Logging into google compute engine with a service account

时光总嘲笑我的痴心妄想 submitted on 2020-01-25 09:33:05

Question


I have spent the entire day today reading documentation and questions on StackExchange trying to use a service account to log on to a Compute Engine instance, but have got nowhere.

I am new to google cloud, so pardon my knowledge.

We are trying to set up a long-running service on a Google Compute Engine instance. We want the service to run as a system account rather than under an individual account, so as to allow troubleshooting privileges across the team but not for specific users. We thought that a GCP service account should be able to accomplish this, but we haven't been able to log on to a Compute Engine instance as a service account. We took the following steps to try this out -

  1. create a service account and give serviceaccountuser permissions to the team. Also create an RSA key for the service account that was distributed to the team.
  2. use gcloud auth activate-service-account to switch to the service account
  3. gcloud init to the service account and set up the configuration
  4. use gcloud compute ssh .

We hoped to be able to log on to the instance as the service account, since we switched identity before logging on. But we are not getting the desired effect.

questions -

  1. Can service accounts actually be used to log on to Compute Engine?
  2. If not, what is the purpose of configuring a service account to run as when creating a VM on GCP?
  3. If not, what is the right way to run a service on a Compute Engine instance using a system account that everybody can have access to?
  4. If yes, what are we missing?

Thanks a lot for solving the confusion in advance,


Answer 1:


The service account allows the Compute Engine instance to access other Google APIs. For example, the instance might need to access private content from Storage buckets or connect to a Datastore. See https://cloud.google.com/iam/docs/service-accounts

In order to give your team members (ssh) access to a compute engine instance, you add them as members to the project by adding their Google accounts. Specify their level of access so they can only list and ssh in, but not create or delete. I think you want a new role with "Compute OS Login" permission. They don't need billing set up either. See https://cloud.google.com/iam/docs/granting-changing-revoking-access
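The answer's recommendation (bind each team member to an SSH-only role such as Compute OS Login plus list access, not the broad editor role the question's approach drifts toward) can be expressed as an edit to the project IAM policy. The following is an added example, not code from the question, the answer or Google; it works on the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns and assumes the role IDs `roles/compute.osLogin` and `roles/compute.viewer` are the ones you want. The project, account names and etag in the sample policy are constructed placeholders.

```python
import copy

# Roles the answer points at: OS Login lets a member SSH into instances that
# have OS Login enabled; compute.viewer lets them list instances but not
# create or delete them. (Assumed to be the desired pair for this team.)
SSH_ONLY_ROLES = ("roles/compute.osLogin", "roles/compute.viewer")

# Roles that would let a member create/delete instances or administer the
# project; the answer wants team members kept out of these.
OVER_BROAD_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/compute.admin",
    "roles/compute.instanceAdmin.v1",
}

# Constructed sample in the shape of a project IAM policy as returned by
# `gcloud projects get-iam-policy PROJECT --format=json` (placeholders only).
SAMPLE_POLICY = {
    "etag": "BwXexample==",
    "version": 1,
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/editor", "members": ["user:dev1@example.com"]},
    ],
}


def grant_ssh_only(policy: dict, members) -> dict:
    """Return a copy of `policy` with every member bound to the SSH-only roles.

    Idempotent: an existing unconditional binding for the role is reused and
    members already present are not duplicated.
    """
    policy = copy.deepcopy(policy)
    bindings = policy.setdefault("bindings", [])
    for role in SSH_ONLY_ROLES:
        binding = next(
            (b for b in bindings if b["role"] == role and "condition" not in b),
            None,
        )
        if binding is None:
            binding = {"role": role, "members": []}
            bindings.append(binding)
        for m in members:
            if m not in binding["members"]:
                binding["members"].append(m)
    return policy


def overbroad_grants(policy: dict, members) -> list:
    """List (member, role) pairs where a team member holds a role that allows
    creating or deleting instances, i.e. more than 'list and ssh in'."""
    found = []
    for b in policy.get("bindings", []):
        if b["role"] in OVER_BROAD_ROLES:
            found.extend((m, b["role"]) for m in b["members"] if m in members)
    return sorted(found)


def revoke_overbroad(policy: dict, members) -> dict:
    """Return a copy of `policy` with team members removed from over-broad
    roles; bindings left with no members are dropped."""
    policy = copy.deepcopy(policy)
    kept = []
    for b in policy.get("bindings", []):
        if b["role"] in OVER_BROAD_ROLES:
            b["members"] = [m for m in b["members"] if m not in members]
        if b["members"]:
            kept.append(b)
    policy["bindings"] = kept
    return policy


if __name__ == "__main__":
    import json

    team = ["user:dev1@example.com", "user:dev2@example.com"]
    policy = grant_ssh_only(SAMPLE_POLICY, team)
    print("over-broad before:", overbroad_grants(policy, team))
    policy = revoke_overbroad(policy, team)
    print("over-broad after: ", overbroad_grants(policy, team))
    # Write the result to policy.json and apply it with:
    #   gcloud projects set-iam-policy PROJECT policy.json
    print(json.dumps(policy, indent=2))
```

Run it to see dev1 lose `roles/editor` while both members gain the two SSH-only roles; the etag carried through from the fetched policy is what lets `set-iam-policy` detect a concurrent change. OS Login itself must also be enabled on the project or instance (the `enable-oslogin=TRUE` metadata key) for the `roles/compute.osLogin` binding to take effect, which the answer assumes.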



Source: https://stackoverflow.com/questions/50629040/logging-into-google-compute-engine-with-a-service-account
