我知道可以通过UI(Cloud Console)完成,也可以分配角色。但是如何轻松地授予单个权限呢?
比如,我使用新创建的服务帐户将图像推送到Google容器注册表时,出现错误,提示该服务帐户没有storage.buckets.get
权限。在CLI中最简单的方式是授予这个特定的权限是什么?
我知道可以通过UI(Cloud Console)完成,也可以分配角色。但是如何轻松地授予单个权限呢?
比如,我使用新创建的服务帐户将图像推送到Google容器注册表时,出现错误,提示该服务帐户没有storage.buckets.get
权限。在CLI中最简单的方式是授予这个特定的权限是什么?
Using the gcloud
CLI you can create a custom role with
gcloud iam roles create
, i.e:
gcloud iam roles create bucketViewer \
--project example-project-id-1 \
--title "Bucket viewer" \
--description "This role has only the storage.buckets.get permission" \
--permissions storage.buckets.get
This will create a custom role with the ID bucketViewer
, for the
project ID example-project-id-1
, containing only the permission
storage.buckets.get
. Replace these values as desired and
accordingly.
Once done, you can assign this custom role also with a single gcloud
command by using gcloud projects add-iam-policy-binding
:
gcloud projects add-iam-policy-binding example-project-id-1 \
--member='serviceAccount:test-proj1@example.domain.com' \
--role='projects/example-project-id-1/roles/bucketViewer'
Replace example-project-id-1
with your project ID, and
test-proj1@example.domain.com
with the actual name of the service
account you want to assign the role to.
桶 => 目标桶行的三个点菜单 => 编辑访问权限
... 不,这不在服务帐号权限选项卡中...
gcloud projects add-iam-policy-binding \
<your-project-name-id> \
--member='serviceAccount:service-<1234567890>@compute-system.iam.gserviceaccount.com' \
--role='roles/compute.instanceAdmin.v1'
service-
开头的服务帐号在GCP IAM GUI中不可见)。