使用云存储时，对Cloud KMS密钥的权限被拒绝 [英] Permission denied on Cloud KMS key when using cloud storage

问题描述

我正在使用cloud storage用kms密钥上传文件.这是我的代码:

I am using cloud storage upload a file with kms key. Here is my code:

await storage.bucket(config.bucket).upload(file, {
  kmsKeyName: `projects/${process.env.PROJECT_ID}/locations/global/keyRings/test/cryptoKeys/nodejs-gcp`,
  destination: 'mmczblsq.kms.encrypted.doc'
});

我有一个具有cloud storage admin权限的cloud-storage-admin.json服务帐户.使用该服务帐户初始化storage.

I have a cloud-storage-admin.json service account with cloud storage admin permission. Initialize the storage with this service account.

const storage: Storage = new Storage({
  projectId: process.env.PROJECT_ID,
  keyFilename: path.resolve(__dirname, '../.gcp/cloud-storage-admin.json')
});

而且，我使用gcloud kms keys add-iam-policy-binding将roles/cloudkms.cryptoKeyEncrypterDecrypter添加到cloud-storage-admin.json服务帐户.

And, I use gcloud kms keys add-iam-policy-binding add roles/cloudkms.cryptoKeyEncrypterDecrypter to cloud-storage-admin.json service account.

当我尝试使用kms密钥上传文件时，仍然出现此权限错误:

When I try to upload a file with kms key, still got this permission error:

对Cloud KMS密钥的权限被拒绝.请确保您的Cloud Storage服务帐户已被授权使用此密钥.

Permission denied on Cloud KMS key. Please ensure that your Cloud Storage service account has been authorized to use this key.

更新

☁  nodejs-gcp [master] ⚡  gcloud kms keys get-iam-policy nodejs-gcp --keyring=test --location=global
bindings:
- members:
  - serviceAccount:cloud-storage-admin@<PROJECT_ID>.iam.gserviceaccount.com
  - serviceAccount:service-16536262744@gs-project-accounts.iam.gserviceaccount.com
  role: roles/cloudkms.cryptoKeyEncrypterDecrypter
etag: BwWJ2Pdc5YM=
version: 1

推荐答案

使用kmsKeyName时，Google Cloud Storage是调用KMS的实体，而不是您的服务帐户.这有点令人困惑:

When you use kmsKeyName, Google Cloud Storage is the entity calling KMS, not your service account. It's a bit confusing:

1. 您的服务帐户有权调用Cloud Storage API
2. 然后，Cloud Storage Service帐户在传输过程中调用KMS API

您将需要获取Cloud Storage服务帐户并授予该服务帐户可以调用Cloud KMS:

You will need to get the Cloud Storage service account and grant that service account the ability to invoke Cloud KMS:

• 选项1:打开API资源管理器，授权并执行

• 选项2:安装 gcloud ，对gcloud进行身份验证，安装 oauth2l ，然后运行此curl命令，将[PROJECT_ID]替换为您的项目ID:

• Option 1: Open the API explorer, authorize, and execute

• Option 2: Install gcloud, authenticate to gcloud, install oauth2l, and run this curl command replacing [PROJECT_ID] with your project ID:

curl -X GET -H "$(oauth2l header cloud-platform)" \
  "https://www.googleapis.com/storage/v1/projects/[PROJECT_ID]/serviceAccount"

选项3:相信我，它的格式为service-[PROJECT_NUMBER]@gs-project-accounts.iam.gserviceaccount.com，并从 gcloud projects list 或网络界面.

Option 3: Trust me that it's in the format service-[PROJECT_NUMBER]@gs-project-accounts.iam.gserviceaccount.com and get your [PROJECT_NUMBER] from gcloud projects list or the web interface.

这篇关于使用云存储时，对Cloud KMS密钥的权限被拒绝的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！