URL - HackMD

# URL ## IAM Service Account ![](https://i.imgur.com/XF5TN9K.png) ![](https://i.imgur.com/bU4M3vK.png) ![](https://i.imgur.com/IFJVKPZ.jpg) ![](https://i.imgur.com/FEyfRN7.png) ![](https://i.imgur.com/n3ojJZO.jpg) ![](https://i.imgur.com/fBd2itp.png) 在IAM設定service account role condition `bucket-name`為你的Bucket名稱 Name starts with projects/_/buckets/[bucket-name] ![](https://i.imgur.com/XI1OKPd.png) ![](https://i.imgur.com/VpZALkS.jpg) ![](https://i.imgur.com/bTcDaOr.jpg) ![](https://i.imgur.com/BqE4Tah.jpg) ![](https://i.imgur.com/jzkEltK.jpg) 利用gsutil -i指令，利用service account去訪問Storage Bucket `[service_account]`: webserver@cxcxc-demo-2023-02-04-scheepy.iam.gserviceaccount.com `[bucket_name]`: gs://cxcxc-demo-2023-02-04-scheepy ```bash $ gsutil -i webserver@cxcxc-demo-2023-02-04-scheepy.iam.gserviceaccount.com ls gs://cxcxc-demo-2023-02-04-scheepy ``` ![](https://i.imgur.com/PvwG6qj.jpg) 第一代權限管理問題，user account serviec_account 權限混淆。第二代"": user <font color="red">只能</font>模擬 service_account ~~1. Storage Admin + Conditional~~ 2. more stronger, specified action 多專案情況(P1,P2,P3) user_a(ua), user_b(ub) 建立Project_A(PA), Service_Account on PA(SA) SA 針對 P1, P2, P3 各自的動作，ua, ub 操作 SA Group 為頂層結構，面向的是多專案，單一專案改權限就要再開一個group 會有group過多過複雜 Summary: 第一代：人操作資源，會有瑕疵 1. 同一個user在project中有多重身份 2. 專案的持續演進，user and service account分歧，維運上造成麻煩 3. 多重專案管理錯綜複雜第二代：User Account 模擬 Service Account，利用Service Account操作資源 ## oslogin VM 上面跑專案，專案裡頭有很多APP，只允予管理APP但不能操作其他資源，透過以下方式進行管理若要使用該權限連入VM，需以下權限： * Oslogin權限 ### Oslogin 流程 ![](https://i.imgur.com/fOr1rXA.jpg) ![](https://i.imgur.com/42JOexx.jpg) ## Customer Role ![](https://i.imgur.com/s158drW.jpg) ## 總複習 ![](https://i.imgur.com/OB237QV.png) ![](https://i.imgur.com/gzzYaWz.png) ![](https://i.imgur.com/3sbY59k.png)