Building Google Cloud Platform Solutions
上QQ阅读APP看书,第一时间看更新
上一章目录下一章

Service accounts

In general, it's best practice to use service accounts whenever possible. Let's get started with this by creating a service account and providing it with some resource-specific roles:

  1. To create a service account, go to the Service accounts section in IAM and click on Create Service Account.
  2. From here, provide a name and select any roles the service account will need. The name should be meaningful, generally including how it will be used.
  3. For this example, let's suppose the service account will be used by an inventory management service called inventory-manager, and that it will need to accept messages from Pub/Sub and update related records in a Cloud SQL instance.
  4. For this service, we likely want to name the service account inventory-management and grant it Pub/Sub Subscriber and Cloud SQL Client.

 

  1. Once those values are selected, select Furnish a new private key (JSON) and click on CREATE, as shown in the following screenshot:

This will result in a new service account being created with the specified values, and a JSON key for the account will be downloaded to your machine. This JSON file is a key pair for the service account you created. Google Cloud maintains an internal key pair for each service account, which is managed by Google and has its keys rotated daily. When creating production service accounts or any service account that will not be used locally, it is best practice to avoid generating external key pairs. In addition, it is recommended that external key pairs be audited regularly and unused key pairs be deleted. External keys can be deleted in the Cloud Console under Service accounts with the delete button to the right of the key ID.

Note that service accounts themselves support resource-level IAM policies. This means that project owners can specify which actors can use service accounts. All Google-managed service accounts, project owners, and project editors can use service accounts. Other actors can be added on a per-need basis from the Cloud Console IAM section under Service accounts by selecting the desired service account and clicking on PERMISSIONS.

In addition to the Cloud Console, IAM can be managed directly by API, via the Cloud Console mobile app, or using the gcloud iam command group. Because this service account was created for demonstration purposes, go ahead and delete the keys (or even the service account) now.

上一章目录下一章