Some Cloud de Confiance services (for example Compute Engine, App Engine, and Cloud Run functions) support attaching a user-managed service account to certain types of resources. In general, attaching a service account is supported when a service's resources can run or contain application code. After you attach a service account to a resource, code running on that resource can use the service account as its identity.
Attaching a user-managed service account is the preferred way to provide credentials to ADC for production code running on Cloud de Confiance.
For help deciding which roles to grant to the service account, see Choose predefined roles.
For information about which resources you can attach a service account to, and for help attaching a service account to a resource, see the IAM documentation on attaching service accounts.
Set up authentication:
- Ensure that you have the Create Service Accounts IAM role (roles/iam.serviceAccountCreator). Learn how to grant roles.
- Create the service account:

      gcloud iam service-accounts create SERVICE_ACCOUNT_NAME

  Replace SERVICE_ACCOUNT_NAME with a name for the service account.
- To provide access to your project and your resources, grant a role to the service account:

      gcloud projects add-iam-policy-binding PROJECT_ID --member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.s3ns.iam.gserviceaccount.com" --role=ROLE

  Replace the following:
  - SERVICE_ACCOUNT_NAME: the name of the service account
  - PROJECT_ID: the project ID where you created the service account
  - ROLE: the role to grant

  To grant another role to the service account, run the command again as you did in the previous step.
- Grant the required role to the principal that will attach the service account to other resources:

      gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_NAME@PROJECT_ID.s3ns.iam.gserviceaccount.com --member="principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/SUBJECT_ID" --role=roles/iam.serviceAccountUser

  Replace the following:
  - SERVICE_ACCOUNT_NAME: the name of the service account.
  - PROJECT_ID: the project ID where you created the service account.
  - POOL_ID: a workforce identity pool ID.
  - SUBJECT_ID: a subject ID; typically the identifier for a user in a workforce identity pool. For details, see Represent workforce pool users in IAM policies.
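The procedure above scripted end to end, as an added example that is not part of this documentation: it validates the service account name before calling gcloud, builds the s3ns service account e-mail and the workforce-pool principal string, and grants roles/iam.serviceAccountUser on the service account itself rather than on the whole project. The name rule enforced in validate_sa_name, the DRY_RUN variable and the helper function names are this script's own assumptions, not something the page states.

```shell
#!/bin/sh
# Added example, not from the documentation. Wraps the gcloud steps above.
# Assumption: the 6-30 character, lowercase/digit/hyphen rule below is the
# usual service account ID constraint, enforced here before any API call.
set -eu

# Reject names that the create step would refuse anyway (fail early, locally).
validate_sa_name() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{5,29}$'
}

# E-mail of a service account in the s3ns domain used by Cloud de Confiance.
sa_email() {
  printf '%s@%s.s3ns.iam.gserviceaccount.com' "$1" "$2"
}

# Principal identifier for one workforce identity pool user (POOL_ID, SUBJECT_ID).
workforce_principal() {
  printf 'principal://iam.googleapis.com/locations/global/workforcePools/%s/subject/%s' "$1" "$2"
}

# DRY_RUN=1 (the default here) prints each gcloud command instead of running it.
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Create the service account, grant it ROLE on the project, then let one
# workforce-pool user attach it (serviceAccountUser on this account only).
setup_service_account() {
  name=$1; project=$2; role=$3; pool=$4; subject=$5
  validate_sa_name "$name" || { echo "invalid service account name: $name" >&2; return 1; }
  email=$(sa_email "$name" "$project")
  run gcloud iam service-accounts create "$name" --project="$project"
  run gcloud projects add-iam-policy-binding "$project" \
      --member="serviceAccount:$email" --role="$role"
  run gcloud iam service-accounts add-iam-policy-binding "$email" \
      --member="$(workforce_principal "$pool" "$subject")" \
      --role=roles/iam.serviceAccountUser
}

# Usage: DRY_RUN=0 setup_service_account app-runner my-project roles/viewer my-pool alice
```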
What's next
- Learn about best practices for using service accounts and service account keys.
- Learn more about how ADC finds credentials.
- Authenticate when using the Cloud Client Libraries.
- Explore authentication methods.