Service perimeter for projects with Gmail users


Problem description

Our goal is to restrict a subset of our GCS buckets for use by a range of IP addresses.

We have several GCP projects in a university lab tied to a common billing account, where people generally use their Gmail address for interacting with GCP resources. We believe we need to set up a service perimeter around our buckets using VPC Service Controls.

VPC Service Controls seem to require an organization. Creating an organization seems to require GSuite or Cloud Identity. Both of these options seem to require accounts to be set up on a specific domain. I do not want to ask people to create additional accounts, and migrate to using them.

Is there a path forward to having a collection of Gmail users implement a service perimeter? Or is there another way to get IP-address restriction on GCS buckets?

Recommended answer

To use VPC Service Controls (which allow you to restrict access to Google Cloud Storage buckets by IP address) you will require an organization. For managing resources for projects in that organization any Google identity (Gmail, Cloud Identity, G Suite) is valid. Combine the two and you have your solution!
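
One way to set up the IP restriction described in the answer, as an added example that is not part of the original answer: an Access Context Manager access level that admits one network range, attached to a perimeter that restricts Cloud Storage. The policy ID, project number, CIDR range and the names `lab_network` and `lab_storage` are placeholders assumed for illustration.

```shell
#!/bin/sh
# Added example. All values are placeholders (assumptions), not from the page.
POLICY_ID="${POLICY_ID:-POLICY_ID_PLACEHOLDER}"            # the organization's access policy
PROJECT_NUMBER="${PROJECT_NUMBER:-PROJECT_NUMBER_PLACEHOLDER}"
LAB_CIDR="${LAB_CIDR:-203.0.113.0/24}"                     # constructed documentation range

# Validate an IPv4 CIDR so a typo cannot become an access level that admits
# everyone: octets must be 0-255 and the prefix 1-32 (a /0 is rejected).
valid_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
  addr=${1%/*}; prefix=${1#*/}
  [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.
  for octet in $addr; do
    [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
  done
  IFS=$old_ifs
}

# Write the basic access level spec: one condition matching the source range.
write_level_spec() {   # $1 = output file, $2 = CIDR
  valid_cidr "$2" || { echo "refusing invalid CIDR: $2" >&2; return 1; }
  printf '%s\n' "- ipSubnetworks:" "  - $2" > "$1"
}

# Create the access level, then a perimeter that restricts Cloud Storage.
# A perimeter protects whole projects, so the buckets to restrict must live
# in a project listed in --resources.
apply_perimeter() {
  spec=$(mktemp) || return 1
  write_level_spec "$spec" "$LAB_CIDR" || { rm -f "$spec"; return 1; }
  gcloud access-context-manager levels create lab_network \
    --title="Lab network" --basic-level-spec="$spec" --policy="$POLICY_ID" &&
  gcloud access-context-manager perimeters create lab_storage \
    --title="Lab storage" --resources="projects/$PROJECT_NUMBER" \
    --restricted-services=storage.googleapis.com \
    --access-levels=lab_network --policy="$POLICY_ID"
  rc=$?
  rm -f "$spec"
  return $rc
}

# Nothing is changed unless the script is invoked with "apply".
if [ "${1:-}" = "apply" ]; then
  apply_perimeter
fi
```

Requests to the restricted service from outside the perimeter are then allowed only when they satisfy the access level, whichever Google identity makes them.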
