Some Google Cloud services (for example Compute Engine, App Engine and Cloud Run functions) support attaching a user-managed service account to certain types of resources. In general, if a service's resources can run or include application code, attaching a service account is supported. Once a service account is attached to a resource, code running on that resource can use the service account as its identity.
Attaching a user-managed service account for ADC to use is the recommended way to provide credentials to production code running on Google Cloud.
For help deciding which roles to grant the service account, see "Choose predefined roles".
To learn which resources a service account can be attached to, and how to attach one, see the IAM documentation.
Set up authentication:

- Ensure that you have the Create Service Accounts IAM role (roles/iam.serviceAccountCreator). Learn how to grant roles.
- Create the service account:

  gcloud iam service-accounts create SERVICE_ACCOUNT_NAME

  Replace SERVICE_ACCOUNT_NAME with a name for the service account.
- To provide access to your project and your resources, grant a role to the service account:

  gcloud projects add-iam-policy-binding PROJECT_ID --member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com" --role=ROLE

  Replace the following:
  - SERVICE_ACCOUNT_NAME: the name of the service account
  - PROJECT_ID: the project ID where you created the service account
  - ROLE: the role to grant

  To grant another role to the service account, run the command again as you did in the previous step.
- Grant the required role to the principal that will attach the service account to other resources:

  gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com --member="user:USER_EMAIL" --role=roles/iam.serviceAccountUser

  Replace the following:
  - SERVICE_ACCOUNT_NAME: the name of the service account
  - PROJECT_ID: the project ID where you created the service account
  - USER_EMAIL: the email address for a Google Account
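The procedure above wrapped in a POSIX shell script, as an added example that is not Google's own tooling: it validates the service account ID, refuses the basic roles in favour of a predefined one, derives the principal email used by the two bindings, and prints the exact gcloud commands for review before they touch a project (set RUN=1 to execute them). The ID format rule (6 to 30 characters, lowercase letters, digits and hyphens, starting with a letter) and the basic-role block list are assumptions of this script, and all sample values are constructed.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumptions: the service
# account ID format enforced here and the block list of basic roles.

# Returns 0 if NAME is an acceptable service account ID, 1 otherwise.
valid_sa_name() {
  name="$1"
  len=${#name}
  [ "$len" -ge 6 ] && [ "$len" -le 30 ] || return 1
  case "$name" in
    [a-z]*) ;;           # must start with a lowercase letter
    *) return 1 ;;
  esac
  case "$name" in
    *[!a-z0-9-]*) return 1 ;;   # only lowercase letters, digits, hyphens
  esac
  return 0
}

# Least privilege: refuse the basic roles; the page says to pick a predefined role.
allowed_role() {
  case "$1" in
    roles/owner|roles/editor|roles/viewer) return 1 ;;
    roles/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Builds the principal email that both policy bindings refer to.
sa_email() { printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"; }

# Prints (or, with RUN=1, runs) the create / grant / allow-attach sequence.
attach_sa_plan() {
  name="$1"; project="$2"; role="$3"; user="$4"
  valid_sa_name "$name" || { echo "invalid service account name: $name" >&2; return 1; }
  allowed_role "$role" || { echo "refusing basic or malformed role: $role" >&2; return 1; }
  email=$(sa_email "$name" "$project")
  run() { if [ "${RUN:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }
  run gcloud iam service-accounts create "$name"
  run gcloud projects add-iam-policy-binding "$project" \
      --member="serviceAccount:$email" --role="$role"
  run gcloud iam service-accounts add-iam-policy-binding "$email" \
      --member="user:$user" --role=roles/iam.serviceAccountUser
}
```

Run it as `attach_sa_plan my-app-sa demo-project roles/storage.objectViewer alice@example.com` to see the three commands with every placeholder filled in.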
What's next
- Learn best practices for using service accounts and service account keys.
- Learn more about how ADC finds credentials.
- Authenticate for use with the Cloud Client Libraries.
- Learn about authentication methods.