Some Cloud de Confiance services (for example, Compute Engine, App Engine, and Cloud Run functions) support attaching a user-managed service account to certain types of resources. In general, a service supports attaching a service account if its resources can run or include application code. When a service account is attached to a resource, code running on that resource can use the service account as its identity.
Attaching a user-managed service account is the recommended way to provide credentials to ADC for production code running on Cloud de Confiance.
For help deciding which roles to grant to the service account, see Choose predefined roles.
To find out which resources support attaching a service account, and how to attach a service account to a resource, see the IAM documentation.
Set up authentication:

1. Ensure that you have the Create Service Accounts IAM role (roles/iam.serviceAccountCreator). Learn how to grant roles.
2. Create the service account:

   ```sh
   gcloud iam service-accounts create SERVICE_ACCOUNT_NAME
   ```

   Replace SERVICE_ACCOUNT_NAME with a name for the service account.
3. To provide access to your project and your resources, grant a role to the service account:

   ```sh
   gcloud projects add-iam-policy-binding PROJECT_ID --member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.s3ns.iam.gserviceaccount.com" --role=ROLE
   ```

   Replace the following:
   - SERVICE_ACCOUNT_NAME: the name of the service account
   - PROJECT_ID: the project ID where you created the service account
   - ROLE: the role to grant

   To grant another role to the service account, run the command again as you did in the previous step.
4. Grant the required role to the principal that will attach the service account to other resources:

   ```sh
   gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_NAME@PROJECT_ID.s3ns.iam.gserviceaccount.com --member="principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/SUBJECT_ID" --role=roles/iam.serviceAccountUser
   ```

   Replace the following:
   - SERVICE_ACCOUNT_NAME: the name of the service account
   - PROJECT_ID: the project ID where you created the service account
   - POOL_ID: a workforce identity pool ID
   - SUBJECT_ID: a subject ID; typically the identifier for a user in a workforce identity pool. For details, see Represent workforce pool users in IAM policies.
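The four steps above as one re-runnable script, added here as an example and not part of the original page or the gcloud tooling. It refuses basic roles (roles/owner, roles/editor, roles/viewer) so the attached identity stays least-privilege, and assumes an installed, authenticated gcloud CLI; the function names and all name/ID arguments are placeholders.

```shell
#!/usr/bin/env sh
# Added example, not from the original page: wraps the four steps above in one
# script, refuses basic roles so the attached service account stays least
# privilege, and prints the resulting policy. Assumes the gcloud CLI is
# installed and authenticated; the name/ID arguments are placeholders.

# Service account email in the Cloud de Confiance domain shown on this page.
sa_email() {
  printf '%s@%s.s3ns.iam.gserviceaccount.com' "$1" "$2"
}

# Workforce pool principal string used in step 4.
workforce_member() {
  printf 'principal://iam.googleapis.com/locations/global/workforcePools/%s/subject/%s' "$1" "$2"
}

# Basic roles grant broad project-wide access; an attached service account
# with roles/editor or roles/owner defeats the point of a dedicated identity.
is_basic_role() {
  case "$1" in
    roles/owner|roles/editor|roles/viewer) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: setup_attachable_sa SERVICE_ACCOUNT_NAME PROJECT_ID POOL_ID SUBJECT_ID ROLE...
setup_attachable_sa() {
  name="$1"; project="$2"; pool="$3"; subject="$4"; shift 4
  email=$(sa_email "$name" "$project")
  for role in "$@"; do
    if is_basic_role "$role"; then
      echo "refusing basic role $role; grant a predefined or custom role instead" >&2
      return 1
    fi
  done
  # Step 2: create the service account unless it already exists (re-runnable).
  gcloud iam service-accounts describe "$email" >/dev/null 2>&1 ||
    gcloud iam service-accounts create "$name" --project "$project"
  # Step 3: grant each requested role on the project.
  for role in "$@"; do
    gcloud projects add-iam-policy-binding "$project" \
      --member="serviceAccount:$email" --role="$role"
  done
  # Step 4: let the workforce user attach (act as) the service account.
  gcloud iam service-accounts add-iam-policy-binding "$email" \
    --member="$(workforce_member "$pool" "$subject")" --role=roles/iam.serviceAccountUser
  # Show who can now act as this service account, for review.
  gcloud iam service-accounts get-iam-policy "$email"
}
```

Call it as setup_attachable_sa my-sa my-project my-pool my-user roles/logging.logWriter; the policy it prints at the end is the list of principals that may impersonate the account, which is what to review after each change.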
What's next
- Learn about best practices for using service accounts and service account keys.
- Learn more about how ADC finds credentials.
- Authenticate for using the Cloud Client Libraries.
- Learn about authentication methods.