Set up ADC for resources with an attached service account

Some Google Cloud services, such as Compute Engine, App Engine, and Cloud Run functions, support attaching a user-managed service account to certain types of resources. In general, attaching a service account is supported when the service's resources can run or contain application code. After you attach a service account to a resource, code running on that resource can use the service account as its identity.

Attaching a user-managed service account is the preferred way to provide credentials to ADC for production code running on Google Cloud.

For help determining which roles to grant the service account, see Choose predefined roles.

For information about which resources you can attach a service account to, and for help attaching a service account to a resource, see the IAM documentation on attaching service accounts.

Set up authentication:

  1. Create the service account:

    gcloud iam service-accounts create SERVICE_ACCOUNT_NAME

    Replace SERVICE_ACCOUNT_NAME with a name for the service account.

  2. To provide access to your project and your resources, grant a role to the service account:

    gcloud projects add-iam-policy-binding PROJECT_ID --member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com" --role=ROLE

    Replace the following:

    • SERVICE_ACCOUNT_NAME: the name of the service account
    • PROJECT_ID: the project ID where you created the service account
    • ROLE: the role to grant
  3. To grant another role to the service account, run the command as you did in the previous step.
  4. Grant the required role to the principal that will attach the service account to other resources.

    gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com --member="user:USER_EMAIL" --role=roles/iam.serviceAccountUser

    Replace the following:

    • SERVICE_ACCOUNT_NAME: the name of the service account
    • PROJECT_ID: the project ID where you created the service account
    • USER_EMAIL: the email address for a Google Account
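The following is an added example, not part of the Google Cloud documentation, that scripts the four steps above as a dry-run shell function with two checks a reviewer would expect: that the service account ID is well-formed, and that the role granted is not one of the basic roles. The project ID, account name, role and email address are constructed placeholders.

```shell
#!/bin/sh
# Added example: scripts the four gcloud steps above with two guardrails.
# All values below are constructed placeholders; override them via the environment.
PROJECT_ID="${PROJECT_ID:-my-project-id}"
SERVICE_ACCOUNT_NAME="${SERVICE_ACCOUNT_NAME:-app-runtime}"
ROLE="${ROLE:-roles/storage.objectViewer}"
USER_EMAIL="${USER_EMAIL:-alice@example.com}"

# Service account IDs are 6-30 characters: lowercase letters, digits and
# hyphens, starting with a letter.
valid_sa_name() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{5,29}$'
}

# Basic roles grant far more than a workload needs; code that relies on ADC
# should run under a predefined or custom role instead.
is_basic_role() {
  case "$1" in
    roles/owner|roles/editor|roles/viewer) return 0 ;;
    *) return 1 ;;
  esac
}

sa_email() {
  printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"
}

# Print each command with a '+' prefix; only run it when RUN=1.
do_cmd() {
  if [ "${RUN:-0}" = 1 ]; then "$@"; else printf '+ %s\n' "$*"; fi
}

run_steps() {
  if ! valid_sa_name "$SERVICE_ACCOUNT_NAME"; then
    echo "invalid service account name: $SERVICE_ACCOUNT_NAME" >&2; return 1
  fi
  if is_basic_role "$ROLE"; then
    echo "refusing basic role $ROLE; grant a predefined role instead" >&2; return 1
  fi
  sa="$(sa_email "$SERVICE_ACCOUNT_NAME" "$PROJECT_ID")"
  # Step 1: create the service account.
  do_cmd gcloud iam service-accounts create "$SERVICE_ACCOUNT_NAME" || return 1
  # Steps 2 and 3: grant the workload role on the project (repeat per role).
  do_cmd gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$sa" --role="$ROLE" || return 1
  # Step 4: allow USER_EMAIL to attach the service account to resources.
  do_cmd gcloud iam service-accounts add-iam-policy-binding "$sa" \
    --member="user:$USER_EMAIL" --role=roles/iam.serviceAccountUser
}
```

Without RUN=1 the script only prints the gcloud commands it would run, so you can review the bindings before applying them to a project.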

What's next