How do I restrict a Google service account?
If I create a service account in my project and hand it to a third party, can that third party abuse it to create VM instances and so on? Or is it only allowed to do what I explicitly permit it to do?
In the "permissions" section of the Google Developers Console I can set a service account to "Can edit" or "Can view", but what do these actually mean?
If you grant "edit" or "owner" permissions, the user can create, modify or delete GCE VM instances (and other resources as well). If you grant only "view" permissions, they cannot create, modify or delete GCE VM instances.
However, you cannot grant fine-grained permissions such as "user can only edit this VM instance, but not this other one".
According to the Google Compute Engine docs:
Can View
Provides READ access:
- Can see the state of your instances.
- Can list and get any resource type.
Can Edit
Provides "Can View" access, plus:
- Can modify instances.
- On standard images released after March 22, 2012, can ssh into the project's instances.
Is Owner
Provides "Can Edit" access, plus:
- Can change membership of the project.
Project team members are given the following permissions based on their roles:
All Project Team Members
All project team members can list buckets within a project.
Project Editors
All project editors can list, create, and delete buckets.
Project Owners
All project owners can list, create, and delete buckets, and can also perform administrative tasks like adding and removing team members and changing billing. The project owners group is the owner of all buckets within a project, regardless of who may be the original bucket creator.
When you create a bucket without specifying an ACL, the project-private ACL is applied to the bucket automatically. This ACL provides additional permissions to team members, as described in default bucket ACLs.
Team members may be authorized to have one of three levels of access:
- "can View" (called Viewer in App Engine Console) allows read-only access.
- "can Edit" (called Developer in App Engine Console) allows modify and delete access. This allows a developer to deploy the application and modify or configure its resources.
- "is Owner" (called Owner in App Engine Console) allows full administrative access. This includes the ability to add members and set the authorization level of team members.
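As an added example (not part of the question, the answer, or Google's documentation): a small audit over a project IAM policy in the JSON shape returned by `gcloud projects get-iam-policy PROJECT --format=json`, reporting which service accounts hold more than view access and therefore, per the answer above, can create, modify or delete instances. It assumes the console's Can View / Can Edit / Is Owner correspond to the IAM basic roles roles/viewer, roles/editor and roles/owner; the sample policy is constructed, and non-basic roles are deliberately ignored.

```python
import json

# Assumed mapping of the console labels to IAM basic roles (not stated on the page):
# roles/viewer ~ "Can View", roles/editor ~ "Can Edit", roles/owner ~ "Is Owner".
BASIC_ROLE_LEVEL = {"roles/viewer": 1, "roles/editor": 2, "roles/owner": 3}
LEVEL_NAME = {0: "none", 1: "Can View", 2: "Can Edit", 3: "Is Owner"}


def effective_level(policy: dict, member: str) -> int:
    """Highest basic-role level granted to `member` across all bindings.
    Custom or product-specific roles (e.g. compute-only roles) are not scored here."""
    level = 0
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            level = max(level, BASIC_ROLE_LEVEL.get(binding.get("role", ""), 0))
    return level


def can_manage_instances(policy: dict, member: str) -> bool:
    """Edit or Owner can create, modify or delete VM instances; View cannot."""
    return effective_level(policy, member) >= 2


def service_accounts_above_view(policy: dict) -> list:
    """Service accounts whose effective basic role exceeds Can View, with the level name."""
    members = {m for b in policy.get("bindings", []) for m in b.get("members", [])
               if m.startswith("serviceAccount:")}
    return sorted((m, LEVEL_NAME[effective_level(policy, m)])
                  for m in members if effective_level(policy, m) > 1)


# Constructed sample policy; emails and project name are placeholders.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/owner",  "members": ["user:admin@example.com"]},
    {"role": "roles/editor", "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["serviceAccount:partner@example-project.iam.gserviceaccount.com",
                                         "serviceAccount:ci@example-project.iam.gserviceaccount.com"]}
  ]
}""")

if __name__ == "__main__":
    for sa, level in service_accounts_above_view(SAMPLE_POLICY):
        print(f"{sa}: {level} (can create/modify/delete instances)")
```

Feed the real policy JSON in place of the constructed sample to list every service account a third party could use beyond read-only access.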