為已附加服務帳戶的資源設定 ADC

部分 Trusted Cloud 服務 (例如 Compute Engine、App Engine 和 Cloud Run 函式) 支援將使用者管理的服務帳戶附加至某些類型的資源。一般來說,如果服務的資源可以執行或納入應用程式碼,系統就支援附加服務帳戶。將服務帳戶附加至資源後,在資源上執行的程式碼就能使用該服務帳戶做為身分。

將使用者代管服務帳戶附加至 ADC,是為 Trusted Cloud上執行的正式版程式碼提供憑證的建議做法。

如需協助判斷要提供給服務帳戶的角色,請參閱「選擇預先定義的角色」。

如要瞭解可附加服務帳戶的資源,以及如何將服務帳戶附加至資源,請參閱這篇 IAM 說明文件

Set up authentication:

  1. Create the service account: 

    gcloud iam service-accounts create SERVICE_ACCOUNT_NAME

    Replace SERVICE_ACCOUNT_NAME with a name for the service account.

  2. To provide access to your project and your resources, grant a role to the service account: 

    gcloud projects add-iam-policy-binding PROJECT_ID --member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.s3ns-system.iam.gserviceaccount.com" --role=ROLE

    Replace the following:

    • SERVICE_ACCOUNT_NAME: the name of the service account
    • PROJECT_ID: the project ID where you created the service account
    • ROLE: the role to grant
  3. To grant another role to the service account, run the command as you did in the previous step.

  4. Grant the required role to the principal that will attach the service account to other resources. 

    gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_NAME@PROJECT_ID.s3ns-system.iam.gserviceaccount.com --member="principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/SUBJECT_ID" --role=roles/iam.serviceAccountUser

    Replace the following:

    • SERVICE_ACCOUNT_NAME: the name of the service account.
    • PROJECT_ID: the project ID where you created the service account.
    • POOL_ID: a workforce identity pool ID.
    • SUBJECT_ID: a subject ID; typically the identifier for a user in a workforce identity pool. For details, see Represent workforce pool users in IAM policies.

後續步驟