Question
I have heard that if the service account has high privileges, but the access scopes are restrictive, and we need to somehow authenticate to services without OAuth, then we can re-authenticate the service account with the keys that we have (assuming we somehow obtained them).
So is it true that re-authenticating the service account can give us cloud-platform scopes?
gcloud auth activate-service-account --key-file key.json
Answer 1:
Scopes are an OAuth permission mechanism. Google Cloud first started with "Scopes" as the permission method before IAM was developed.
Service Accounts do not use scopes in a way that you manage unless you are writing your own authorization code. Service Accounts use IAM Roles for permission control. You can specify scopes when writing low-level code, but that is not necessary or recommended.
Google Compute Engine originally used OAuth scopes for permissions and still offers that feature. Compute Engine Scopes limit the permissions assigned to the service account assigned to Compute Engine. Scopes do not add permissions to the service account.
For the following command:
gcloud auth activate-service-account --key-file key.json
If you run this command on your desktop or in Compute Engine, you are telling the CLI and tools developed with the SDK to use the specified service account for authorization. The scope "cloud-platform" does not matter here. The IAM roles assigned to the service account determine permissions. The scopes that you assigned to the instance are not used by this command. Only the credentials located in the Compute Engine instance metadata (the original credentials) continue to be affected by scopes.
Summary:
Scopes are a legacy authorization mechanism. IAM is the preferred and required authentication method meaning you must set permissions via IAM Roles. Scopes cannot do that for you. You can mix the two but I do not recommend that. Use the scope cloud-platform and control authorization via IAM Roles.
A service account with the scope "cloud-platform" and no IAM Roles has NO permissions.
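The following script is an added example, not code from the original answer, for checking the two claims above on a real VM: the token handed out by the Compute Engine metadata server carries only the instance's access scopes, while the token gcloud mints after activating the key file carries cloud-platform, and even then IAM decides what it can do. It assumes a key file at ./key.json (KEY_FILE), a project id in PROJECT_ID and network access when RUN_LIVE=1; none of these are given on the page. Run without RUN_LIVE it walks through the same scope comparison on constructed sample tokeninfo bodies so it can be run offline.

```sh
#!/bin/sh
# Added example, not code from the original answer. Compares the OAuth scopes on
# a token from the Compute Engine metadata server (limited by instance access
# scopes) with those on the token gcloud mints after
# `gcloud auth activate-service-account` (cloud-platform, chosen by the client),
# then asks IAM what the key-file token may actually do.
# Assumed, not given on the page: a key file at ./key.json (KEY_FILE), a project
# id in PROJECT_ID, and network access when RUN_LIVE=1.
set -eu

CLOUD_PLATFORM="https://www.googleapis.com/auth/cloud-platform"
TOKENINFO_URL="https://oauth2.googleapis.com/tokeninfo"
METADATA_TOKEN_URL="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"

# Pull the space-separated "scope" value out of a tokeninfo JSON body.
scopes_from_tokeninfo() {
  printf '%s' "$1" | sed -n 's/.*"scope" *: *"\([^"]*\)".*/\1/p'
}

# True if the space-separated scope list $1 contains scope $2.
has_scope() {
  case " $1 " in
    *" $2 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Token the instance's own credentials produce: scoped by the VM's access scopes.
metadata_token() {
  curl -sf -H 'Metadata-Flavor: Google' "$METADATA_TOKEN_URL" \
    | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

# Token minted from the key file: the client (gcloud) requests cloud-platform itself.
keyfile_token() {
  gcloud auth activate-service-account --key-file "$1" --quiet >/dev/null
  gcloud auth print-access-token
}

tokeninfo() {
  curl -sf "$TOKENINFO_URL?access_token=$1"
}

# Ask IAM which of a few permissions the bearer token actually holds on the project.
# With cloud-platform scope but no roles, the returned permissions list is empty.
test_iam_permissions() {
  curl -sf -X POST "https://cloudresourcemanager.googleapis.com/v1/projects/$2:testIamPermissions" \
    -H "Authorization: Bearer $1" -H 'Content-Type: application/json' \
    -d '{"permissions":["compute.instances.list","storage.buckets.list"]}'
}

live_check() {
  mt=$(metadata_token)
  kt=$(keyfile_token "${KEY_FILE:-key.json}")
  echo "metadata-server token scopes: $(scopes_from_tokeninfo "$(tokeninfo "$mt")")"
  echo "key-file token scopes:        $(scopes_from_tokeninfo "$(tokeninfo "$kt")")"
  echo "IAM permissions held by the key-file token on $PROJECT_ID:"
  test_iam_permissions "$kt" "$PROJECT_ID"
  echo
}

# Constructed sample tokeninfo bodies for the offline walk-through (made up, not real API output).
SAMPLE_METADATA_INFO='{"azp":"123","scope":"https://www.googleapis.com/auth/devstorage.read_only https://www.googleapis.com/auth/logging.write","expires_in":"3599"}'
SAMPLE_KEYFILE_INFO='{"azp":"123","scope":"https://www.googleapis.com/auth/cloud-platform","expires_in":"3599"}'

if [ "${RUN_LIVE:-0}" = 1 ]; then
  live_check
else
  for name in SAMPLE_METADATA_INFO SAMPLE_KEYFILE_INFO; do
    eval "body=\$$name"
    scopes=$(scopes_from_tokeninfo "$body")
    if has_scope "$scopes" "$CLOUD_PLATFORM"; then verdict="has cloud-platform"; else verdict="restricted"; fi
    echo "$name: $verdict ($scopes)"
  done
fi
```

The live run makes the answer's point visible: the metadata-server token lists only the scopes set on the instance, the key-file token lists cloud-platform regardless of those instance scopes, and the testIamPermissions response for the key-file token is governed entirely by the roles bound to the service account.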
Source: https://stackoverflow.com/questions/65103633/what-happens-when-re-authenticating-the-service-account-with-gcloud