Which PowerShell command can be used to grant someone access to a virtual machine?
This page describes how to use service accounts to enable apps running on your virtual machine (VM) instances to authenticate to Google Cloud APIs and authorize access to resources.

For more information about how Compute Engine uses service accounts, see the service accounts overview.

Before you begin
Creating a new service account

You can create and set up a new service account using IAM. After creating an account, grant the account one or more IAM roles, and then authorize a virtual machine instance to run as that service account. To create a new service account:
Setting up a new instance to run as a service account

After creating a new service account, you can create new virtual machine instances to run as the service account. If the service account is in a different project than the instances, you must configure the service account for a resource in a different project. If you want to assign or change a service account for an existing instance, see Changing the service account and access scopes for an instance instead.

You can enable multiple virtual machine instances to use the same service account, but a virtual machine instance can only have one service account identity. If you assign the same service account to multiple virtual machine instances, any subsequent change you make to the service account affects every instance using it. This includes any changes you make to the IAM roles granted to the service account: for example, if you remove a role, all instances using the service account lose the permissions granted by that role.

Generally, you can just set the

Alternatively, you can choose to set specific scopes that permit access to the particular API methods that the service will call. For example, to call the
You can set up a new instance to run as a service account through the Google Cloud console, the Google Cloud CLI, or directly through the API.

1. Go to the Create an instance page.
2. Specify the VM details.
3. In the Identity and API access section, choose the service account you want to use from the drop-down list.
4. Continue with the VM creation process.

To create a new instance and authorize it to run as a custom service account using the Google Cloud CLI, provide the service account email and desired access scopes for the instance.

where:

For example:

The gcloud CLI also offers scope aliases in place of the longer scope URIs. For example, the scope for full access to Cloud Storage is

You can see a list of scopes and scope aliases on the

Specify the alias the same way you would specify the normal scope URI. For example:
API

In the API, construct a standard request to create an instance, but include the

    POST https://compute.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/[ZONE]/instances
    {
      "machineType": "https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/[ZONE]/machineTypes/[MACHINE_TYPE]",
      "name": "[INSTANCE_NAME]",
      "serviceAccounts": [
        {
          "email": "[SERVICE_ACCOUNT_EMAIL]",
          "scopes": ["https://www.googleapis.com/auth/cloud-platform"]
        }
      ],
      ...
    }

After you have set up an instance to run as the service account, an application running on the instance can use one of the following methods for authentication:
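One of those methods is to obtain an OAuth2 access token from the instance's metadata server, which the section "Authenticating applications directly with access tokens" below describes. The following is an added example, not code from the Google Cloud documentation: a small Python token source that queries the documented metadata endpoint with the required Metadata-Flavor: Google header, caches the token, and refreshes it once fewer than five minutes remain, the same margin the metadata server itself uses when it caches tokens. The fetch and clock functions are injectable so the demo runs offline against a constructed response; the token string in the sample is a placeholder, not a real credential.

```python
"""Fetch and cache an OAuth2 access token from the Compute Engine metadata server.

Added example, not code from the Google Cloud documentation. The endpoint,
the Metadata-Flavor header and the response shape
({"access_token", "expires_in", "token_type"}) are the documented
metadata-server interface. The 300-second refresh margin mirrors the
server-side caching the page describes. `fetch` and `clock` are
injectable so the class can be exercised offline with a constructed response.
"""
import json
import time
import urllib.request

METADATA_URL = (
    "http://metadata.google.internal/computeMetadata/v1/"
    "instance/service-accounts/default/token"
)
# The metadata server rejects requests without this header; it stops a
# browser- or redirect-driven request from reading instance credentials.
METADATA_HEADERS = {"Metadata-Flavor": "Google"}
REFRESH_MARGIN_SECONDS = 300  # refresh once fewer than 5 minutes remain


def fetch_token_from_metadata(url=METADATA_URL, timeout=2.0):
    """Real fetcher: GET the token endpoint on the instance, return parsed JSON."""
    req = urllib.request.Request(url, headers=METADATA_HEADERS)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


class MetadataTokenSource:
    """Caches the access token and refreshes it before it expires.

    `fetch` returns the decoded JSON dict; `clock` returns epoch seconds.
    Both default to the real implementations and are swapped in tests.
    """

    def __init__(self, fetch=fetch_token_from_metadata, clock=time.time):
        self._fetch = fetch
        self._clock = clock
        self._token = None
        self._expires_at = 0.0
        self.fetch_count = 0  # lets callers verify the cache behaviour

    def _needs_refresh(self):
        return self._token is None or (
            self._expires_at - self._clock() <= REFRESH_MARGIN_SECONDS
        )

    def token(self):
        """Return a cached token, fetching a new one when the margin is reached."""
        if self._needs_refresh():
            body = self._fetch()
            if body.get("token_type") != "Bearer" or "access_token" not in body:
                raise ValueError("unexpected token response: %r" % (sorted(body),))
            self._token = body["access_token"]
            self._expires_at = self._clock() + int(body["expires_in"])
            self.fetch_count += 1
        return self._token

    def authorization_header(self):
        """Header to attach to a Google API request."""
        return {"Authorization": "Bearer " + self.token()}

    def seconds_remaining(self):
        return max(0.0, self._expires_at - self._clock())


# Constructed sample response in the metadata server's documented shape.
# The token value is a placeholder, not a real credential.
SAMPLE_RESPONSE = {
    "access_token": "ya29.EXAMPLE-TOKEN",
    "expires_in": 3599,
    "token_type": "Bearer",
}


def demo():
    """Drive the cache with a fake clock: one fetch, a cache hit, then a refresh."""
    now = [1_700_000_000.0]
    src = MetadataTokenSource(fetch=lambda: dict(SAMPLE_RESPONSE), clock=lambda: now[0])
    first = src.authorization_header()   # fetch #1
    now[0] += 3000                       # 599 s left: above the margin, cache hit
    src.token()
    now[0] += 300                        # 299 s left: below the margin, fetch #2
    src.token()
    return first, src.fetch_count


if __name__ == "__main__":
    header, fetches = demo()
    print(header, "fetches:", fetches)
```

On a real instance, MetadataTokenSource() with the defaults talks to metadata.google.internal. The token it returns carries whatever permissions the instance's service account has, limited further by the instance's access scopes, so any process on the VM that can reach the metadata server can act as that service account; that is why the IAM roles granted to the account, not the scopes, should be the primary control.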
Authenticating applications using service account credentials

After setting up an instance to run as a service account, you can use service account credentials to authenticate applications running on the instance.

Authenticating applications with a client library

Client libraries can use Application Default Credentials to authenticate with Google APIs and send requests to those APIs. Application Default Credentials lets applications automatically obtain credentials from multiple sources, so you can test your application locally and then deploy it to a Compute Engine instance without changing the application code. For information about setting up Application Default Credentials, see Provide credentials to Application Default Credentials. This example uses the Python client library to authenticate and make a request to the Cloud Storage API to list the buckets in a project. The example uses the following procedure:
You can run this sample on an instance that has access to manage buckets in Cloud Storage.

Authenticating applications directly with access tokens

For most applications, you can authenticate by using Application Default Credentials, which finds credentials and manages tokens for you. However, if your application requires you to provide an OAuth2 access token, Compute Engine lets you get an access token from its metadata server for use in your application. There are several options for obtaining and using these access tokens to authenticate your applications. For example, you can use

To use

On the instance where your application runs, query the metadata server for an access token by running the following command:

The request returns a response similar to:

For API requests you need to include the

Copy the value of the

where:

For information about the parameters that you can set in your request, see the parameters documentation.

This example demonstrates how to request a token to access the Cloud Storage API in a Python application. The example uses the following procedure:

Access tokens expire after a short period of time. The metadata server caches access tokens until they have 5 minutes of remaining time before they expire. You can request new tokens as frequently as you like, but your applications must have a valid access token for their API calls to succeed.

Some applications might use commands from the

This service account recognition happens automatically and applies only to the

To take advantage of automatic service account recognition,
grant the appropriate IAM roles to the service account and set up an instance to run as a service account. For example, if you grant a service account the

Likewise, if you enable

Changing the service account and access scopes for an instance

If you want to run the VM as a different identity, or you determine that the instance needs a different set of scopes to call the required APIs, you can change the service account and the access scopes of an existing instance. For example, you can change access scopes to grant access to a new API, remove the service account and access scopes to prevent a VM from accessing any Google Cloud services, or change a VM so that it runs as a service account that you created instead of the Compute Engine default service account. However, Google recommends that you use fine-grained IAM policies instead of relying on access scopes to control resource access for the service account: access scopes only limit what the instance's token can ask for, and they never grant a permission that the service account's IAM roles do not already provide.

To change an instance's service account and access scopes, the instance must be temporarily stopped. To stop your instance, read the documentation for Stopping an instance. After changing the service account or access scopes, remember to restart the instance. Use one of the following methods to change the service account or access scopes of the stopped instance.

1. Go to the VM instances page.
2. Click the name of the VM instance for which you want to change the service account.
3. If the instance is not stopped, click Stop and wait for the instance to be stopped.
4. Click Edit.
5. Scroll down to the Service Account section.
6. From the drop-down list, select the service account to assign to the instance.
7. Click Save to save your changes.

gcloud

Use the
where:
For example, the following command assigns the service account
API

In the API, make a
where:
In the request body, provide the email address of the service account and the desired scope URIs for the instance. For more information about setting access scopes, see Best practices.
For example, the following request uses the service account email
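Both procedures on this page, creating an instance that runs as a service account (the instances.insert request shown earlier) and changing the service account and scopes of a stopped instance (the setServiceAccount request in this section), take the same service account object: an email plus a list of scope URIs. The following added example, which is not code from the Google Cloud documentation, builds both request bodies in Python. It resolves gcloud scope aliases to their URIs (the alias table is a subset reproduced from the gcloud reference and should be checked against `gcloud compute instances create --help` for your version), rejects unknown aliases instead of sending them on, and checks that the email has the shape of a user-managed or Compute Engine default service account so a mistyped address fails before the API call. Names such as my-project, web-1 and app-runner are placeholders.

```python
"""Request bodies for running a Compute Engine VM as a service account.

Added example, not code from the Google Cloud documentation. Builds the
{email, scopes} object used by instances.insert (create a VM that runs as
a service account) and by instances.setServiceAccount (change the service
account or scopes of a stopped VM). SCOPE_ALIASES is a subset reproduced
from the gcloud CLI reference; verify it against
`gcloud compute instances create --help` for your installed version.
"""
import json
import re

COMPUTE_API = "https://compute.googleapis.com/compute/v1"
SCOPE_PREFIX = "https://www.googleapis.com/auth/"

# gcloud scope alias -> OAuth scope URI (subset; see the gcloud reference).
SCOPE_ALIASES = {
    "cloud-platform": SCOPE_PREFIX + "cloud-platform",
    "storage-ro": SCOPE_PREFIX + "devstorage.read_only",
    "storage-rw": SCOPE_PREFIX + "devstorage.read_write",
    "storage-full": SCOPE_PREFIX + "devstorage.full_control",
    "compute-ro": SCOPE_PREFIX + "compute.readonly",
    "compute-rw": SCOPE_PREFIX + "compute",
    "logging-write": SCOPE_PREFIX + "logging.write",
    "monitoring": SCOPE_PREFIX + "monitoring",
    "bigquery": SCOPE_PREFIX + "bigquery",
    "pubsub": SCOPE_PREFIX + "pubsub",
}

# User-managed account: NAME@PROJECT_ID.iam.gserviceaccount.com
# (name and project ID: 6-30 lowercase letters, digits or hyphens, starting with a letter).
USER_MANAGED_SA = re.compile(
    r"^[a-z][a-z0-9-]{5,29}@[a-z][a-z0-9-]{5,29}\.iam\.gserviceaccount\.com$"
)
# Compute Engine default account: PROJECT_NUMBER-compute@developer.gserviceaccount.com
DEFAULT_COMPUTE_SA = re.compile(r"^[0-9]+-compute@developer\.gserviceaccount\.com$")


def classify_service_account(email):
    """Return 'user-managed' or 'default'; raise ValueError for anything else."""
    if USER_MANAGED_SA.match(email):
        return "user-managed"
    if DEFAULT_COMPUTE_SA.match(email):
        return "default"
    raise ValueError("not a service account email: %r" % (email,))


def resolve_scopes(scopes):
    """Expand aliases to scope URIs, reject unknown names, keep order, drop repeats."""
    resolved = []
    for scope in scopes:
        if scope.startswith(SCOPE_PREFIX):
            uri = scope
        elif scope in SCOPE_ALIASES:
            uri = SCOPE_ALIASES[scope]
        else:
            raise ValueError("unknown scope or alias: %r" % (scope,))
        if uri not in resolved:
            resolved.append(uri)
    return resolved


def service_account_block(email, scopes):
    """The {email, scopes} object shared by both API calls."""
    classify_service_account(email)  # fail before the API call on a mistyped address
    return {"email": email, "scopes": resolve_scopes(scopes)}


def instance_insert_request(project, zone, name, machine_type, email, scopes):
    """(URL, body) for POST instances.insert creating a VM that runs as `email`.

    Disks and network interfaces are also required by the real API; they are
    left out to keep the example focused on the identity fields.
    """
    url = "%s/projects/%s/zones/%s/instances" % (COMPUTE_API, project, zone)
    body = {
        "name": name,
        "machineType": "%s/projects/%s/zones/%s/machineTypes/%s"
        % (COMPUTE_API, project, zone, machine_type),
        "serviceAccounts": [service_account_block(email, scopes)],
    }
    return url, body


def set_service_account_request(project, zone, instance, email, scopes):
    """(URL, body) for POST instances.setServiceAccount; the VM must be stopped first."""
    url = "%s/projects/%s/zones/%s/instances/%s/setServiceAccount" % (
        COMPUTE_API, project, zone, instance
    )
    return url, service_account_block(email, scopes)


if __name__ == "__main__":
    # Placeholder project, zone and account names; not real resources.
    sa = "app-runner@my-project.iam.gserviceaccount.com"
    url, body = instance_insert_request(
        "my-project", "us-central1-a", "web-1", "e2-medium", sa,
        ["storage-full", "logging-write"],
    )
    print("POST", url)
    print(json.dumps(body, indent=2))
    url, body = set_service_account_request(
        "my-project", "us-central1-a", "web-1", sa, ["cloud-platform"]
    )
    print("POST", url)
    print(json.dumps(body, indent=2))
```

The classification returned by classify_service_account is what a deployment script would use to enforce the page's recommendation to prefer a dedicated service account over the Compute Engine default account: refuse or flag requests where it returns "default", especially when combined with the cloud-platform scope.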
Obtaining a service account email

To identify a service account, you need the service account email. Obtain a service account email through one of the following options:

Go to the Service Accounts page. If prompted, select a project. The service accounts page lists all service accounts for the project and their emails.

Use the

If the instance isn't using a service account, you receive a response without the

Query the metadata server from within the instance itself. Make a request to

If you enabled one or more service accounts when you created the instance, this

If the instance isn't using a service account, you receive an empty response.

Make a request to the Service Accounts API.

Using the Compute Engine Default Service Account

If you are familiar with the Compute Engine default service account and want to use the credentials it provides instead of creating new service accounts, you can grant IAM roles to the default service account. By default, all Compute Engine instances can run as the default service account. When you create an instance using the Google Cloud CLI or the Google Cloud console and omit any service account specification, the default service account is assigned to the instance. Before you assign IAM roles to the default service account, note that:
If you are unsure about granting IAM roles to the default service account, create a new service account instead. Follow these instructions to grant an IAM role to the default service account:
Any virtual machine instances that are currently running as the default service account will now have access to other Google Cloud APIs according to the IAM roles you granted to the account. Every process on those instances, including one started by an attacker who gains code execution on the VM, can obtain tokens for the default service account from the metadata server, so grant it only the roles the workloads actually need.

If you want to set up a new instance to run as the default service account, follow these instructions:

1. Go to the Create an instance page.
2. Specify the VM details.
3. In the Identity and API access section, choose Compute Engine default service account from the Service account drop-down list.
4. Continue with the VM creation process.

To create a new instance and authorize it to have full access to all Google Cloud services using the default service account:

In the API, construct a standard request to create an instance, but include the

Best practices
What's next
Which PowerShell command will find all services that begin with VM?

Get-VM. The following Hyper-V PowerShell command allows you to see all of the VMs available on one or more Hyper-V hosts. To see all VMs on the local Hyper-V host, run the Get-VM cmdlet. Note that Get-VM lists virtual machines, not Windows services; to list services whose names begin with "VM", use Get-Service -Name 'VM*'.
How can I grant different users the ability to manage Hyper-V?

You can grant users and groups different operation permissions over Hyper-V, or just over specific virtual machines (VMs). From the Start menu, choose Run, then enter mmc.exe. From the File menu, select Add/Remove Snap-in. Select Authorization Manager, click Add, then click OK. Authorization Manager role assignments apply to Hyper-V on Windows Server 2008 and 2008 R2; from Windows Server 2012 onward Hyper-V no longer uses Authorization Manager, and non-administrators are delegated VM management through membership in the built-in Hyper-V Administrators local group.

What is the Hyper-V PowerShell Direct Service?

Description: Provides a mechanism to manage virtual machines with PowerShell via a VM session without a virtual network.
What is VMConnect?

Virtual Machine Connection (VMConnect) is a tool you can use to connect to a virtual machine to install or interact with the guest operating system in a virtual machine. Some of the tasks you can perform by using VMConnect include the following: start and shut down a virtual machine.