your ${worker_project}
service_account=my-busy-minion-who-loves-to-work@${worker_project}.iam.gserviceaccount.com


for legacy_role in legacyBucketReader legacyBucketWriter; do
  gsutil iam ch serviceAccount:${service_account}:${legacy_role} gs://${cloudbuild_bucket}
done
for role in editor compute.admin iam.serviceAccountTokenCreator iam.serviceAccountUser; do
  gcloud projects add-iam-policy-binding ${image_project} --member serviceAccount:${service_account} --role roles/${role}
done
for api in cloudbuild cloudresourcemanager; do
  gcloud services enable ${api}.googleapis.com --project ${worker_project}
done
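Both answers end with a list of `gcloud projects add-iam-policy-binding` calls, and answer 0 explicitly asks the reader to come back afterwards and trim the grant down for least privilege. A practical way to do that is to audit the project policy rather than re-run the bindings blindly. The script below is an added example, not code from either answer or from Google's tooling: it reads the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints, reports which of the roles the thread settles on (roles/compute.admin, roles/iam.serviceAccountUser, roles/iam.serviceAccountTokenCreator; answer 1 also bound roles/editor, which you can append to the list) the service account is still missing, flags the deprecated roles/iam.serviceAccountActor that the gcloud prompt in the question asked for, and prints only the binding commands that are actually needed. The policy, project name and service-account name in the block are constructed placeholders (the names are borrowed from answer 1). Bindings that carry an IAM `condition` are deliberately not counted as held, since they may not apply at run time.

```python
"""Audit a GCP project IAM policy for the roles a service account needs
before it can run `gcloud compute images import`, and print the
`gcloud projects add-iam-policy-binding` commands for whatever is missing.

Added example; not code from the thread above or from Google's tooling.
Input is the JSON that `gcloud projects get-iam-policy PROJECT --format=json`
prints. SAMPLE_POLICY, SAMPLE_PROJECT and SAMPLE_SA below are constructed
placeholders (names borrowed from answer 1 in the thread).
"""
import json

# Roles the question and both answers settle on for the import service
# account. Answer 1 additionally bound roles/editor; append it here if
# compute.admin alone turns out not to be enough in your project.
REQUIRED_ROLES = (
    "roles/compute.admin",
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
)

# Deprecated role the gcloud prompt in the question asks for; a service
# account should not end up holding it.
DEPRECATED_ROLES = frozenset({"roles/iam.serviceAccountActor"})


def roles_for_member(policy, member):
    """Return the set of roles `member` holds unconditionally in `policy`.

    Bindings with an IAM `condition` only apply while the condition is true,
    so they are not counted as held: counting them would hide a role that
    may be missing when the import actually runs.
    """
    held = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if member in binding.get("members", []):
            held.add(binding["role"])
    return held


def audit(policy, project, service_account, required=REQUIRED_ROLES):
    """Compare the roles `service_account` holds in `policy` against `required`.

    Returns the roles held, the required roles that are missing, any
    deprecated roles held, and the gcloud commands that would add the
    missing bindings (and nothing more).
    """
    member = f"serviceAccount:{service_account}"
    held = roles_for_member(policy, member)
    missing = [role for role in required if role not in held]
    deprecated = sorted(held & DEPRECATED_ROLES)
    commands = [
        f"gcloud projects add-iam-policy-binding {project} "
        f"--member={member} --role={role}"
        for role in missing
    ]
    return {
        "held": sorted(held),
        "missing": missing,
        "deprecated": deprecated,
        "commands": commands,
    }


# Constructed policy in the shape `gcloud projects get-iam-policy` emits.
SAMPLE_PROJECT = "my-awesome-custom-images"
SAMPLE_SA = ("my-busy-minion-who-loves-to-work@"
             "my-playground-for-building-stuff.iam.gserviceaccount.com")
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/compute.admin",
     "members": ["serviceAccount:my-busy-minion-who-loves-to-work@my-playground-for-building-stuff.iam.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["serviceAccount:my-busy-minion-who-loves-to-work@my-playground-for-building-stuff.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountActor",
     "members": ["serviceAccount:my-busy-minion-who-loves-to-work@my-playground-for-building-stuff.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:my-busy-minion-who-loves-to-work@my-playground-for-building-stuff.iam.gserviceaccount.com"],
     "condition": {"title": "temporary",
                   "expression": "request.time < timestamp(\\"2019-03-01T00:00:00Z\\")"}}
  ],
  "etag": "BwWEXAMPLE=",
  "version": 3
}
""")


if __name__ == "__main__":
    report = audit(SAMPLE_POLICY, SAMPLE_PROJECT, SAMPLE_SA)
    print("held:      ", report["held"])
    print("missing:   ", report["missing"])
    print("deprecated:", report["deprecated"])
    for cmd in report["commands"]:
        print(cmd)
```

Against real output, pipe the policy in (`gcloud projects get-iam-policy "$image_project" --format=json | python3 audit.py`, with `json.load(sys.stdin)` in place of the sample) and run the printed commands from an Owner-authenticated shell as answer 0 describes; anything listed under `deprecated` is a binding to remove with `gcloud projects remove-iam-policy-binding`.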