(gcloud.beta.compute.scp) Could not add SSH key to instance metadata: permissions

Time: 2019-05-08 22:23:17

Tags: google-cloud-platform scp google-cloud-iam

I want to automate deployment to a VM that is already running in Google Cloud. As part of that, I am trying to use a service account to SCP my files to the VM in GCP, but unfortunately I can't seem to figure out what the correct permissions should be.

After reading the documentation carefully, I have a service account with the following permissions:

  • compute.instances.get
  • compute.instances.setMetadata
  • compute.projects.get
  • compute.projects.setCommonInstanceMetadata

But when I run the following command, I get this output:

+ ./google-cloud-sdk/bin/gcloud auth activate-service-account --key-file=./service-account.json
Activated service account credentials for: [scp-test@my-project.iam.gserviceaccount.com]
+ ./google-cloud-sdk/bin/gcloud beta compute scp hello.txt scp-test:c:/hello.txt --quiet --project=my-project --ssh-key-file=./.ssh/key --zone=us-east4-c
WARNING: The public SSH key file for gcloud does not exist.
WARNING: The private SSH key file for gcloud does not exist.
WARNING: You do not have an SSH key for gcloud.
WARNING: SSH keygen will be executed to generate a key.
Generating public/private rsa key pair.
Your identification has been saved in /Users/mac-user/Downloads/scp-test/.ssh/key.
Your public key has been saved in /Users/mac-user/Downloads/scp-test/.ssh/key.pub.
The key fingerprint is:
{OMMITED}
The key's randomart image is:
{OMMITED}
External IP address was not found; defaulting to using IAP tunneling.
Updating project ssh metadata...failed.
Updating instance ssh metadata...failed.
ERROR: (gcloud.beta.compute.scp) Could not add SSH key to instance metadata:
 - The user does not have access to service account '{OMMITED}-compute@developer.gserviceaccount.com'.  User: 'scp-test@my-project.iam.gserviceaccount.com'.  Ask a project owner to grant you the iam.serviceAccountUser role on the service account

Granting my scp-test user the iam.serviceAccountUser role works, but this seems like bad practice, since it lets my scp-test user impersonate the default account ('{OMMITED}-compute@developer.gserviceaccount.com'), which then appears to have full access to everything.

How can I grant it only the permissions SCP needs?

1 answer:

Answer 0 (score: -1)

To use SSH/SCP, you need Compute Engine instance admin permissions.

The service account refers to the service account IAM member that gcloud is configured to use: scp-test@my-project.iam.gserviceaccount.com

You need to give that service account this role:

roles/compute.instanceAdmin.v1

Because your compute instance is also configured to use a service account, you also need this role for the service account:

roles/iam.serviceAccountUser
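The two bindings the answer names, written out as an added example (these are not commands from the question or the answer). The project ID, the deploying service account and the VM's runtime service account are placeholders passed in as arguments. The script grants roles/compute.instanceAdmin.v1 at project level, but binds roles/iam.serviceAccountUser on the VM's runtime service account only, which is what the error message asks for and avoids the project-wide impersonation concern raised in the question; a third function lists any project-wide serviceAccountUser bindings for the deploy account so you can confirm none remain. Set GCLOUD=echo to print the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the question or the answer.
# Placeholders (not from the page): PROJECT_ID, DEPLOY_SA, RUNTIME_SA.
GCLOUD="${GCLOUD:-gcloud}"   # GCLOUD=echo prints the commands without running them

# Project-level role: lets the deploy SA write SSH keys into project and
# instance metadata (compute.projects.setCommonInstanceMetadata,
# compute.instances.setMetadata) as gcloud compute scp requires.
grant_instance_admin() {
  project="$1"; deploy_sa="$2"
  "$GCLOUD" projects add-iam-policy-binding "$project" \
    --member="serviceAccount:$deploy_sa" \
    --role="roles/compute.instanceAdmin.v1"
}

# Resource-level binding: serviceAccountUser on the one runtime SA attached
# to the VM, not on the whole project, so the deploy SA can only act as
# that account and not as every service account in the project.
grant_sa_user_on_runtime_sa() {
  project="$1"; deploy_sa="$2"; runtime_sa="$3"
  "$GCLOUD" iam service-accounts add-iam-policy-binding "$runtime_sa" \
    --project="$project" \
    --member="serviceAccount:$deploy_sa" \
    --role="roles/iam.serviceAccountUser"
}

# Check: print any project-wide serviceAccountUser binding for the deploy SA.
# Empty output is the desired state after the resource-level grant above.
project_wide_sa_user_bindings() {
  project="$1"; deploy_sa="$2"
  "$GCLOUD" projects get-iam-policy "$project" \
    --flatten="bindings[].members" \
    --filter="bindings.role:roles/iam.serviceAccountUser AND bindings.members:serviceAccount:$deploy_sa" \
    --format="value(bindings.role)"
}

# Usage (placeholder values):
#   grant_instance_admin PROJECT_ID DEPLOY_SA
#   grant_sa_user_on_runtime_sa PROJECT_ID DEPLOY_SA RUNTIME_SA
#   project_wide_sa_user_bindings PROJECT_ID DEPLOY_SA
```

If a project-wide roles/iam.serviceAccountUser binding was added earlier while troubleshooting, remove it with gcloud projects remove-iam-policy-binding using the same member and role before relying on the resource-level grant.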